git-credential-manager icon indicating copy to clipboard operation
git-credential-manager copied to clipboard

Published 20 hours ago verified publisher icon git-ecosystem

Verification of debian package signature failing for 'origin'

Open ian-m-carr opened this issue 1 year ago • 2 comments

I am trying to follow the instructions for verifying the signature of the debian install package.

I have the signature .gpg and policy file set up (Seem to be correct!)

When I run the signature verification on any of the packages since 2.4.0 and up to 2.5.0

debsig-verify -v gcm-linux_amd64.2.4.0.deb I get:

debsig: Starting verification for: gcm-linux_amd64.2.4.0.deb
debsig: Using policy directory: /etc/debsig/policies/3C853823978B07FA
debsig:   Parsing policy file: /etc/debsig/policies/3C853823978B07FA/generic.pol
debsig:     Checking Selection group(s).
debsig:       Processing 'origin' key...
debsig:     Selection group(s) passed, policy is usable.
debsig: Using policy file: /etc/debsig/policies/3C853823978B07FA/generic.pol
debsig:     Checking Verification group(s).
debsig:       Processing 'origin' key...
debsig:     Verification group failed checks.
debsig: Failed verification for gcm-linux_amd64.2.4.0.deb.

If I try an earlier say 2.3.2 the key appears to have changed:

debsig-verify -v gcm-linux_amd64.2.3.2.deb 
debsig: Starting verification for: gcm-linux_amd64.2.3.2.deb
debsig: Could not find Origin directory for EB3E94ADBE1229CF

Any ideas? Is the signature bad? the download corrupt? or something else?

Installed on Debian - Bookworm (12)

ian-m-carr avatar May 13 '24 10:05 ian-m-carr

I did the same and am seeing the same for 2.6

debsig: Starting verification for: gcm-linux_amd64.2.6.0.deb
debsig: Using policy directory: /etc/debsig/policies/3C853823978B07FA
debsig:   Parsing policy file: /etc/debsig/policies/3C853823978B07FA/generic.pol
debsig:     Checking Selection group(s).
debsig:       Processing 'origin' key...
debsig:     Selection group(s) passed, policy is usable.
debsig: Using policy file: /etc/debsig/policies/3C853823978B07FA/generic.pol
debsig:     Checking Verification group(s).
debsig:       Processing 'origin' key...
debsig:     Verification group failed checks.
debsig: Failed verification for gcm-linux_amd64.2.6.0.deb.

Misty-42 avatar Nov 01 '24 16:11 Misty-42

Bumping, and still failing for 2.6.1

debsig: Starting verification for: gcm-linux_amd64.2.6.1.deb
debsig: Using policy directory: /etc/debsig/policies/3C853823978B07FA
debsig:   Parsing policy file: /etc/debsig/policies/3C853823978B07FA/generic.pol
debsig:     Checking Selection group(s).
debsig:       Processing 'origin' key...
debsig:     Selection group(s) passed, policy is usable.
debsig: Using policy file: /etc/debsig/policies/3C853823978B07FA/generic.pol
debsig:     Checking Verification group(s).
debsig:       Processing 'origin' key...
debsig:     Verification group failed checks.
debsig: Failed verification for gcm-linux_amd64.2.6.1.deb.

sudo-liljoa avatar Jun 02 '25 07:06 sudo-liljoa