
[BUG] Error when trying to validate the package signature after downloading.

Open GAC-Machine opened this issue 1 month ago • 1 comments

Description

Trying to install git credential manager (GCM) on Desktop (Linux).

When executing each command listed in the below code block, everything goes well, except for the last step when verifying the .deb file just downloaded.

```shell
# Install needed packages
apt-get install -y curl debsig-verify

# Download public key signature file
curl -s https://api.github.com/repos/git-ecosystem/git-credential-manager/releases/latest \
| grep -E 'browser_download_url.*gcm-public.asc' \
| cut -d : -f 2,3 \
| tr -d \" \
| xargs -I 'url' curl -L -o gcm-public.asc 'url'

# De-armor public key signature file
gpg --output gcm-public.gpg --dearmor gcm-public.asc

# Note that the fingerprint of this key is "3C853823978B07FA", which you can
# determine by running:
gpg --show-keys gcm-public.asc | head -n 2 | tail -n 1 | tail -c 17

# Copy de-armored public key to debsig keyring folder
mkdir /usr/share/debsig/keyrings/3C853823978B07FA
mv gcm-public.gpg /usr/share/debsig/keyrings/3C853823978B07FA/

# Create an appropriate policy file
mkdir /etc/debsig/policies/3C853823978B07FA
cat > /etc/debsig/policies/3C853823978B07FA/generic.pol << EOL
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="https://www.debian.org/debsig/1.0/">

  <Origin Name="Git Credential Manager" id="3C853823978B07FA" Description="Git Credential Manager public key"/>

  <Selection>
    <Required Type="origin" File="gcm-public.gpg" id="3C853823978B07FA"/>
  </Selection>

  <Verification MinOptional="0">
    <Required Type="origin" File="gcm-public.gpg" id="3C853823978B07FA"/>
  </Verification>

</Policy>
EOL

# Download Debian package
curl -s https://api.github.com/repos/git-ecosystem/git-credential-manager/releases/latest \
| grep "browser_download_url.*deb" \
| cut -d : -f 2,3 \
| tr -d \" \
| xargs -I 'url' curl -L -o gcm.deb 'url'

# Verify
debsig-verify gcm.deb
```

What could this be related to? I'll try downloading the .deb file manually and using a package manager (GUI) to install it.

Error

```
$ debsig-verify gcm.deb
debsig: Failed verification for gcm.deb.
```

Specs

OS > Kubuntu 24.04.03 LTS
DE > KDE Plasma version 5.27.12

Additional information

Resource referred.

*If you'd like to validate the package's signature after downloading, check out the instructions here.

GAC-Machine, Dec 07 '25 22:12
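
A first triage step for a `debsig-verify` failure like the one reported above, as an added example that is not part of the original issue or the GCM project's code: debsig stores signatures as extra `ar` members named `_gpg<type>` inside the .deb, so a policy requiring `Type="origin"` needs a `_gpgorigin` member. The script parses the archive and reports whether that member is present or whether the download is not a .deb at all; the function names and sample archives are constructed for illustration.

```python
# Added example: list the ar members of a .deb and report whether the debsig
# "origin" signature member is present. All sample archives are constructed.
AR_MAGIC = b"!<arch>\n"
HEADER_LEN = 60  # name 16, mtime 12, uid 6, gid 6, mode 8, size 10, magic 2

def ar_members(blob):
    """Return [(name, size)] for each member of an ar archive given as bytes."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive (wrong download, e.g. HTML or JSON?)")
    members, pos = [], len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + HEADER_LEN]
        if len(header) < HEADER_LEN or header[58:60] != b"`\n":
            raise ValueError(f"truncated or corrupt member header at offset {pos}")
        name = header[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        if pos + HEADER_LEN + size > len(blob):
            raise ValueError(f"member {name!r} is truncated")
        members.append((name, size))
        pos += HEADER_LEN + size + (size % 2)  # data is padded to an even offset
    return members

def signature_status(blob, sig_type="origin"):
    """Classify a .deb for a debsig policy that requires a sig_type signature."""
    try:
        names = [n for n, _ in ar_members(blob)]
    except ValueError as exc:
        return f"invalid: {exc}"
    if "debian-binary" not in names:
        return "invalid: no debian-binary member"
    if f"_gpg{sig_type}" not in names:
        return f"unsigned: no _gpg{sig_type} member"
    return "signed: run debsig-verify to check the signature against the keyring"

def build_ar(members):
    """Build a constructed ar archive from [(name, data)] for the demo."""
    out = AR_MAGIC
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}".encode() + b"`\n"
        out += data + (b"\n" if len(data) % 2 else b"")
    return out

if __name__ == "__main__":
    base = [("debian-binary", b"2.0\n"), ("control.tar.gz", b"ctl"), ("data.tar.gz", b"data")]
    print(signature_status(build_ar(base)))                            # unsigned
    print(signature_status(build_ar(base + [("_gpgorigin", b"sig")])))  # signed
    print(signature_status(b'{"message": "Not Found"}'))               # invalid
```

To check a real download, pass `open("gcm.deb", "rb").read()` to `signature_status`; a "signed" result only means the member exists, and `debsig-verify` still decides whether the signature is valid.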

Isn't this a straight-up duplicate of #2028?

dscho, Dec 08 '25 13:12

This issue is a duplicate of #2028. Closing as duplicate.

ridgunn, Dec 11 '25 14:12