Subject: various tests: gpg: WARNING: "--secret-keyring" is an obsolete option - it has no effect
Date: Sat, 28 Oct 2023 19:31:13 -0400
Package: devscripts
Version: 2.23.6
Severity: normal
Hi,
While creating a local bpo of devscripts 2.23.6 I noticed many
warnings like this:
gpg: WARNING: "--secret-keyring" is an obsolete option - it has no effect
in the build log. They are also visible on autobuilders
https://buildd.debian.org/status/fetch.php?pkg=devscripts&arch=all&ver=2.23.6&stamp=1692766249&raw=0
https://ci.debian.net/data/autopkgtest/unstable/amd64/d/devscripts/39069460/log.gz
etc.
From what I've read this might be an old gpg2 migration bug; although,
I seem to remember reading that it only affects >= gnupg 2.1. Either
way, builds pass, it looks like we may have successfully released
bookworm despite this issue, and so maybe we can just drop this
argument (as well as the secret key identifier)?
$ ag secret-keyring
test/lib_test_uscan
89: --secret-keyring "$PRIVATE_KEYRING" --default-key \
test/test_mk-origtargz
99: --secret-keyring "$PRIVATE_KEYRING"
test/test_package_lifecycle
73: --secret-keyring $PRIVATE_KEYRING --default-key 72543FAF \
test/test_uscan_ftp
184: --secret-keyring $PRIVATE_KEYRING --default-key 72543FAF \
189: --secret-keyring $PRIVATE_KEYRING --default-key 72543FAF \
test/test_uscan_mangle
211: --secret-keyring $PRIVATE_KEYRING --default-key 72543FAF \
216: --secret-keyring $PRIVATE_KEYRING --default-key 72543FAF \
221: --secret-keyring $PRIVATE_KEYRING --default-key 72543FAF \
Does someone see a better solution, or would you like me to take care
of deleting "--secret-keyring $PRIVATE_KEYRING"? Alternatively, is
there someone who is taking care of gnupg2 migration issues? This
is the second bug I found, and I wonder if I should be CCing someone.
No, I don't want to make gnupg2 migration a project of mine ;)
Regards,
Nicholas
Acknowledgement sent to "Diederik de Haas":
Extra info received and forwarded to list. Copy sent to Devscripts Maintainers.
(Fri, 21 Mar 2025 12:30:01 GMT)
On Sun Oct 29, 2023 at 1:31 AM CEST, Nicholas D Steeves wrote:
> Package: devscripts
> Version: 2.23.6
> Severity: normal
>
> While creating a local bpo of devscripts 2.23.6 I noticed many
> warnings like this:
>
> gpg: WARNING: "--secret-keyring" is an obsolete option - it has no effect
>
> in the build log. They are also visible on autobuilders
I noticed these warnings in Salsa's CI too, so did a bit of digging.
https://dev.gnupg.org/T2749 "gpg --secret-keyring is silently ignored"
Caused the issue to no longer be *silently* ignored, hence the warning.
Later in that bug report was a mention of the GnuPG 2.1 release notes:
https://www.gnupg.org/download/release_notes.html#gnupg-2.1.0
which is a massive list, but this page is more useful:
https://www.gnupg.org/faq/whats-new-in-2.1.html and then especially:
https://www.gnupg.org/faq/whats-new-in-2.1.html#nosecring
Quoting some relevant parts:
gpg used to keep the public key pairs in two files: pubring.gpg and
secring.gpg. The only difference is that secring stored in addition to
the public part also the private part of the key pair. The secret
keyring thus contained only the keys for which a private key is
available, that is the user’s key.
The design of GnuPG-2 demands that only the gpg-agent has control over
the private parts of the keys ...
With GnuPG 2.1 this changed and gpg now also delegates all private key
operations to the gpg-agent. Thus there is no more code in the gpg
binary for handling private keys.
The commit which now triggers that gpg warning was:
e841bf5ba5b8 ("test_uscan_mangle: test signature")
But unfortunately it doesn't describe what it intended to do with those
tests, which may be needed in order to (properly) rewrite that test code.
I don't know how to fix it, but hopefully this additional info is still
useful.
Cheers,
Diederik
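Added example, not part of either message and not devscripts code: one way a test can obtain a signing key on GnuPG 2.1 or later, where the private key lives in gpg-agent's store inside GNUPGHOME rather than in a file named by --secret-keyring. The function names, the user ID and the file paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not devscripts code): give a test a signing key on
# GnuPG >= 2.1 without --secret-keyring. Function names, the user ID and
# file names are constructed for illustration.

# Isolated GnuPG home: gpg and gpg-agent both honour GNUPGHOME, so the
# caller's real keyrings are never touched.
make_gnupghome() {
    GNUPGHOME=$(mktemp -d) || return 1
    chmod 700 "$GNUPGHOME"
    export GNUPGHOME
}

# Passphrase-less, sign-only throwaway key. gpg-agent stores the private
# part under $GNUPGHOME/private-keys-v1.d; no secring.gpg is created.
make_test_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed Test Key <test@example.invalid>' \
        ed25519 sign never
}

# Fingerprint of the first secret key, for use with --local-user.
test_key_fpr() {
    gpg --batch --with-colons --list-secret-keys |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Detach-sign a file, then verify it; non-zero exit on a bad signature.
sign_and_verify() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$(test_key_fpr)" --armor --detach-sign \
        --output "$1.asc" "$1" || return 1
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

# Stop the per-home agent and delete the key material.
cleanup_gnupghome() {
    [ -n "${GNUPGHOME:-}" ] || return 0
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf -- "$GNUPGHOME"
    unset GNUPGHOME
}
```

A test that ships an exported secret key instead of generating one would replace make_test_key with a `gpg --batch --import` of that file, which hands the private part to the agent.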