baz signing failure should be more visible
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| bazaar (Ubuntu) |
Invalid
|
Medium
|
MOTU | ||
Bug Description
If you have a default check for signed archives, but haven't imported the public key of the one signing the archive, it is easy to miss the "gpg: public key not found" in the large amounts of noise bazaar makes:
* checking for <email address hidden>
gpg: Signature made tir 08-03-2005 13:45:51 CET using DSA key ID 84AD676C
gpg: Can't check signature: public key not found
*******
INVALID SIGNATURE ON REVISION!
archive: <email address hidden>
revision dpkg--devel-
checksum file: checksum
*******
trouble reading checksum file for <email address hidden>
It would be nice if baz offered to download the key or at least show that "key missing" was the failure, not "this archive seems to be compromised".
| Changed in bazaar: | |
| assignee: | nobody → bazaar-developers |
| Robert Collins (lifeless) wrote | #1 |
| Changed in bazaar: | |
| assignee: | bazaar-developers → nobody |
| Changed in bazaar: | |
| assignee: | nobody → motu |
| status: | New → Rejected |
"Can't check signature: public key not found" seems fairly clear to me. With the older gpg signing scripts we dont get any more visiblility than that.
I'm betting you are using baz 1.3, or have not run baz upgrade for baz 1.4.