* On 2026-01-04 at 06:19 GMT, Taylor R Campbell wrote:
security/netpgpverify: Handle issuer fingerprint subpackets.
Thank you! I can confirm this works with my newer gpg2-signed packages, and I can now drop my local patch for this.
This is an extremely dodgy stop-gap measure to verify signatures produced by gpg2. It does nothing to address pervasive problems in netpgpverify, like PR security/57449 or PR bin/59823, or even more narrowly scoped problems with using keyids instead of fingerprints. I'm a little reluctant to even commit this stop-gap because the problems are so bad, and a band-aid won't fix a spurting carotid.
Unfortunately nobody other than me is interested in signed packages, but despite the issues both myself and my users are very grateful it works.
Cheers, -- Jonathan Perkin pkgsrc.smartos.org Open Source Complete Cloud www.tritondatacenter.com