@mgorny@social.treehouse.systems2024-05-07 12:20:33
The latest Django releases were signed by another person, so I needed to update the #Gentoo keyring used to verify them. The keyring is created via fetching the #PGP keys from different sources, and then concatenating them to a single file. However, today I wasn't able to get the new key to work! Or more precisely, to get #GnuPG to correctly import the concatenated keys.
It simply imported 3 out of 4 keys, with no error or whatever. I've scratched my head, tried removing one old key that wasn't used by any of the current releases — then got 2 out of 3. I've tried reordering the keys, but then the other necessary key was ignored. I ran out of time and gave up for the moment.
Now, I've taken another look… and I've found the issue. Turns out that #GitHub, in their magic `.gpg` URLs, is outputting the ASCII-armored #OpenPGP keys without a trailing newline. While this technically isn't broken if the key is imported directly, concatenating it to another key creates a broken file with:
```
-----END PGP PUBLIC KEY BLOCK----------BEGIN PGP PUBLIC KEY BLOCK-----
```
and *of course* GnuPG silently ignores the later key instead of reporting a problem.
https://github.com/orgs/community/discussions/122729
