I suspect this may be due to gpg updates, not git, but I'm about to
leave for the airport in an hour and don't have time to look into it
more closely right now.
Because of the imminent travel, I did a "git pull" on my laptop, and
it doesn't have all the pgp keys I have on my desktop. It was a signed
tag, but the pull results in:
commit bfeb4f9977348daaaf7283ff365d81f7ee95940a
merged tag 'zonefs-5.6-rc4'
No signature
Merge: 45d0b75b98bf 0dda2ddb7ded
Author: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Date: 5 minutes ago
Merge tag 'zonefs-5.6-rc4' of
git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/zonefs
Pull zonefs fixes from Damien Le Moal:
"Two fixes in here:
....
and notice the "No signature". It's entirely wrong. There _is_ a
signature, it's just that we don't have the key.
And the "No signature" thing is particularly unhelpful, because it now
doesn't show us what key is missing, like it used to.
"git verify-tag" still works correctly:
[torvalds@xps13 linux]$ git verify-tag FETCH_HEAD
gpg: Signature made Fri 28 Feb 2020 12:03:36 AM PST
gpg: using EDDSA key 913EFF2D612BE1C00CC97738DDA1CDD2C5DA1876
gpg: Can't check signature: No public key
and shows the key ID, and properly says "Can't check signature" (which
is very very different from "No signature").
This is a big regression. The "No signature" message really is
completely incorrect, and is very very wrong indeed.
I suspect it's due to this commit:
72b006f4bf ("gpg-interface: prefer check_signature() for GPG verification")
but as mentioned I don't have the ability to really dig deeper right now.
Linus
