Bug 218239 - mail-filter/spamassassin: sa-update doesn't work anymore since upgrading to app-crypt/gnupg-2.0.9
Status: RESOLVED DUPLICATE of bug 228557
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High major
Assignee: Gentoo Perl team
Reported: 2008-04-18 09:38 UTC by valli
Modified: 2008-07-02 12:21 UTC
Description valli 2008-04-18 09:38:42 UTC
We use SpamAssassin's sa-update to update the Spam rules.
Since upgrading to app-crypt/gnupg-2.0.9 this doesn't work anymore.

command> sa-update -D

Here are the relevant parts of the debugging output:
Before upgrading:
=================
...
[12796] dbg: gpg: calling gpg
[12796] dbg: gpg: gpg: Signature made Wed Apr 16 11:28:44 2008 CEST using RSA key ID 24F434CE
[12796] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
[12796] dbg: gpg: gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
[12796] dbg: gpg: [GNUPG:] SIG_ID 7agI00MS5ABPxnYnYHTQ8g3rxog 2008-04-16 1208338124
[12796] dbg: gpg: [GNUPG:] GOODSIG 6C55397824F434CE updates.spamassassin.org Signing Key <release@spamassassin.org>
[12796] dbg: gpg: gpg: Good signature from "updates.spamassassin.org Signing Key <release@spamassassin.org>"
[12796] dbg: gpg: [GNUPG:] VALIDSIG 0C2B1D7175B852C64B3CDC716C55397824F434CE 2008-04-16 1208338124 0 3 0 1 2 00 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45
[12796] dbg: gpg: [GNUPG:] TRUST_UNDEFINED
[12796] dbg: gpg: gpg: WARNING: This key is not certified with a trusted signature!
...
sa-update doesn't terminate here, everything works fine


After upgrading:
================
...
[24121] dbg: gpg: calling gpg
[24121] dbg: gpg: gpg: Signature made Wed Apr 16 11:28:44 2008 CEST using RSA key ID 24F434CE
[24121] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
[24121] dbg: gpg: gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
[24121] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1
[24121] dbg: gpg: gpg: Can't check signature: General error
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
[24121] dbg: generic: cleaning up temporary directory/files
[24121] dbg: diag: updates complete, exiting with code 4

sa-update terminates here with error exit!

Reproducible: Always

Steps to Reproduce:
1. sa-update -D
Comment 1 Graham Murray 2008-04-27 06:03:21 UTC
A workaround is to add the '--nogpg' option to the sa-update command line. 
Comment 2 Ooblick 2008-05-01 09:09:50 UTC
There's an entry on the spamassassin wiki about this:

http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified

Follow the instructions there to import the new GPG key:

wget http://spamassassin.apache.org/updates/GPG.KEY
sa-update --import GPG.KEY

sa-update should now work.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2008-05-01 10:21:32 UTC
Just as an additional comment, this seems to be fixed upstream as of spamassassin svn rev. 610699, but not in any release yet. See https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5775

Comment 4 valli 2008-07-02 12:21:56 UTC
This is fixed in spamassassin 3.2.5.
From the spamassassin 3.2.5 announcement:
...
- bug 5775: newer gpg versions require keys to be cross-certified (backsig).
  Did a cross-verify on our sa-update public key and re-exported.
  If you are already seeing "GPG validation failed" errors from sa-update,
  see http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified .)
...
(http://svn.apache.org/repos/asf/spamassassin/branches/3.2/build/announcements/3.2.5.txt)

Marked as duplicate of bug #228557

*** This bug has been marked as a duplicate of bug 228557 ***
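
The two debug excerpts in the description differ only in the `[GNUPG:]` status lines, so a monitoring check can tell "signature could not be checked" (ERRSIG) apart from "signature is wrong" (BADSIG) and from a pass tied to the expected primary key. This is an added example, not part of the bug report or of SpamAssassin; the field layouts follow GnuPG's doc/DETAILS, the sample lines are copied from the report, and `classify` plus the choice to pin the primary fingerprint are assumptions of the example.

```python
import re

# Machine-readable gpg status lines as they appear inside `sa-update -D` output.
STATUS = re.compile(r"\[GNUPG:\] (\w+) ?(.*)")

# Primary-key fingerprint as printed on the VALIDSIG line in the report;
# pinning it here is an assumption of this example.
PINNED_PRIMARY = "5E541DC959CB8BAC7C78DFDC4056A61A5244EC45"

# Status lines copied from the "before" and "after" excerpts of the report.
BEFORE = """\
[12796] dbg: gpg: [GNUPG:] GOODSIG 6C55397824F434CE updates.spamassassin.org Signing Key <release@spamassassin.org>
[12796] dbg: gpg: [GNUPG:] VALIDSIG 0C2B1D7175B852C64B3CDC716C55397824F434CE 2008-04-16 1208338124 0 3 0 1 2 00 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45
[12796] dbg: gpg: [GNUPG:] TRUST_UNDEFINED
"""
AFTER = """\
[24121] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1
[24121] dbg: gpg: gpg: Can't check signature: General error
"""

def classify(debug_output, pinned=PINNED_PRIMARY):
    """Return (verdict, detail) for the gpg run found in sa-update -D output."""
    seen = {}
    for line in debug_output.splitlines():
        m = STATUS.search(line)
        if m:
            seen[m.group(1)] = m.group(2).split()
    if "BADSIG" in seen:
        # The data does not match the signature: treat as possible tampering.
        return "bad", "signature mismatch, key " + seen["BADSIG"][0]
    if "ERRSIG" in seen:
        # ERRSIG <keyid> <pkalgo> <hashalgo> <sig_class> <time> <rc>
        f = seen["ERRSIG"]
        return "unverifiable", "key %s rc=%s" % (f[0], f[5])
    if "VALIDSIG" in seen:
        # The 10th VALIDSIG field, when present, is the primary-key fingerprint.
        f = seen["VALIDSIG"]
        primary = f[-1] if len(f) >= 10 else f[0]
        if primary == pinned:
            return "verified", "signed by subkey " + f[0]
        return "untrusted-key", "primary " + primary
    return "no-signature", "no gpg status lines found"

if __name__ == "__main__":
    print(classify(BEFORE))
    print(classify(AFTER))
```

Only the `verified` verdict should let an update through; `unverifiable` is the state this bug produces and points at the key or the gpg setup rather than at the downloaded rules.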