Just from the first few lines in the emerge:

```
$ sudo rm /var/cache/distfiles/make* && sudo rm -rf /var/tmp/portage/* && sudo emerge -av make

These are the packages that would be merged, in order:

Calculating dependencies... done!
Dependency resolution took 1.04 s (backtrack: 0/20).

[ebuild R ] dev-build/make-4.4.1-r1::gentoo USE="doc* nls verify-sig -guile -static -test" 2,294 KiB

Total: 1 package (1 reinstall), Size of downloads: 2,294 KiB

Would you like to merge these packages? [Yes/No] y
>>> Verifying ebuild manifests
>>> Emerging (1 of 1) dev-build/make-4.4.1-r1::gentoo
>>> Downloading 'https://gentoo.osuosl.org/distfiles/c7/make-4.4.1.tar.gz'
--2024-04-21 08:10:41-- https://gentoo.osuosl.org/distfiles/c7/make-4.4.1.tar.gz
Resolving gentoo.osuosl.org... 2600:3404:200:237::2, 2600:3402:200:227::2, 2605:bc80:3010::134, ...
Connecting to gentoo.osuosl.org|2600:3404:200:237::2|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2348200 (2.2M) [application/x-gzip]
Saving to: ‘/var/cache/distfiles/make-4.4.1.tar.gz.__download__’

/var/cache/distfile 100%[===================>] 2.24M 830KB/s in 2.8s

2024-04-21 08:10:44 (830 KB/s) - ‘/var/cache/distfiles/make-4.4.1.tar.gz.__download__’ saved [2348200/2348200]

 * make-4.4.1.tar.gz BLAKE2B SHA512 size ;-) ... [ ok ]
>>> Downloading 'https://gentoo.osuosl.org/distfiles/ea/make-4.4.1.tar.gz.sig'
--2024-04-21 08:10:44-- https://gentoo.osuosl.org/distfiles/ea/make-4.4.1.tar.gz.sig
Resolving gentoo.osuosl.org... 2600:3402:200:227::2, 2600:3404:200:237::2, 2605:bc80:3010::134, ...
Connecting to gentoo.osuosl.org|2600:3402:200:227::2|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 833 [application/pgp-signature]
Saving to: ‘/var/cache/distfiles/make-4.4.1.tar.gz.sig.__download__’

/var/cache/distfile 100%[===================>] 833 --.-KB/s in 0s

2024-04-21 08:10:45 (1.31 GB/s) - ‘/var/cache/distfiles/make-4.4.1.tar.gz.sig.__download__’ saved [833/833]

 * make-4.4.1.tar.gz.sig BLAKE2B SHA512 size ;-) ... [ ok ]
>>> Unpacking source...
>>> Unpacking make-4.4.1.tar.gz to /var/tmp/portage/dev-build/make-4.4.1-r1/work
>>> Unpacking make-4.4.1.tar.gz.sig to /var/tmp/portage/dev-build/make-4.4.1-r1/work
unpack make-4.4.1.tar.gz.sig: file format not recognized. Ignoring.
```

This signature file doesn't have an unrecognized format, and, arguably, if it fails the signature validation for this reason, or any reason, it should throw an error rather than silently ignoring it.

There doesn't seem to be a problem with the file or the signature:

```
$ gpg --import /usr/share/openpgp-keys/make.asc
gpg: key 80CB727A20C79BB2: 2 signatures not checked due to missing keys
gpg: /home/anthony/.gnupg/trustdb.gpg: trustdb created
gpg: key 80CB727A20C79BB2: public key "Paul D. Smith <paul@mad-scientist.net>" imported
gpg: key C880290BAE084F1D: public key "Boris Kolpackov <boris@kolpackov.net>" imported
gpg: key 91C1262F01EB8D39: public key "Eli Zaretskii (eliz) <eliz@gnu.org>" imported
gpg: key E78DAE0F3115E06B: public key "Eli Zaretskii <eliz@gnu.org>" imported
gpg: Total number processed: 4
gpg: imported: 4
gpg: no ultimately trusted keys found
$ gpg --verify make-4.4.1.tar.gz.sig
gpg: assuming signed data in 'make-4.4.1.tar.gz'
gpg: Signature made Sun 26 Feb 2023 12:06:19 PM PST
gpg: using RSA key B2508A90102F8AE3B12A0090DEACCAAEDB78137A
gpg: Good signature from "Paul D. Smith <paul@mad-scientist.net>" [unknown]
gpg: aka "Paul D. Smith <psmith@gnu.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6D4E EB02 AD83 4703 510B 1176 80CB 727A 20C7 9BB2
Subkey fingerprint: B250 8A90 102F 8AE3 B12A 0090 DEAC CAAE DB78 137A
```

(I'm assuming the "no ultimately trusted keys found" and the "This key is not certified with a trusted signature!" are because I haven't imported the entire chain, but I'm going to assume that psmith@gnu.org's signature from the public key is actually legit.)

Maybe whatever `verify-sig` uses doesn't like the signature file? `file` says it's an "old" PGP signature type:

```
$ file make-4.4.1.tar.gz.sig
make-4.4.1.tar.gz.sig: PGP signature Signature (old)
```

But `gpg` doesn't have that problem, so I'm not sure.

While I'm able to demonstrate this using the files from OSUOSL, I'm able to verify that both the tarball on OSUOSL's site and the tarball in https://ftp.gnu.org/gnu/make/ are the same, and produce the same error.

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85423df7972767095b2ad59d10b9c44857d74dc8

```
commit 85423df7972767095b2ad59d10b9c44857d74dc8
Author: Sam James <sam@gentoo.org>
AuthorDate: 2024-04-22 03:58:34 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-04-22 03:58:48 +0000

    dev-build/make: fix USE=verify-sig in src_unpack

    Closes: https://bugs.gentoo.org/930392
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-build/make/make-4.4.1-r1.ebuild | 2 +-
 dev-build/make/make-9999.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
```

before:

```
$ rg git-r3_src_unpack -l | xargs grep -rsin "verify-sig" -l | xargs grep -L "verify-sig_"
dev-build/make/make-9999.ebuild
dev-build/make/make-4.4.1-r1.ebuild
```

after: no results

so no other cases, I think. Thanks!
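
The before/after check in the last comment, generalized from ebuilds that call `git-r3_src_unpack` to any ebuild that defines its own `src_unpack()`, as an added example (not from the bug thread or the Gentoo repository). It is a heuristic resting on the assumption that an ebuild overriding `src_unpack` has to call a `verify-sig_*` function itself for `USE=verify-sig` to take effect; the function names `audit_verify_sig` and `make_sample_tree` and all ebuild contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: heuristic audit for ebuilds whose own src_unpack() may skip
# signature verification. All ebuild contents below are constructed samples.

# Print (relative to $1) every *.ebuild that mentions verify-sig, defines
# src_unpack() itself, and never calls a verify-sig_* function.
audit_verify_sig() {
    repo=$1
    find "$repo" -type f -name '*.ebuild' | LC_ALL=C sort | while IFS= read -r f; do
        if grep -q 'verify-sig' "$f" &&
           grep -Eq '^src_unpack[[:space:]]*\(\)' "$f" &&
           ! grep -q 'verify-sig_' "$f"; then
            printf '%s\n' "${f#"$repo"/}"
        fi
    done
}

# Build a constructed tree: one ebuild that overrides src_unpack without a
# verify-sig_* call, one that makes the call, one that keeps the eclass default.
make_sample_tree() {
    mkdir -p "$1/cat/unfixed" "$1/cat/fixed" "$1/cat/plain"
    cat > "$1/cat/unfixed/unfixed-1.ebuild" <<'EOF'
inherit verify-sig
src_unpack() {
	if [[ ${PV} == 9999 ]] ; then
		git-r3_src_unpack
	else
		default
	fi
}
EOF
    cat > "$1/cat/fixed/fixed-1.ebuild" <<'EOF'
inherit verify-sig
src_unpack() {
	if [[ ${PV} == 9999 ]] ; then
		git-r3_src_unpack
	else
		verify-sig_src_unpack
	fi
}
EOF
    printf 'inherit verify-sig\n' > "$1/cat/plain/plain-1.ebuild"
}

demo_tree=$(mktemp -d)
make_sample_tree "$demo_tree"
audit_verify_sig "$demo_tree"
rm -rf "$demo_tree"
```

A flagged ebuild is a candidate for manual review, not a confirmed bypass.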