Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at

Bug 1801338

Summary: Changes to gpgv options used in debmirror 2.33 break gpg signature verification.
Product: [Fedora] Fedora EPEL Reporter: Donald Ledford <ledfordd>
Component: debmirrorAssignee: Sergio Basto <sergio>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: epel7CC: puiterwijk, sergio
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Fixed In Version: debmirror-2.30-4.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-16 16:06:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Donald Ledford 2020-02-10 16:53:26 UTC
Description of problem: The 2.33-1 update to debmirror breaks syncing DEB repos with gpg signature verification enabled.

Version-Release number of selected component (if applicable): 2.33-1.el7

How reproducible: Update debmirror from 2.32-1 to 2.33-1 and attempt to sync a DEB repo with signature verification enabled.

Steps to Reproduce:
1. Update debmirror to 2.33-1
2. Sync DEB mirror with GPG signature verification turned on.

Actual results: 
debmirror reports an error with the message:
gpgv: invalid option "--output"
.temp/.tmp/dists/xenial/Release.gpg signature does not verify.

Expected results:
The repo syncs without errors.

Downgrade debmirror from 2.33 to 2.32.

Additional info:
This appears to be happening because the version of GPG in CentOS 7, 2.0.22, does not have the "--output" option.

Line 2255 in debmirror 2.33 is:
my @gpgv = qw(gpgv --output - --status-fd);

The gpgv call in debmirror 2.32 is made on line 2160 and does not contain the "--output" option:
my @gpgv = qw(gpgv --status-fd 1);

Rebasing GPG2 for CentOS/RHEL 7 to a newer 2.2.x release would resolve this issue but it's probably easier to back the change out of debmirror.

Comment 1 Donald Ledford 2020-02-10 16:56:33 UTC
Sorry, I meant 2.30-1 not 2.32-1 in the above comment.

Comment 2 Sergio Basto 2020-02-12 07:19:10 UTC
Thank you for the report 

use mean just remove "--output -" fixes the problem ?

Comment 3 Donald Ledford 2020-02-12 16:48:43 UTC
I'm not sure that just removing "--output -" would resolve the issue. 

It appears the code changes between 2.30 and 2.33 added lines to dynamically change the "--status-fd" FD number at runtime. The code appears to check the gpgv STDOUT for a good signature message. If --status-fd isn't 1 or 2 the Perl code may not get the gpgv command output to check. I'm guessing that "--output -" was added so the output is always sent to STDOUT and other messages can be sent to other FD descriptors with the dynamic "--status-fd" FD option.

The code change for this functionality was done in commit 3b5c84e534e52f51e0a6373223483f1130d45e3e in response to Debian bug 918304. The first release of debmirror with these changes was version 2.31.

See here:

and here:

I'll be honest, I'm not a programmer and Perl isn't a language I'm super familiar with so I'm guessing on the above analysis.

I reverted the debmirror package to 2.30-1 and pinned it on my production system to work around this bug. My repos are still syncing correctly with the 2.30-1 package and GPG signature verification turned on.

Comment 4 Sergio Basto 2020-02-15 03:01:55 UTC
OK, no worries,  maybe the best is rollback to debmirror-2.30 in el7 , isn't it .

Thanks for the report

Comment 5 Fedora Update System 2020-03-01 23:07:51 UTC
debmirror-2.30-4.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See for
instructions on how to install test updates.
You can provide feedback for this update here:

Comment 6 Fedora Update System 2020-03-16 16:06:11 UTC
debmirror-2.30-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.