apt-get source <package> fails to verify signatures on any packages
$ apt-get source dpkg-dev
Reading package lists... Done
Picking 'dpkg' as source package instead of 'dpkg-dev'
Selected version '1.18.10' (testing) for dpkg
NOTICE: 'dpkg' packaging is maintained in the 'Git' version control system at:
https://anonscm.debian.org/git/dpkg/dpkg.git
Please use:
git clone https://anonscm.debian.org/git/dpkg/dpkg.git
to retrieve the latest (possibly unreleased) updates to the package.
Need to get 4,647 kB of source archives.
Get:1 http://10.1.0.3:3142/auto.mirror.devuan.org/merged ascii/main dpkg 1.18.10 (dsc) [2,030 B]
Get:2 http://10.1.0.3:3142/auto.mirror.devuan.org/merged ascii/main dpkg 1.18.10 (tar) [4,645 kB]
Fetched 4,647 kB in 3s (1,386 kB/s)
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/home/omega/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made Sun 31 Jul 2016 15:34:20 BST
gpgv: using RSA key B972BF3EA4AE57A3
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./dpkg_1.18.10.dsc
dpkg-source: info: extracting dpkg in dpkg-1.18.10
dpkg-source: info: unpacking dpkg_1.18.10.tar.xz
Ignoring the other errors, the key bit here is 'gpgv: Can't check signature: No public key'.
After some investigation, it turns out that Devuan is missing a bit of distro-specific customisation to separate it from Debian - in '/etc/dpkg/origins', Devuan is clearly a different 'vendor' from Debian. Through this, the dpkg system wants to find the 'Devuan' vendor when it's looking for configuration.
The tool that actually forks off gpgv to check the *.dsc file is dpkg-source, and in order to determine the keyring arguments to pass to gpgv, it checks the appropriate 'vendor' perl module (why isn't this in some normal config file??) - these are stored in '/usr/share/perl5/Dpkg/Vendor'. Note there is no Devuan.pm here.
So in the normal case, Debian.pm:run_hook is called with 'keyrings', and subsequently returns '/usr/share/keyrings/debian-keyring.gpg' and '/usr/share/keyrings/debian-maintainers.gpg' - as there is no Devuan file, no system keyrings are returned at all, just the user's keyring by default.
Currently I've just seen this affect apt-get source, but I have no idea if anything else relies on the appropriate 'vendor' file in '/usr/share/perl5/Dpkg/Vendor' - regardless, this is a security breach.
User workaround: Since we now know where this config is kept and therefore what keyrings to use, just call gpgv yourself in the right directory:
gpgv --keyring /usr/share/keyrings/debian-keyring.gpg --keyring /usr/share/keyrings/debian-maintainers.gpg *.dsc
Note for random readers: Once the dsc has been checked out, make sure to hash the upstream and Debian tars and compare with the hashes reported in the dsc, otherwise no real checking has been done at all.
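As an added example (not part of this bug report): a POSIX sh helper for that last step, run only after gpgv has accepted the .dsc. It reads the Checksums-Sha256 field of the .dsc and compares the size and SHA-256 of every file it lists; make_demo_dsc builds a constructed stand-in package directory to run it against.

```shell
# Check the files beside a .dsc against its Checksums-Sha256 field. Do this only
# after gpgv has accepted the .dsc signature: the checksums are only as
# trustworthy as the signed .dsc they come from (clearsigned files parse the same).
check_dsc_checksums() {
    dsc="$1"
    dir=$(dirname "$dsc")
    # Continuation lines look like " <sha256> <size> <filename>"; the field ends
    # at the first non-indented line.
    entries=$(awk '/^Checksums-Sha256:/ { grab = 1; next }
                   grab && /^ / { print $1, $2, $3; next }
                   grab { grab = 0 }' "$dsc")
    if [ -z "$entries" ]; then
        echo "no Checksums-Sha256 field in $dsc" >&2; return 1
    fi
    status=0
    # Here-document rather than a pipe, so $status survives the loop in every sh.
    while read -r want_sum want_size name; do
        file="$dir/$name"
        if [ ! -f "$file" ]; then
            echo "MISSING  $name" >&2; status=1; continue
        fi
        have_size=$(wc -c < "$file" | tr -d ' ')
        have_sum=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$have_size" -ne "$want_size" ] || [ "$have_sum" != "$want_sum" ]; then
            echo "MISMATCH $name" >&2; status=1
        else
            echo "OK       $name"
        fi
    done <<EOF
$entries
EOF
    return $status
}
# Constructed demo input (not a real package): two tiny stand-in "tarballs" and
# a .dsc whose Checksums-Sha256 field describes them. Prints the .dsc path.
make_demo_dsc() {
    dir="$1"
    printf 'upstream bytes\n' > "$dir/demo_1.0.orig.tar.xz"
    printf 'debian bytes\n' > "$dir/demo_1.0-1.debian.tar.xz"
    {
        echo "Source: demo"
        echo "Checksums-Sha256:"
        for f in demo_1.0.orig.tar.xz demo_1.0-1.debian.tar.xz; do
            echo " $(sha256sum "$dir/$f" | cut -d' ' -f1) $(wc -c < "$dir/$f" | tr -d ' ') $f"
        done
        echo "Files:"
    } > "$dir/demo_1.0-1.dsc"
    echo "$dir/demo_1.0-1.dsc"
}
```

Against a real download, call check_dsc_checksums on the fetched .dsc after the gpgv command above succeeds; a MISSING or MISMATCH line means the tarballs are not the ones the signed .dsc describes.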
Devuan Ascii
apt: 1.3.1
dpkg-dev: 1.18.10 (provides dpkg-source)