Backporting Using Prevu

The prevu package automates the backporting of packages from the current development release of Ubuntu to a stable release. It is simple to use, but there are a couple of gotchas caused by scripts it calls from the devscripts package, and these require workarounds:

  1. dscverify doesn't check the Ubuntu archive keys when verifying source package signatures, which causes it to fail.
  2. dscverify fails with some development packages because they are signed by an individual developer's key, not the Ubuntu archive or master key.

The first issue produces this error:

dscverify: can't find any Debian keyrings

The fix is to add

/usr/share/keyrings/ubuntu-archive-keyring.gpg
/usr/share/keyrings/ubuntu-master-keyring.gpg

to the list of keyrings checked by the devscripts script /usr/bin/dscverify.

I've posted debdiff patches to the bug report on Launchpad for this: Bug #228296: dscverify does not find Debian keyring

The second issue is solved by adding a custom setting to the ~/.devscripts configuration file:

DSCVERIFY_KEYRINGS=~/.gnupg/pubring.gpg

This causes dscverify to pass the user's public keyring to gpg.

Now, when a package's signing key can't be found in the public keyring, its ID can be used to import the key into the user keyring:

gpg: Signature made Sun 03 Aug 2008 11:51:28 BST using DSA key ID 1F41B907
gpg: Can't check signature: public key not found

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 1F41B907

The package signature should now verify against the newly imported public key in the user keyring.
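
The import step above can be scripted. The following is an added example, not part of the original page or of devscripts: it pulls the missing key IDs out of gpg output in the format shown above, validates them, fetches each key and prints its fingerprint for comparison. The script name fetch-missing-keys.sh and the sample output are constructed for illustration, apart from key ID 1F41B907, which is the one quoted on the page.

```shell
#!/bin/sh
# Added example (not from the original page). Sample output is constructed,
# except for key ID 1F41B907, which is the one quoted on the page.
sample_output() {
    cat <<'EOF'
gpg: Signature made Sat 02 Aug 2008 09:15:02 BST using DSA key ID 0A1B2C3D
gpg: Good signature from "Example Uploader <uploader@example.org>"
gpg: Signature made Sun 03 Aug 2008 11:51:28 BST using DSA key ID 1F41B907
gpg: Can't check signature: public key not found
EOF
}

# Read gpg output on stdin; print each key ID whose signature could not be
# checked because the public key is missing (one per line, de-duplicated).
missing_key_ids() {
    awk '
        /^gpg: Signature made .* key ID [0-9A-Fa-f]+$/ { id = $NF; next }
        /^gpg: Can.t check signature: public key not found/ {
            if (id != "") print id
            id = ""
        }
    ' | sort -u
}

# Accept only hex key IDs of 8, 16 or 40 digits, so nothing else parsed from
# the log is ever passed to gpg as an argument.
valid_key_id() {
    case $1 in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    case ${#1} in
        8|16|40) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: dscverify package.dsc 2>&1 | sh fetch-missing-keys.sh --fetch
if [ "${1:-}" = "--fetch" ]; then
    missing_key_ids | while read -r id; do
        valid_key_id "$id" || { echo "skipping odd key ID: $id" >&2; continue; }
        gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys "$id" </dev/null
        # Short IDs are not unique: compare the full fingerprint with one
        # obtained from a source you trust before relying on the key.
        gpg --fingerprint "$id" </dev/null
    done
fi
```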