Description: Fix GPG signature verification to wrap all GpgError exceptions
 The GPGSignatureVendor.verify() method only caught gpg.errors.BadSignatures,
 but invalid signature data can cause GPGMEError (a sibling class of BadSignatures, not its parent)
 to be raised instead. Both BadSignatures and GPGMEError inherit from GpgError.
 .
 This patch catches gpg.errors.GpgError (the common base class) so that both
 BadSignatures and GPGMEError are wrapped in BadSignature exceptions.
 .
 Additionally, handle the case where ctx.verify() returns successfully but
 with no signatures (as can happen with some GPGME versions when given
 completely invalid signature data).
Author: Jelmer Vernooĳ <jelmer@jelmer.uk>
Bug-Debian: https://bugs.debian.org/1126635
Bug-Debian: https://bugs.debian.org/1127667
Bug-Debian: https://bugs.debian.org/1131202
Forwarded: not-needed
Last-Update: 2026-03-24

Index: dulwich-debian/dulwich/signature.py
===================================================================
--- dulwich-debian.orig/dulwich/signature.py
+++ dulwich-debian/dulwich/signature.py
@@ -281,6 +281,10 @@ class GPGSignatureVendor(SignatureSigner
                     signature=signature,
                 )
 
+                # Check that we actually got valid signatures
+                if not result.signatures:
+                    raise BadSignature("GPG signature verification failed: no signatures found")
+
                 # Check minimum trust level if configured
                 if self.min_trust_level is not None:
                     min_validity = trust_level_map.get(self.min_trust_level)
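Review bot: The comment above the new check, `# Check that we actually got valid signatures`, claims more than `if not result.signatures:` establishes — an empty signature list is detected, but nothing on this line decides whether the signatures that are present are valid. The reason the check exists is given in the commit description (some GPGME versions return success with an empty list for malformed data) and belongs in the code; suggest `# Some GPGME versions report success with an empty signature list for malformed signature data; fail closed rather than treat the object as verified.` The verify() body and the try/with it sits in start before this hunk, so whether each signature's status is checked elsewhere cannot be confirmed from here.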
@@ -306,7 +310,7 @@ class GPGSignatureVendor(SignatureSigner
                         signing_keys=signing_fprs,
                         trusted_keys=list(self.keyids),
                     )
-        except gpg.errors.BadSignatures as e:
+        except gpg.errors.GpgError as e:
             raise BadSignature(f"GPG signature verification failed: {e}") from e
 
 
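Review bot: Catching `gpg.errors.GpgError` at the replaced except line also wraps failures unrelated to the signature bytes — an unreadable keyring, a misconfigured engine, or a missing-key case — as `BadSignature`. Failing closed is the right outcome, but the message should let an operator tell "signature rejected" apart from "verification could not run", e.g. `raise BadSignature(f"GPG signature verification failed: {type(e).__name__}: {e}") from e`. The try statement this handler belongs to begins before the hunk.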
Index: dulwich-debian/tests/test_signature.py
===================================================================
--- dulwich-debian.orig/tests/test_signature.py
+++ dulwich-debian/tests/test_signature.py
@@ -142,11 +142,13 @@ class GPGSignatureVendorTests(unittest.T
 
     def test_verify_invalid_signature(self) -> None:
         """Test that verify raises an error for invalid signatures."""
+        from dulwich.signature import BadSignature
+
         vendor = GPGSignatureVendor()
         test_data = b"test data"
         invalid_signature = b"this is not a valid signature"
 
-        with self.assertRaises(gpg.errors.GPGMEError):
+        with self.assertRaises(BadSignature):
             vendor.verify(test_data, invalid_signature)
 
     def test_sign_with_keyid(self) -> None:
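Review bot: The method-local `from dulwich.signature import BadSignature` added at the top of test_verify_invalid_signature is a style point: the test refers to `GPGSignatureVendor` unqualified, so the module presumably already imports from dulwich.signature at the top, and `BadSignature` belongs in that import rather than inside the test body. The updated assertion only exercises the garbage-input path, so the new empty-signatures branch in signature.py and the existing BadSignatures path are not pinned separately; a second test with a well-formed but wrong signature, if the test suite has such a fixture, would cover both. The GPGSignatureVendorTests class continues beyond this hunk.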
