Debian package signature verification fails

[ian-m-carr]

I am trying to follow the instructions for verifying the signature of the debian install package.

I have the signature .gpg and policy file set up (Seem to be correct!)

When I run the signature verification on any of the packages since 2.4.0 and up to 2.5.0

> debsig-verify -v gcm-linux_amd64.2.4.0.deb
I get:

debsig: Starting verification for: gcm-linux_amd64.2.4.0.deb
debsig: Using policy directory: /etc/debsig/policies/3C853823978B07FA
debsig:   Parsing policy file: /etc/debsig/policies/3C853823978B07FA/generic.pol
debsig:     Checking Selection group(s).
debsig:       Processing 'origin' key...
debsig:     Selection group(s) passed, policy is usable.
debsig: Using policy file: /etc/debsig/policies/3C853823978B07FA/generic.pol
debsig:     Checking Verification group(s).
debsig:       Processing 'origin' key...
debsig:     Verification group failed checks.
debsig: Failed verification for gcm-linux_amd64.2.4.0.deb.

If I try an earlier say 2.3.2 the key appears to have changed:

debsig-verify -v gcm-linux_amd64.2.3.2.deb 
debsig: Starting verification for: gcm-linux_amd64.2.3.2.deb
debsig: Could not find Origin directory for EB3E94ADBE1229CF

Any ideas? Is the signature bad? the download corrupt? or something else?

Installed on Debian - Bookworm (12)