Control: tag -1 moreinfo
On Sat, Feb 25, 2017 at 01:04:54PM +0000, Martin-Éric Racine wrote:
> It appears that debian-watch-may-check-gpg-signature generates false positives.
>
> On src:cups-pdf Lintian reports debian-watch-may-check-gpg-signature
> yet upstream does not publish any GPG signature. However, upstream
> does publish foo.tar.gz.md5 checksums.
lintian has no knowledge, nor any way to know, whether a given upstream
publishes gpg signatures…
> By the looks of it, debian-watch-may-check-gpg-signature checks for
> the presence of foo.tar.gz.* and reports a positive regardless of
> whether * indeed is a GPG signature or not.
How do you infer that? I find the relevant code pretty clear:
| $withgpgverification = 1
| if /^pgpsigurlmangle\s*=\s*/;
| $withgpgverification = 1
| if /^pgpmode\s*=\s*(?!none\s*$)\S.*$/;
|....
| tag 'debian-watch-may-check-gpg-signature' unless ($withgpgverification);
the problem is that your watch file does not check for a gpg signature,
exactly as the tag says. And as the tag description says:
N: If upstream distributions provide such signatures, please use the
N: pgpsigurlmangle options in this watch file's opts= to generate the URL
N: of an upstream GPG signature. This signature is automatically
N: downloaded and verified against a keyring stored in
N: debian/upstream/signing-key.asc.
(instead of pgpsigurlmangle you can use pgpmode=auto if uscan is clever
enough for this case)
Does this solve your issue?
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
more about me: https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
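The check discussed in this reply, reimplemented in Python as an added example (this is not lintian's own code, which is the Perl quoted above): the two regexes are the ones from the snippet, while the opts= parsing and the three constructed watch files are my own assumptions, and show a watch file with no signature option, one with pgpmode=none, and one corrected with pgpsigurlmangle.

```python
import re

# Regexes as in the quoted lintian snippet: an option counts as enabling
# signature verification if it is pgpsigurlmangle=..., or pgpmode=<not none>.
PGPSIGURLMANGLE_RE = re.compile(r'^pgpsigurlmangle\s*=\s*')
PGPMODE_RE = re.compile(r'^pgpmode\s*=\s*(?!none\s*$)\S.*$')

TAG = 'debian-watch-may-check-gpg-signature'


def watch_options(watch_text):
    """Return the opts= options of a debian/watch file (assumed parsing).

    Backslash-continued lines are joined first; the opts= value may be
    double-quoted and is split on commas (assumes no comma inside a mangle).
    """
    joined = re.sub(r'\\\n\s*', ' ', watch_text)
    options = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'opts=("([^"]*)"|(\S+))', line)
        if not m:
            continue
        value = m.group(2) if m.group(2) is not None else m.group(3)
        options.extend(o.strip() for o in value.split(',') if o.strip())
    return options


def checks_gpg_signature(watch_text):
    """True if any option turns on upstream signature verification."""
    return any(PGPSIGURLMANGLE_RE.search(o) or PGPMODE_RE.search(o)
               for o in watch_options(watch_text))


def watch_tags(watch_text):
    """Emit the tag exactly as lintian does: unless verification is on."""
    return [] if checks_gpg_signature(watch_text) else [TAG]


# Constructed sample watch files (not from the bug report).
WATCH_NO_SIG = '''version=4
https://example.org/releases/foo-(\\d\\S*)\\.tar\\.gz
'''
WATCH_PGPMODE_NONE = '''version=4
opts="pgpmode=none" https://example.org/releases/foo-(\\d\\S*)\\.tar\\.gz
'''
WATCH_SIG = '''version=4
opts="pgpsigurlmangle=s/$/.asc/" \\
  https://example.org/releases/foo-(\\d\\S*)\\.tar\\.gz
'''
```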