[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#732450: debian/watch: help uscan verify PGP signature automatically

Package: src:apache2
Version: 2.4.6-3
Severity: normal
Tags: patch

uscan from devscripts 2.13.3 has the ability to check OpenPGP
signatures on new upstream releases.

It looks like Jim Jagielski is signing apache2 releases (at least
those from 2.2 onward, which are all that we care about) with his key
with fingerprint A93D 62EC C3C8 EA12 DB22 0EC9 34EA 76E6 7914 85A8.

So to get uscan to verify this automatically, you'd do:

 FINGERPRINT='A93D 62EC C3C8 EA12 DB22 0EC9 34EA 76E6 7914 85A8'
 gpg --keyserver keys.gnupg.org --recv "$FINGERPRINT"
 cd src/apache2
 gpg --export "$FINGERPRINT" > debian/upstream-signing-key.pgp

and then you'd modify add the pgpsigurlmangle option to debian/watch
so it looks like this:

opts=pgpsigurlmangle=s/$/.asc/ http://www.apache.org/dist/httpd/httpd-(\d\.[02468]\.\d+)\.tar\.gz

Thanks for maintaining apache2 in debian!



-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Reply to: