
Bug#732450: debian/watch: help uscan verify PGP signature automatically



Package: src:apache2
Version: 2.4.6-3
Severity: normal
Tags: patch

uscan from devscripts 2.13.3 has the ability to check OpenPGP
signatures on new upstream releases.

It looks like Jim Jagielski is signing apache2 releases (at least
those from 2.2 onward, which are all that we care about) with his key
with fingerprint A93D 62EC C3C8 EA12 DB22 0EC9 34EA 76E6 7914 85A8.

So to get uscan to verify this automatically, you'd do:

 FINGERPRINT='A93D 62EC C3C8 EA12 DB22 0EC9 34EA 76E6 7914 85A8'
 gpg --keyserver keys.gnupg.org --recv "$FINGERPRINT"
 cd src/apache2
 gpg --export "$FINGERPRINT" > debian/upstream-signing-key.pgp

and then you'd add the pgpsigurlmangle option to debian/watch
so it looks like this:

------------------
version=3
opts=pgpsigurlmangle=s/$/.asc/ http://www.apache.org/dist/httpd/httpd-(\d\.[02468]\.\d+)\.tar\.gz
------------------

Thanks for maintaining apache2 in debian!

Regards,

        --dkg

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
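
Added example, not part of the original report: a check that the keyring exported to debian/upstream-signing-key.pgp contains exactly one primary key and that its full fingerprint is the one quoted above, plus the signature URL that the pgpsigurlmangle rule produces. The function names, the sample colon listing and the httpd-2.4.6 tarball URL are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: confirm an exported keyring pins exactly the expected key.
FINGERPRINT='A93D 62EC C3C8 EA12 DB22 0EC9 34EA 76E6 7914 85A8'  # from the report

# Strip whitespace and upper-case a human-formatted fingerprint.
normalize_fpr() { printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'; }

# Read `gpg --with-colons` output on stdin and print the fingerprint of each
# primary key: the fpr record that follows a pub record, never a sub record.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if stdin lists exactly one primary key and it is the expected
# one. A second primary key in the file makes the comparison fail.
keyring_matches() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fprs)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Apply the watch file's pgpsigurlmangle rule (s/$/.asc/) to a tarball URL.
sig_url() { printf '%s\n' "$1" | sed 's/$/.asc/'; }

# Constructed colon listing, not real gpg output. Only the primary fpr value
# is taken from the report; every other field is a placeholder.
SAMPLE='pub:-:4096:1:34EA76E6791485A8:0:::-:
fpr:::::::::A93D62ECC3C8EA12DB220EC934EA76E6791485A8:
uid:-::::0::::Constructed Upstream Signer <signer@example.org>:
sub:-:4096:1:0123456789ABCDEF:0::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

if printf '%s\n' "$SAMPLE" | keyring_matches "$FINGERPRINT"; then
    echo "keyring pins the expected primary key"
fi
sig_url 'http://www.apache.org/dist/httpd/httpd-2.4.6.tar.gz'

# Real use (assumes a GnuPG 2.x that provides --show-keys):
#   gpg --show-keys --with-colons debian/upstream-signing-key.pgp \
#       | keyring_matches "$FINGERPRINT"
```

Comparing the full fingerprint of the exported file, rather than trusting whatever the keyserver returned for the lookup, is what ties the keyring uscan will use to the key named in this report.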

