Re: Bug#833585: lintian: Check presence of upstream signature if signing key available
Hi, (This is RFH)
On Mon, Aug 21, 2017 at 09:43:13AM +0200, Kurt Roeckx wrote:
> On Mon, Aug 21, 2017 at 09:30:41AM +0200, Vincent Bernat wrote:
> > ❦ 15 juillet 2017 23:06 +0100, Chris Lamb <lamby@debian.org> :
...
> > Integration with uscan is not done either.
The stretch uscan has download and verification included. The buster
uscan is aiming to do the proper renaming to match dpkg-source
expectation.
> There is a bug against uscan to do this, I understand that it's
> been committed just not uploaded yet.
Yes. With test script run on the build time, I confirmed it is working.
(Cross my fingers)
The updated uscan should support typical upstream combinations:
1) (foo-ver.tar.gz, foo-ver.tar.gz.{pgp,gpg,sgn,sign,asc})
-> (foo_ver.tar.orig.gz, foo_ver.orig.tar.gz.asc)
2) (foo-ver.tar.gz, foo-ver.tar.{pgp,gpg,sgn,sign,asc})
-> (foo_ver.tar.orig.gz, foo_ver.orig.tar.asc)
I think the output of 1) is supported by the stretch dpkg-source but I
am not sure for the output of 2).
There is another way of signing package: non-detached signature
with gpg -s or gpg -sa. Not so popular but there were wishlist bug for
it in BTS. For such an upstream file, I wish to convert to
-> (foo_ver.tar.orig.gz, foo_ver.orig.tar.gz.asc)
I know how to get the foo_ver.tar.orig.gz but the conversion of
signature to detached format seems non-intuitive task. Your expert help
on gpg trick is most appreciated.
Regards,
Osamu
Reply to: