Re: Bug#833585: lintian: Check presence of upstream signature if signing key available

[Osamu Aoki <osamu@debian.org>]

Hi, (This is RFH)

On Mon, Aug 21, 2017 at 09:43:13AM +0200, Kurt Roeckx wrote:
> On Mon, Aug 21, 2017 at 09:30:41AM +0200, Vincent Bernat wrote:
> >  ❦ 15 juillet 2017 23:06 +0100, Chris Lamb <lamby@debian.org> :
...
> > Integration with uscan is not done either.

The stretch uscan has download and verification included.  The buster
uscan is aiming to do the proper renaming to match dpkg-source
expectation.

> There is a bug against uscan to do this, I understand that it's
> been committed just not uploaded yet.

Yes.  With test script run on the build time, I confirmed it is working.
(Cross my fingers)

The updated uscan should support typical upstream combinations:
 1) (foo-ver.tar.gz, foo-ver.tar.gz.{pgp,gpg,sgn,sign,asc})
    -> (foo_ver.tar.orig.gz, foo_ver.orig.tar.gz.asc)
 2) (foo-ver.tar.gz, foo-ver.tar.{pgp,gpg,sgn,sign,asc})
    -> (foo_ver.tar.orig.gz, foo_ver.orig.tar.asc)

I think the output of 1) is supported by the stretch dpkg-source but I
am not sure for the output of 2).

There is another way of signing package: non-detached signature
with gpg -s or gpg -sa.  Not so popular but there were wishlist bug for
it in BTS.  For such an upstream file, I wish to convert to 
    -> (foo_ver.tar.orig.gz, foo_ver.orig.tar.gz.asc)
I know how to get the foo_ver.tar.orig.gz but the conversion of
signature to detached format seems non-intuitive task.  Your expert help
on gpg trick is most appreciated.

Regards,

Osamu