
Re: Upstream Tarball Signature Files



Dear All,

On Tue, Aug 15, 2017 at 7:25 AM, Osamu Aoki <osamu@debian.org> wrote:
>
> Hi,
>
> On Mon, Aug 14, 2017 at 10:13:10AM -0700, Russ Allbery wrote:
> > Henrique de Moraes Holschuh <hmh@debian.org> writes:
> >
> > > May I humbly suggest that, *if* a change is going to be made, we switch
> > > to ".sig" (binary) and ".sig.asc" (armored), or .sig.gpg / sig.gpg.asc?
> > > As in "let's not overload .asc to mean armored signature, when it only
> > > means ASCII text"...
> >
> > [Russ Allbery] Note that I'm arguing for no change, just documenting the existing support
> > for *.asc upstream signatures.  This will imply that anyone who wants to
> > include an upstream signature that's provided in *.sig format will need to
> > convert it to *.asc, but that's not a *change*.  That's the current state
> > of the archive.
>
> Very good points.  I changed my mind a bit.
>
> Basically, it's better to have uniform rules for format so all associated
> tools become simple.  Tools like uscan may accept any signature format,
> but the tools at the level of dpkg and archive maintenance tools should
> be simple.
>
> I like to use *.asc as signature file.  (Uscan may convert)
>
> Also, maybe policy should just mandate debian/upstream/signing-key.asc for
> the key ring.
>
> Osamu

I have put together "sig2asc" and "asc2sig" shell scripts.  Each
script takes two arguments: input signature file name and output
signature file name.  If an input file is the desired output format,
it is copied to the output file; otherwise it is converted.  I do a
grep for "BEGIN PGP SIGNATURE" to determine if the file is in ASCII
format.  Round-trip conversions work with the two scripts.  (Guillem,
I put your name and my name as authors and gave them a GPL 2+
license.)

I think uscan will be able to invoke these scripts easily; it just
needs to come up with the output file name that it wants.  A
command-line script will also let people like me who *are* upstream
(and therefore do not use uscan to download the upstream version)
make such conversions.

If either dpkg-dev or devscripts package maintainers will accept these
scripts, I will write man pages and forward them to the respective
package maintainers.  If you will accept them and want the names
changed, I can do that before sending them.  I am going on travel
after tomorrow, returning the middle of next week.  If I hear back and
don't get the man pages written before I leave, I will do so right
after I return.

With this being a long-term (as in forever) solution, I do think
".sig" would be a nicer extension to use if everybody only wants a
single extension (because ".sig" means "signature"), where a ".sig"
file would be allowed to contain the signature in the exact form of
upstream: binary or ASCII.  gpg doesn't care which format it is given;
it will figure out the right thing to do regardless.  But that would
involve a transition.  If everyone else wants ".asc" as the extension,
so be it.

At least having one standard script in Debian for everyone who must
convert upstream binary signature files to ASCII will avoid all those
maintainers having to come up with individual solutions.

Thank you,


Paul Hardy
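The following is an added, stand-alone illustration of the two conversions the message describes (binary .sig to ASCII-armored .asc and back, copying through when the input is already in the requested form). It is not Paul's sig2asc/asc2sig scripts and does not call gpg; it reimplements the Radix-64 armor and CRC-24 of RFC 4880 section 6 directly so it runs offline. The function names, the CLI shape and the SAMPLE_SIG bytes are assumptions made for this example: SAMPLE_SIG is a constructed stand-in shaped like a signature packet, not a real OpenPGP signature.

```python
"""Convert an OpenPGP detached signature between binary (.sig) and
ASCII-armored (.asc) form, per RFC 4880 section 6 (Radix-64 + CRC-24).
Example code, not the sig2asc/asc2sig scripts from the mailing list."""
import base64
import re
import sys

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# Constructed stand-in for a binary signature: 0x89 = old-format packet
# header, tag 2 (signature), 2-byte length 0x0133 = 307 octets of body.
SAMPLE_SIG = bytes([0x89, 0x01, 0x33]) + bytes(range(256)) + bytes(51)

_ARMOR_HEADER = re.compile(rb"^-----BEGIN PGP ([A-Z ]+)-----\s*$", re.M)


def crc24(data: bytes) -> int:
    """CRC-24 exactly as specified in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def is_armored(data: bytes) -> bool:
    """Detect ASCII armor by its header line. Accepts any armor type, so a
    'PGP ARMORED FILE' block (what 'gpg --enarmor' emits) or a 'PGP MESSAGE'
    is also recognised, not only 'PGP SIGNATURE'."""
    return _ARMOR_HEADER.search(data) is not None


def sig2asc(sig: bytes) -> bytes:
    """Binary signature -> armored text. Armored input is returned as-is."""
    if is_armored(sig):
        return sig
    body = base64.b64encode(sig)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = b"=" + base64.b64encode(crc24(sig).to_bytes(3, "big"))
    return b"\n".join([b"-----BEGIN PGP SIGNATURE-----", b""] + lines
                      + [crc_line, b"-----END PGP SIGNATURE-----", b""])


def asc2sig(asc: bytes) -> bytes:
    """Armored text -> binary signature. Binary input is returned as-is.
    The CRC-24 trailer, when present, is checked so a corrupted or
    truncated .asc fails here instead of as an opaque gpg verify error."""
    if not is_armored(asc):
        return asc
    lines = asc.decode("latin-1").splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP "))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP "))
    i = start + 1
    # Skip armor headers ("Version: ...", "Comment: ...") and the blank
    # separator; Radix-64 never contains ':' so this cannot eat data lines.
    while i < end and (":" in lines[i] or not lines[i].strip()):
        i += 1
    body = [l.strip() for l in lines[i:end] if l.strip()]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if expected != crc24(data):
            raise ValueError("armor CRC-24 mismatch: signature file corrupted")
    return data


def convert_file(mode: str, src: str, dst: str) -> None:
    """Mirror the two-argument scripts: sigconv.py {sig2asc|asc2sig} IN OUT."""
    func = {"sig2asc": sig2asc, "asc2sig": asc2sig}[mode]
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(func(data))


if __name__ == "__main__":
    if len(sys.argv) == 4:
        convert_file(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        # Self-check on the constructed sample: binary -> armor -> binary.
        armored = sig2asc(SAMPLE_SIG)
        sys.stdout.write(armored.decode("ascii"))
        print("round trip ok:", asc2sig(armored) == SAMPLE_SIG)
```

Two design points worth noting: detection keys on any "-----BEGIN PGP ...-----" header rather than the literal "SIGNATURE" type, because gpg's own `--enarmor` labels its output "PGP ARMORED FILE", and the CRC-24 trailer is verified on the way back to binary so damage to the .asc is caught at conversion time rather than surfacing later as a bare gpg verification failure.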

