
debian/upstream/signing-key.asc in policy 4.1.0


After all the discussion, Policy 4.1.0 goes as:

| 4.11. Optional upstream source location: debian/watch
| This is an optional, recommended configuration file for the uscan
| utility which defines how to automatically scan ftp or http sites for
| newly available updates of the package. This is also used by some Debian
| QA tools to help with quality control and maintenance of the
| distribution as a whole.
| If the upstream maintainer of the software provides OpenPGP signatures
| for new releases, including the information required for uscan to verify
| signatures for new upstream releases is also recommended. To do this,
| use the pgpsigurlmangle option in debian/watch to specify the location
| of the upstream signature, and include the key or keys used to sign
| upstream releases in the Debian source package as
| debian/upstream/signing-key.asc.
| For more information about uscan and these options, including how to
| generate the file containing upstream signing keys, see uscan.

Please note a few things which I failed to share:

The current uscan supports both 

Now, if debian/upstream/signing-key.asc is used, uscan converts it to
<tmpdir>/signing-key.gpg with gpg for use with gpgv to check the
signature.  (I think the same goes for dpkg-source.)  It looks like an
extra waste of CPU power, but it is not a big deal. I do this conversion
since no documentation mentions that a keyring can be ASCII-armored for gpgv.

The updated uscan will support debian/upstream/signing-key.asc only and
internally convert it to <tmpdir>/signing-key.gpg.  I will make uscan
convert other formats to this policy-compliant *.asc.  Also make noise
to the maintainer to push them to policy 4.1.0.
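
The .asc to .gpg conversion mentioned in the message above, shown as an added example that is not part of the original post and is not uscan's code (which, per the message, calls gpg): it decodes OpenPGP ASCII armor as defined in RFC 4880, checking the CRC-24 of each block and concatenating the binary packets of every block in the file. `enarmor` exists only to build sample input, and `SAMPLE_A` is constructed placeholder bytes, not a real key.

```python
import base64

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def enarmor(binary: bytes) -> str:
    """Build an armored block; used here only to construct sample input."""
    b64 = base64.b64encode(binary).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    check = base64.b64encode(crc24(binary).to_bytes(3, "big")).decode()
    return f"{BEGIN}\n\n{body}\n={check}\n{END}\n"

def dearmor(text: str) -> bytes:
    """Return the binary packets of every armored block in text."""
    out, state, b64, check = b"", "outside", [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if state == "outside":
            if line == BEGIN:
                state, b64, check = "headers", [], None
        elif state == "headers":
            if line == "":          # blank line ends the armor headers
                state = "body"
        elif line == END:
            data = base64.b64decode("".join(b64), validate=True)
            if check is not None and crc24(data) != check:
                raise ValueError("armor CRC-24 mismatch")
            out += data
            state = "outside"
        elif line.startswith("="):  # "=" + base64 of the 3-byte checksum
            check = int.from_bytes(base64.b64decode(line[1:]), "big")
        else:
            b64.append(line)
    if state != "outside":
        raise ValueError("unterminated armor block")
    return out

# Constructed placeholder bytes standing in for key packets (not a real key).
SAMPLE_A = bytes(range(100))
```

A key file that fails the CRC check or is cut off before its END line raises `ValueError` instead of yielding a partial keyring.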


