Re: tag2upload should record git tag signer info in .dsc [and 1 more messages]


On Mon 22 Jul 2019 at 07:55PM +01, Ian Jackson wrote:

> That means the original "uploader" information (ie the identity of the
> person signing the git tag) is not any more present in the source
> package.  To remedy that I propose the following new field:
>   Git-Tag-Info: FINGERPRINT Firstname Surname <email@address>
> The parsing rules are: the first word is the fingerprint entirely in
> hex.  The rest is from the tag's "tagger" line (and may not match).

AIUI a fingerprint fails to uniquely identify a PGP key unless you also
include the cryptographic algorithm that was used and the key size.  So
for example, my current key is uniquely identified by writing both 4096R
and 8DC2487E51ABDD90B5C4753F0F56D0553B6D411B.

Even though it's unlikely we'll get a clash of fingerprints within the
Debian keyring, it seems the algorithm and keysize ought to be included
alongside the fingerprint, if the above is right.

Sean Whitton
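
The parsing rules quoted above, sketched in Python as an added example; it is not part of either message and is not tag2upload code. The function names, the accepted fingerprint lengths and the keyring mapping are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# Assumption: 40 hex digits (OpenPGP v4) or 64 (v6); the proposal only says "entirely in hex".
_FPR_RE = re.compile(r"(?:[0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})\Z")
_TAGGER_RE = re.compile(r"(?P<name>.*?)\s*<(?P<email>[^<>]*)>\Z")


class GitTagInfo(NamedTuple):
    fingerprint: str        # normalised to upper case
    tagger: str             # raw remainder of the field, unverified
    name: Optional[str]     # split out of the tagger text when it has the usual shape
    email: Optional[str]


def parse_git_tag_info(value: str) -> GitTagInfo:
    """Parse 'FINGERPRINT Firstname Surname <email@address>'."""
    if "\n" in value or "\r" in value:
        raise ValueError("field value must be a single line")
    parts = value.strip().split(None, 1)
    if not parts or not _FPR_RE.match(parts[0]):
        raise ValueError("first word is not a hex fingerprint")
    tagger = parts[1] if len(parts) > 1 else ""
    m = _TAGGER_RE.match(tagger)
    name, email = (m.group("name"), m.group("email")) if m else (None, None)
    return GitTagInfo(parts[0].upper(), tagger, name, email)


def resolve_signer(info: GitTagInfo, keyring: dict):
    """Return (keyring_uid, tagger_matches).

    The tagger text "may not match", so the identity is looked up by
    fingerprint in the keyring; the tagger text is only compared against it.
    """
    uid = keyring.get(info.fingerprint)
    return uid, uid is not None and uid == info.tagger


# Constructed sample data, not a real key or a real keyring entry.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_KEYRING = {SAMPLE_FPR: "Firstname Surname <email@address>"}
```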

