Bug#964971: lintian: please consider new check: expired keys in debian/upstream/signing-key.asc
Good morning Felix,
Felix Lechner wrote on Tue, Mar 23, 2021 at 14:16:26 -0700:
> Hi Daniel,
>
> On Mon, Jul 13, 2020 at 8:27 AM Daniel Shahaf <danielsh@apache.org> wrote:
> >
> > a debian/upstream/signing-key.asc file
> > which contains an expired snapshot of upstream's signing key
>
> Did uscan give you any trouble when trying to validate upstream's
> release signature?
In zsh-syntax-highlighting's packaging I don't use uscan(1). I just
git-merge(1) the new upstream tag, and use git-archive(1) to fake
a .orig tarball.
According to comments in zsh-syntax-highlighting's debian/README.source
and debian/source/lintian-overrides, uscan(1) was avoided because
upstream produces signed tags but not signed tarballs, and no way was
identified to have uscan(1) verify them. Thus, the automation that
calls git-archive(1) also handles verification manually.
In my specific case, I don't actually need the verification at all
because I happen to be upstream's release manager and sign the tags myself
in that capacity, but the workflow doesn't depend on this.
Cheers,
Daniel
> Kind regards
> Felix Lechner
>
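To illustrate what the requested lintian check would need to detect, here is an added shell example (not lintian's code and not from anyone in this thread) that flags expired keys in a debian/upstream/signing-key.asc by reading gpg's machine-readable --with-colons output. The sample records and key IDs are constructed placeholders, and gpg's --show-keys option is assumed to be available (GnuPG 2.1 or later).

```shell
#!/bin/sh
# Added example: find expired keys in debian/upstream/signing-key.asc.
# In "gpg --with-colons" output, field 1 is the record type (pub/sub),
# field 2 the validity letter ('e' = expired), field 5 the key ID and
# field 7 the expiry time as an epoch (empty when the key never expires).

# expired_keys: read colon-format records on stdin and print
# "<type> <keyid> <expiry>" for every expired primary key or subkey.
# Exits 1 if at least one expired key was seen, 0 otherwise.
expired_keys() {
    awk -F: '
        ($1 == "pub" || $1 == "sub") && $2 == "e" {
            found = 1
            print $1, $5, $7
        }
        END { exit found ? 1 : 0 }
    '
}

# check_signing_key: parse the armored key file without touching the
# user's keyring and hand the records to expired_keys.
check_signing_key() {
    gpg --batch --no-default-keyring --with-colons --show-keys "$1" \
        | expired_keys
}

# Constructed sample shaped like real gpg output: an expired primary key
# with one expired signing subkey. Key IDs and timestamps are placeholders.
SAMPLE='pub:e:4096:1:0123456789ABCDEF:1500000000:1560000000::-:::scESC::::::23::0:
uid:e::::1500000000::PLACEHOLDERHASH::Example Upstream <upstream@example.invalid>::::::::::0:
sub:e:4096:1:FEDCBA9876543210:1500000000:1560000000:::::s::::::23:'

# Stand-alone run: check the embedded sample, or a real file if given.
if [ -n "$1" ]; then
    check_signing_key "$1"
else
    printf '%s\n' "$SAMPLE" | expired_keys
fi
```

Run it as `sh check-signing-key.sh debian/upstream/signing-key.asc`; a non-zero exit means at least one key in the file has already expired.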