Bug#846399: RFS: rush/1.8+dfsg-1 -- New upstream's release.
Hi,
>There is no problem to fetch the key. The problem is to use it. My present
>use case is this
>
> gpgv --homedir debian/upstream --keyring debian/upstream/signing-key.pgp \
> archive.sig archive
>
>You are requesting me to use 'debian/upstream/signing-key.asc', an armoured key
>which gpgv is not able to handle to my knowledge. Observe that upstream's source
>archive must be repackaged to fulfill DFSG, so the above use of gpgv is located
>in the target 'get-orig-source' for verification of the original archive
>before proceeding to eliminate the texinfo source, which violates DFSG.
gpg --verify rush-1.8.tar.xz.sig
gpg: assuming signed data in `rush-1.8.tar.xz'
gpg: Signature made sab 01 ott 2016 10:04:02 CEST using DSA key ID 55D0C732
gpg: Good signature from "Sergey Poznyakoff <gray@gnu.org>"
gpg: aka "Sergey Poznyakoff <gray@gnu.org.ua>"
gpg: aka "Sergey Poznyakoff (Gray) <gray@mirddin.farlep.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 325F 650C 4C2B 6AD5 8807 327A 3602 B07F 55D0 C732
Why can't this work?
You wget the key, and gpg --verify it.
That upstream/ is something that should be handled by uscan, not by you.
Anyway, there should be a clean and easy way to avoid that stuff entirely.
I suggest you try harder with the documentation I gave you.
"opts=pgpsigurlmangle=s/$/.asc/" should do the trick.
Also, you are just removing some files from the tarball?
Then the Files-Excluded copyright keyword can do it for you.
https://wiki.debian.org/UscanEnhancements
Can this fit your needs?
G.