On Fri, Sep 15, 2017 at 11:44:02PM +0200, Thomas Schmitt wrote:
> > > - How to bring the original tarball's .sig file into the packaging ?
>
> > Convert it to .asc
>
> I could try to squeeze something out of
> https://lists.gnupg.org/pipermail/gnupg-users/2011-November/043252.html
> or
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832267

The bug report contains a recipe, using gpg --enarmor

> but will probably generate such an .asc file from original data as soon
> as I found out how it relates to the .asc payload wrapper which I generate
> by gpg --clearsign.

The only difference between .sig and .asc is that .asc is ASCII-armored.

> > and read dpkg-source(1).
>
> I try hard. But what does it mean when it says
> "tarball can be accompanied by a detached upstream signature"
> ?

I think I've already answered that. You need to put it in the same directory.

> > > Can it [my key] be too old for the new gpg binary ?
>
> > Have you read https://www.gnupg.org/faq/whats-new-in-2.1.html#nosecring
>
> Yes. But it does not explain how the dist-upgrade of last year left
> gpg in the state which after another dist-upgrade makes it inoperational.

Most likely because the old dist-upgrade doesn't have anything to do with that. And the recent dist-upgrade changed your /usr/bin/gpg to v.2.

> Something must have confused apt-get (or a layer underneath).

Of course not. apt doesn't touch user files.

> > Check /usr/bin/gpg2 or whatever it was called in the old gnupg2 package?
> There is one and it does not see keys.

You asked where did you get a v.2 GnuPG. Here is the answer. I didn't expect it to see the keys.

> > please fix your workflow ASAP.
>
> I am thankful for your advice. But your instructions are far too short.

Use sbuild or pbuilder.

> It is not easy to navigate between contradicting DD styles and tool chains.
> And then there is https://www.debian.org/doc/manuals/maint-guide/ ...

https://www.debian.org/doc/manuals/maint-guide/build.en.html#pbuilder

> I don't strive for becoming a Debian Maintainer.

That doesn't matter. You are making packages for Debian. You need to do that correctly.

> Isn't any tool in the box which can make a Debian package out of a vanilla
> autotools based tarball ?

./configure && make && make install
Yes, but the result is not suitable for inclusion in Debian.

> GUIX can, Arch can, Fedora can.

I guess it's the same here.

-- 
WBR, wRAR
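
The point made in the reply above, that a .asc file is the same signature bytes as the .sig file in ASCII armor, shown as an added Python example (not from the original message or from GnuPG). It implements the armor format of RFC 4880 section 6; the function names and the sample bytes are constructed for illustration, and the CRC-24 line is assumed to be present.

```python
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # constants from RFC 4880, section 6.1

def crc24(data: bytes) -> int:
    """CRC-24 checksum that OpenPGP armor appends after the base64 body."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(binary: bytes, block_type: str = "PGP SIGNATURE") -> str:
    """Wrap binary OpenPGP data (the .sig content) in ASCII armor (.asc)."""
    b64 = base64.b64encode(binary).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    check = base64.b64encode(crc24(binary).to_bytes(3, "big")).decode("ascii")
    # Only block_type varies between armor kinds; `gpg --enarmor` labels its
    # output "PGP ARMORED FILE", while a detached signature uses "PGP SIGNATURE".
    return (f"-----BEGIN {block_type}-----\n\n{body}\n={check}\n"
            f"-----END {block_type}-----\n")

def dearmor(text: str) -> bytes:
    """Recover the binary data, rejecting armor whose CRC-24 does not match."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 2 or not (lines[0].startswith("-----BEGIN ")
                              and lines[-1].startswith("-----END ")):
        raise ValueError("not an armored block")
    payload = lines[lines.index("") + 1:-1]  # blank line ends the armor headers
    if not payload or not payload[-1].startswith("="):
        raise ValueError("missing CRC-24 line")  # assumption: checksum required
    data = base64.b64decode("".join(payload[:-1]), validate=True)
    if base64.b64decode(payload[-1][1:]) != crc24(data).to_bytes(3, "big"):
        raise ValueError("CRC-24 mismatch: armor is corrupted")
    return data

# Constructed sample bytes standing in for a .sig file; not a real signature.
SAMPLE_SIG = b"\x89\x01\x33" + bytes(range(97))

if __name__ == "__main__":
    asc = armor(SAMPLE_SIG)
    print(asc)
    print("round trip ok:", dearmor(asc) == SAMPLE_SIG)
```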