On 2023-09-22 07:29, Boyuan Yang wrote: > > You claimed that you are trying to validate upstream signatures, yet your .dsc file as presented > on mentors.debian.net does not include tarball signature at all. Lintian is also complaining > orig-tarball-missing-upstream-signature inkscape-textext_1.9.0.orig.tar.xz. Do you want to try > to fix this problem, or let us upload the current version as-is first? > > Thanks, > Boyuan Yang Hello, Thanks for looking at this! Upstream does not release signed tarballs as far as I can tell. They sign git tags. I am using pgpmode=git for uscan. Is this the correct way to handle this? I have confirmed that uscan fails if I change upstream/signing-key.asc to another key : > gpgv: Signature made Wed Jul 26 03:24:55 2023 MDT > gpgv: using RSA key 32746E27876C1E5418BBBF7F7A9964831E98EED5 > gpgv: Can't check signature: No public key > uscan die: OpenPGP signature did not verify. at /usr/share/perl5/Devscripts/Uscan/Output.pm line 77. I assume that means it is actually verifying the signature. Should I add a lintian override to capture this situation? Best, Antonio Russo
Attachment:
OpenPGP_0xB01C53D5DED4A4EE.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature