Re: checking upstream signed release
* Lorenzo <plorenzo@disroot.org> [2024-10-16 11:19]:
> Hello mentors,
> upstream signed last release [1], and if I download the text and save
> it as upstream.pgp.asc I can do
> [...]
> I did a little search and it looks like, in order to automatically
> verify upstream tarball, a file like [2] (?) is needed:
> is there a way I can extract that info from upstream public key or do I
> have to ask upstream to provide that info (I don't see it anywhere)?
Hello Lorenzo,
You can extract the key after checking it’s correct; you can find some
help here:
https://www.debian.org/doc/manuals/debmake-doc/ch06.en.html#signing-key
Also, the exported key should be a minimal key, you may need to add
"--export-options export-minimal" when exporting the key. I think there
is a lintian check for this.
Nicolas.
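The steps described above (check the key, then export it in minimal form), as an added example that is not part of the original thread. The function name and its arguments are hypothetical, the expected fingerprint is assumed to come from upstream through a separate channel, and `debian/upstream/signing-key.asc` is the path uscan reads.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical helper:
#   export_minimal_key KEYFILE EXPECTED_FPR [OUTFILE]
# Returns 0 on success, 1 on fingerprint mismatch, 2 on usage/import errors.
export_minimal_key() {
    keyfile=$1
    # Fingerprint obtained out-of-band; normalise spacing and case.
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    out=${3:-debian/upstream/signing-key.asc}
    [ -r "$keyfile" ] && [ -n "$want" ] || {
        echo "usage: export_minimal_key KEYFILE EXPECTED_FPR [OUTFILE]" >&2
        return 2
    }

    # Throwaway keyring, so the check never touches the maintainer's own one.
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null ||
        { rm -rf "$home"; return 2; }

    # Primary-key fingerprints: the fpr record that follows each pub record.
    found=$(gpg --homedir "$home" --batch --with-colons --fingerprint 2>/dev/null |
        awk -F: '$1 == "pub" { p = 1; next } $1 == "fpr" && p { print $10; p = 0 }')

    # Refuse to export anything unless the expected key is really in the file.
    if ! printf '%s\n' "$found" | grep -qxF "$want"; then
        echo "fingerprint mismatch: expected $want, file has: $found" >&2
        rm -rf "$home"
        return 1
    fi

    # Export only the verified key, stripped of third-party signatures.
    mkdir -p "$(dirname "$out")"
    rc=0
    gpg --homedir "$home" --batch --armor --export-options export-minimal \
        --export "$want" > "$out" || rc=$?
    rm -rf "$home"
    return $rc
}
```

Call it from the top of the source package, for example `export_minimal_key upstream.pgp.asc "<fingerprint from upstream>"`.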