Manuel Guerra and I am in the process of taking over the libsecp256k1 package. https://tracker.debian.org/pkg/libsecp256k1 Upstream signs their git tags, which can be used to verify the integrity of new releases. https://github.com/bitcoin-core/secp256k1?tab=readme-ov-file#obtaining-and-verifying I have never maintained a package where upstream did this. I would like to be able to automate the checking of these upstream tags the way “gbp import-orig --uscan” automates the checking of signed tarballs using debian/upstream/ signing-key.asc. I believe I remember reading that this functionality is now available in Debian. Can anyone point me to a package that is currently doing so? -- Soren Stoutner soren@debian.org
Attachment:
signature.asc
Description: This is a digitally signed message part.