
Re: Example package that verifies signed upstream git tags



Hi Soren,

On Wed, Aug 13, 2025 at 07:25:37AM -0700, Soren Stoutner wrote:
> Manuel Guerra and I are in the process of taking over the libsecp256k1 package.
> 
> https://tracker.debian.org/pkg/libsecp256k1
> 
> Upstream signs their git tags, which can be used to verify the integrity of 
> new releases.
> 
> https://github.com/bitcoin-core/secp256k1?tab=readme-ov-file#obtaining-and-verifying
> 
> I have never maintained a package where upstream did this.  I would like to be 
> able to automate the checking of these upstream tags the way “gbp import-orig 
> --uscan” automates the checking of signed tarballs using debian/upstream/
> signing-key.asc.  I believe I remember reading that this functionality is now 
> available in Debian.  Can anyone point me to a package that is currently doing 
> so?

I just tried this on one of my packages, successfully with both
  uscan
and
  gbp import-orig --uscan

using this watch file:

  version=4
  opts="mode=git,pgpmode=gittag" \
   https://gitlab.com/abower/sysv-rc-conf.git/ refs/tags/v([\d\.]+)

https://salsa.debian.org/debian/sysv-rc-conf/-/blob/debian/latest/debian/watch

I don't actually use either workflow though because one of the benefits
of signed tags as a release artefact is that the import process simplifies
to 'git merge' instead of the tarball unpackaging, which I still find
dodgily opaque.

However, I would be interested in understanding more about if/how Debian
can handle signed upstream tags elsewhere - there doesn't seem to be
any way of checking it after maintainer import.

I'd be interested to hear what else you discover in this process!

Andrew
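Since nothing in the workflow above re-checks the tag once the maintainer has imported it, here is a stand-alone check that a maintainer can run at any time against a cloned upstream repository. This is an added example written for this thread; it is not code from uscan, gbp or the secp256k1 project. It verifies the tag with only the keys pinned in debian/upstream/signing-key.asc, inside a throwaway GNUPGHOME so the maintainer's own keyring and trust settings cannot influence the result, and it decides on the full fingerprint from gpg's VALIDSIG line rather than the 64-bit key ID in GOODSIG. run_git_verify_tag() assumes git and gpg are on PATH; the fingerprint, keyring listing and status lines in the samples are constructed for the example.

```python
"""Re-check a signed upstream git tag against the keys pinned in
debian/upstream/signing-key.asc, independently of uscan/gbp.
Added example, not code from uscan, gbp or upstream."""
import os
import subprocess
import tempfile
from dataclasses import dataclass

GNUPG_PREFIX = "[GNUPG:] "
# Any of these on the signature means reject, whatever else gpg reports.
FATAL_STATUS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG",
                "NODATA", "NO_PUBKEY"}


def norm_fpr(fpr):
    return fpr.replace(" ", "").upper()


@dataclass
class TagVerdict:
    ok: bool
    reason: str
    fingerprint: str = ""   # primary fingerprint of the accepted signing key


def parse_gpg_status(status_text, pinned_fingerprints):
    """Evaluate the raw status output of 'git verify-tag --raw' (the same
    [GNUPG:] lines 'gpg --status-fd' emits).  GOODSIG only carries a key ID,
    so the decision rests on VALIDSIG's primary-key fingerprint."""
    pinned = {norm_fpr(f) for f in pinned_fingerprints}
    valid_fprs, fatal = [], set()
    for raw in status_text.splitlines():
        if not raw.startswith(GNUPG_PREFIX):
            continue                      # git's own diagnostics, ignore
        fields = raw[len(GNUPG_PREFIX):].split()
        if not fields:
            continue
        if fields[0] in FATAL_STATUS:
            fatal.add(fields[0])
        elif fields[0] == "VALIDSIG" and len(fields) >= 2:
            # field 1 = signing (sub)key fpr, optional field 10 = primary fpr
            valid_fprs.append(norm_fpr(fields[10] if len(fields) > 10 else fields[1]))
    if fatal:
        return TagVerdict(False, "gpg reported " + ", ".join(sorted(fatal)))
    if not valid_fprs:
        return TagVerdict(False, "no valid signature found")
    for fpr in valid_fprs:
        if fpr in pinned:
            return TagVerdict(True, "signature by pinned upstream key", fpr)
    return TagVerdict(False, "signed by unpinned key(s): " + ", ".join(valid_fprs))


def primary_fingerprints(colons_text):
    """Primary-key fingerprints from 'gpg --with-colons --list-keys': the
    'fpr' record directly after a 'pub' record, fingerprint in field 10."""
    fprs, prev = [], ""
    for line in colons_text.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and prev == "pub" and len(fields) > 9:
            fprs.append(norm_fpr(fields[9]))
        prev = fields[0]
    return fprs


def run_git_verify_tag(repo_dir, tag, keyring_path):
    """Verify TAG in REPO_DIR using only the keys in KEYRING_PATH, e.g.
    debian/upstream/signing-key.asc, inside a temporary GNUPGHOME."""
    with tempfile.TemporaryDirectory() as home:   # created mode 0700
        env = dict(os.environ, GNUPGHOME=home)
        subprocess.run(["gpg", "--batch", "--quiet", "--import", keyring_path],
                       env=env, check=True, capture_output=True)
        listing = subprocess.run(["gpg", "--batch", "--with-colons", "--list-keys"],
                                 env=env, check=True, capture_output=True, text=True).stdout
        proc = subprocess.run(["git", "-C", repo_dir, "verify-tag", "--raw", tag],
                              env=env, capture_output=True, text=True)
        return parse_gpg_status(proc.stderr, primary_fingerprints(listing))


# Constructed sample data (fingerprints and status lines invented for this example).
SAMPLE_KEYRING_LISTING = """\
pub:-:255:22:B5C6D7E8F9A0B1C2:1700000000:::-:::scESC::::::23::0:
fpr:::::::::4F0A1C2B3D4E5F60718293A4B5C6D7E8F9A0B1C2:
uid:-::::1700000000::0000000000000000000000000000000000000000::Example Upstream <upstream@example.org>::::::::::0:
sub:-:255:18:0123456789ABCDEF:1700000000::::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
"""
SAMPLE_GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B5C6D7E8F9A0B1C2 Example Upstream <upstream@example.org>
[GNUPG:] VALIDSIG 4F0A1C2B3D4E5F60718293A4B5C6D7E8F9A0B1C2 2025-08-01 1754000000 0 4 0 22 8 00 4F0A1C2B3D4E5F60718293A4B5C6D7E8F9A0B1C2
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same tag signed by a key that is not in the pinned keyring, and by an expired key.
SAMPLE_WRONG_KEY_STATUS = (SAMPLE_GOOD_STATUS
                           .replace("4F0A1C2B3D4E5F60718293A4B5C6D7E8F9A0B1C2", "DEADBEEF" * 5)
                           .replace("B5C6D7E8F9A0B1C2", "DEADBEEFDEADBEEF"))
SAMPLE_EXPIRED_STATUS = SAMPLE_GOOD_STATUS.replace("GOODSIG", "EXPKEYSIG")


def demo():
    pinned = primary_fingerprints(SAMPLE_KEYRING_LISTING)
    return {"good": parse_gpg_status(SAMPLE_GOOD_STATUS, pinned).ok,
            "wrong_key": parse_gpg_status(SAMPLE_WRONG_KEY_STATUS, pinned).ok,
            "expired_key": parse_gpg_status(SAMPLE_EXPIRED_STATUS, pinned).ok}


if __name__ == "__main__":
    print(demo())   # {'good': True, 'wrong_key': False, 'expired_key': False}
```

TRUST_UNDEFINED in the sample is what a throwaway keyring will always report; the check deliberately ignores the web of trust and relies on the pinned fingerprints instead, which is also why a matching key ID in GOODSIG is not enough on its own.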

