On 03/24/2014 07:51 PM, Russ Allbery wrote: > I'm curious -- why do we have two different supported paths? At least in > my experience the ASCII-armored key is much easier to deal with, since you > don't have to configure dpkg to allow binary files in the debian > directory. I'm not sure that I see any drawback to just saying to always > use the *.asc form. we actually have three supported paths at the moment: debian/upstream-signing-key.pgp debian/upstream/signing-key.pgp debian/upstream/signing-key.asc the first was my first implementation of this mechanism. the binary form is easiest to use directly with gpgv, which was the only additional dependency. Later, James McCoy moved the file to debian/upstream/ (which i didn't know existed when i made the original implementation) and added code to support the *.asc version. the *.asc version can only be checked if gnupg is available, apparently (though it should be easy enough to just use perl's MIME::Base64 to convert if we wanted to drop the gnupg dependency and just leave it depending on gpgv) I'd be happy to see us settle on one single location, and if folks think that the .asc version is the better option, updating lintian to nag about the other ones until they go away seems doable before we freeze for jessie. I'll even file patches or do NMUs for packages that need them if a lintian tag appears. Thinking further, I wonder if we should also encourage packagers to store the detached signature itself in the packaging directly (e.g. maybe in debian/upstream/signature.asc), so that the upstream tarball can be re-verified against the signing key even if the upstream archive goes offline; maybe that's a separate issue. > Another comment based on my personal experience with this is that, if the > packager is generating this key by exporting a key from a keyring (for > example, for the packages for which I'm also upstream, I'm exporting my > own key), they should do so with --export-options export-minimal. It > makes the file *much* smaller, and I don't think there's any need to > include all of the key signatures. The mere presence of this key in the > (signed) Debian source package already indicates the trust relationship > that's relevant for this purpose, and the end user can always retrieve > additional key signatures from a public keyserver if they really want > them. Yes, i do the same thing, and I agree with your security analysis of the reasons for having (or not having) any OpenPGP certifications on the upstream signing key(s) beyond the self-sigs. That said, if a debian packager wants to include extra OpenPGP certifications of moderate length, i don't think we should forbid them from doing so (i can imagine a packager wanting to include their own certification if they have made one, for example). > I use: > > gpg --export --armor --export-options export-minimal <key> \ > > debian/upstream/signing-key.asc i think that's good advice, though i don't know whether it belongs in debian-policy or developers-reference. --dkg
Attachment:
signature.asc
Description: OpenPGP digital signature