On Fri, Aug 18, 2017 at 07:48:24AM -0400, Daniel Kahn Gillmor wrote:
> I confess that i've been taking the boring/silly/cheating way out and if
> upstream ships a detached binary signature as foo-1.2.3.tar.gz.sig, i've
> just been manually renaming it to foo_1.2.3.orig.tar.gz.asc (without
> even converting its contents to ASCII-armored form) and the rest of the
> toolchain seems to just happily accept it -- it'd be even nicer if dpkg
> and/or uscan was to normalize the contents to match the file extension.

That's because TTBOMK there is *nothing* atm actually validating that
file, and AFAIK (please correct me if I'm wrong) dpkg-source just picks
up whatever file, no matter the contents.

> Lastly, it's conceivable that we might want to take an already-armored
> .asc, and "launder" the armor, to stabilize it (e.g. stripping
> non-cryptographically-relevant comments, other weird OpenPGP packets,
> etc, which could all be stuffed into the detached signature).

I'd love if something did this for me, pretty much like I'd love
something like that does a pretty output to
debian/upstream/signing-key like
https://sources.debian.net/src/inkscape/0.92.2-1/debian/upstream/signing-key.asc/
(that's https://anonscm.debian.org/git/reproducible/misc.git/tree/dump-gpg-keys.sh)

IOW: Guillem: I second merging that sig→asc converter into dpkg-source! :)

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :' :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
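The sig→asc normalization discussed in this thread, sketched as an added example that is not part of the original messages and is not dpkg's or uscan's code. It turns either a binary `.sig` or an already-armored `.asc` into header-free ASCII armor and rejects input whose first packet is not a signature packet. The function names and the sample bytes are assumptions made for illustration. It works on the armor layer only: it neither verifies the signature nor filters additional packets.

```python
import base64

BEGIN = "-----BEGIN PGP SIGNATURE-----"
END = "-----END PGP SIGNATURE-----"
# Constructed sample: an old-format tag-2 (signature) packet header with a
# dummy body. It is shaped like a .sig file but is not a verifiable signature.
SAMPLE_SIG = bytes([0x88, 0x04, 0x04, 0x00, 0x01, 0x08])

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880, section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Return the binary packets, discarding armor headers (Comment:, Version:)."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) < 2 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an armored OpenPGP signature")
    body = lines[1:-1]
    if "" in body:  # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    stated = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    if stated and int.from_bytes(base64.b64decode(stated[1:]), "big") != crc24(data):
        raise ValueError("armor CRC-24 mismatch")
    return data

def packet_tag(data: bytes) -> int:
    """Tag of the first OpenPGP packet (RFC 4880, section 4.2)."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    return data[0] & 0x3F if data[0] & 0x40 else (data[0] >> 2) & 0x0F

def normalize_signature(raw: bytes) -> str:
    """Accept a binary .sig or an armored .asc and return header-free armor."""
    armored = raw.lstrip().startswith(BEGIN.encode())
    data = dearmor(raw.decode("ascii")) if armored else raw
    if packet_tag(data) != 2:  # 2 = signature packet
        raise ValueError("first packet is not a signature packet")
    b64 = base64.b64encode(data).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *rows, "=" + crc, END]) + "\n"
```

Calling `normalize_signature()` on the bytes of a renamed binary `.sig` and on an armored copy carrying extra `Comment:` headers yields the same output, which is the stability property the thread asks for.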