
Re: Upstream Tarball Signature Files



On Fri, Aug 18, 2017 at 07:48:24AM -0400, Daniel Kahn Gillmor wrote:
> I confess that i've been taking the boring/silly/cheating way out and if
> upstream ships a detached binary signature as foo-1.2.3.tar.gz.sig, i've
> just been manually renaming it to foo_1.2.3.orig.tar.gz.asc (without
> even converting its contents to ASCII-armored form) and the rest of the
> toolchain seems to just happily accept it -- it'd be even nicer if dpkg
> and/or uscan was to normalize the contents to match the file extension.

That's because TTBOMK there is *nothing* atm actually validating that
file, and AFAIK (please correct me if I'm wrong) dpkg-source just picks
up whatever file, no matter the contents.

> Lastly, it's conceivable that we might want to take an already-armored
> .asc, and "launder" the armor, to stabilize it (e.g. stripping
> non-cryptographically-relevant comments, other weird OpenPGP packets,
> etc, which could all be stuffed into the detached signature).

I'd love it if something did this for me, pretty much like I'd love
something like that to produce a pretty output to debian/upstream/signing-key
like
https://sources.debian.net/src/inkscape/0.92.2-1/debian/upstream/signing-key.asc/
(that's
https://anonscm.debian.org/git/reproducible/misc.git/tree/dump-gpg-keys.sh)

IOW: Guillem: I second merging that sig→asc converter into dpkg-source!
:)

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540
more about me:  https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
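The sig→asc normalization and armor "laundering" discussed in this thread, as an added Python example (not dpkg's or uscan's own code): it accepts either a binary detached signature or an already-armored one, drops every armor header line (Version:, Comment:, ...), checks the CRC-24 trailer, refuses content that does not begin with an OpenPGP signature packet, and re-emits canonical armor. The function names and `SAMPLE_SIG` (packet framing only, not a real signature) are constructed for illustration.

```python
import base64
import re
ARMOR_RE = re.compile(rb"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)-----END PGP \1-----", re.S)

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, the checksum carried in the armor trailer."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def first_packet_tag(data: bytes) -> int:
    """Tag of the first OpenPGP packet (RFC 4880 section 4.2), old or new header format."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet stream")
    return data[0] & 0x3F if data[0] & 0x40 else (data[0] >> 2) & 0x0F

def dearmor(text: bytes) -> bytes:
    """Binary packets of an armored block; drops all header lines, checks the CRC-24."""
    m = ARMOR_RE.search(text)
    if m is None:
        raise ValueError("no armored block found")
    lines = [l.strip() for l in m.group(2).splitlines()]
    if b"" in lines:  # armor headers (Version:, Comment:, ...) end at the first blank line
        lines = lines[lines.index(b"") + 1:]
    crc_lines = [l for l in lines if l.startswith(b"=")]
    data = base64.b64decode(b"".join(l for l in lines if not l.startswith(b"=")), validate=True)
    if crc_lines and base64.b64decode(crc_lines[0][1:]) != crc24(data).to_bytes(3, "big"):
        raise ValueError("armor CRC-24 mismatch")
    return data

def enarmor(data: bytes) -> bytes:
    """Canonical signature armor: no header lines, 64-column base64, CRC-24 trailer."""
    b64 = base64.b64encode(data)
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = b"=" + base64.b64encode(crc24(data).to_bytes(3, "big"))
    return b"\n".join([b"-----BEGIN PGP SIGNATURE-----", b""] + body + [crc, b"-----END PGP SIGNATURE-----", b""])

def normalize_signature(blob: bytes) -> bytes:
    """Accept a binary .sig or a decorated .asc; return canonical armor or raise."""
    raw = dearmor(blob) if blob.lstrip().startswith(b"-----BEGIN PGP") else blob
    if first_packet_tag(raw) != 2:  # tag 2 = Signature Packet
        raise ValueError("file does not start with an OpenPGP signature packet")
    return enarmor(raw)
# Constructed sample: old-format header of a tag-2 packet (0x89) plus filler, not a real signature.
SAMPLE_SIG = b"\x89\x00\x08" + bytes(range(8))
```

Running `normalize_signature` on the renamed `.sig` described above yields a `.asc` whose contents match its extension; an arbitrary non-OpenPGP file is rejected instead of being silently picked up.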


