Re: [pkg-wine-party] Upload for gnome-exe-thumbnailer 0.9.4-2
On 12.12.2016 01:12, James Lu wrote:
> Hi Jens,
>> Maybe have a look at the lintian hints:
>> I vcs-field-uses-insecure-uri
>> vcs-git git://anonscm.debian.org/pkg-wine/gnome-exe-thumbnailer.git
>> P debian-watch-may-check-gpg-signature
>> At least the first is trivial to fix, I'd recommend to do that for this
Great. Minor nitpick, the URL works, but looks strange. I'd suggest
>> The second is a bit harder to solve and needs upstream to sign future
>> releases. You may have a look at the wiki, and for automatic signing
>> at what winetricks does (I'm not sure if it's completely implemented
>> there yet).
> Hmm, I'll have to chat with Scott and Jan about this, though I don't see
> any new release in the near future.
> Also, is there a process for having multiple upstream keys? Although I
> tagged the 0.9.4 release on GitHub, I'd prefer having their keys added
> as well as my own, so they can sign future releases too.
> is the reference I'm using (unless I'm misunderstanding the
> verification process).
Should work, I didn't test it though.
If the signature file is downloaded, the downloaded upstream tarball is
checked for its authenticity against the downloaded signature file using
the keyring debian/upstream/signing-key.pgp or the armored keyring
debian/upstream/signing-key.asc (see "KEYRING FILE EXAMPLES").
$ gpg --export --export-options export-minimal --armor \
      'CF21 8F0E 7EAB F584 B7E2 0402 C77E 2D68 7254 3FAF' \
      > debian/upstream/signing-key.asc
If a group of developers sign the package, you need to list the
fingerprints of all of them in the argument for gpg --export ... so that
the keyring contains all of their OpenPGP keys.
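
Added example (not part of the original mail or of uscan): a shell check that a multi-signer keyring really contains every expected primary-key fingerprint, so a missing upstream key is caught before uscan rejects a release. The function names, the second fingerprint and the sample listing are constructed for illustration; real use assumes GnuPG 2.2+ for --show-keys.

```shell
#!/bin/sh
# Real use (assumption: GnuPG 2.2+):
#   gpg --show-keys --with-colons debian/upstream/signing-key.asc |
#       missing_signers 'CF21 8F0E ... 3FAF' '<second signer fingerprint>'

# Print every expected fingerprint that is NOT a primary key in the
# --with-colons listing read from stdin. No output means all are present.
missing_signers() {
    # Normalise the expected values: drop spaces, upper-case, one per line.
    expected=$(for f in "$@"; do
        printf '%s\n' "$f" | tr -d ' ' | tr 'a-f' 'A-F'
    done)
    # Field 10 of an "fpr" record is the fingerprint. Only the fpr record
    # that follows a "pub" record names a primary key; the one after "sub"
    # belongs to a subkey and must not satisfy the check.
    present=$(awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }')
    for f in $expected; do
        printf '%s\n' "$present" | grep -qxF "$f" || printf '%s\n' "$f"
    done
}

# Constructed sample listing: one primary key (the fingerprint quoted in the
# mail above) with one subkey. Timestamps, uid and subkey are made up.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:C77E2D6872543FAF:1480000000:::-:::scESC:
fpr:::::::::CF218F0E7EABF584B7E20402C77E2D6872543FAF:
uid:-::::1480000000::::Constructed Upstream <upstream@example.org>:
sub:-:4096:1:89ABCDEF01234567:1480000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9889ABCDEF01234567:
EOF
}
```

Any fingerprint the function prints still has to be added to the gpg --export argument list before the keyring is committed.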