Re: [pkg-wine-party] Upload for gnome-exe-thumbnailer 0.9.4-2

On 12.12.2016 01:12, James Lu wrote:
> Hi Jens,
>> Maybe have a look at the lintian hints:
>> I vcs-field-uses-insecure-uri
>>   vcs-git git://anonscm.debian.org/pkg-wine/gnome-exe-thumbnailer.git
>> P debian-watch-may-check-gpg-signature
>> At least the first is trivial to fix, I'd recommend to do that for this
>> upload.
> Done.

Great. Minor nitpick, the URL works, but looks strange. I'd suggest
instead of

>> The second is a bit harder to solve and needs upstream to sign future
>> releases. You may have a look at the wiki[1], and for automatic signing
>> at what winetricks does (I'm not sure if it's completely implemented
>> there yet).
> Hmm, I'll have to chat with Scott and Jan about this, though I don't see
> any new release in the near future.
> Also, is there a process for having multiple upstream keys? Although I
> tagged the 0.9.4 release on GitHub, I'd prefer having their keys added
> as well as my own, so they can sign future releases too.
> https://wiki.debian.org/debian/watch#Cryptographic_signature_verification
> is the reference I'm using (unless I'm misunderstanding the
> verification process).

Should work, I didn't test it though.

If the signature file is downloaded, the downloaded upstream tarball is
checked for its authenticity against the downloaded signature file using
the keyring debian/upstream/signing-key.pgp or the armored keyring
debian/upstream/signing-key.asc (see "KEYRING FILE EXAMPLES").

$ gpg --export --export-options export-minimal --armor \
      'CF21 8F0E 7EAB F584 B7E2  0402 C77E 2D68 7254 3FAF' \
      >debian/upstream/signing-key.asc

If a group of developers sign the package, you need to list fingerprints
of all of them in the argument for gpg --export ... to make the keyring
to contain all OpenPGP keys of them.
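
The multi-key keyring described above, as an added example that is not part of the original message or of the package: it exports two fingerprints into one armored keyring and checks with gpgv that a signature from either listed key verifies while one from an unlisted key is rejected. It assumes GnuPG 2.1 or later with gpgv on PATH; the user IDs, file names and keys are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway keys and a dummy "tarball" in a temp directory.
# The user IDs and file names are hypothetical, not from the package.
gen_key() {   # $1 = user ID; creates an unprotected signing-only key
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" ed25519 sign never 2>/dev/null
}
fpr_of() {    # $1 = e-mail; prints the primary key fingerprint
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: '/^fpr:/ {print $10; exit}'
}
sign_as() {   # $1 = fingerprint, $2 = file to sign, $3 = signature output
    gpg --batch --quiet --local-user "$1" --armor --output "$3" \
        --detach-sign "$2" 2>/dev/null
}
check() {     # $1 = binary keyring, $2 = signature, $3 = signed file
    # gpgv trusts only the keys in the given keyring, nothing else.
    if gpgv --keyring "$1" "$2" "$3" 2>/dev/null; then echo ok; else echo rejected; fi
}
multi_key_demo() {
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"; mkdir -p "$work/debian/upstream"
    gen_key "Upstream A <a@example.org>"
    gen_key "Upstream B <b@example.org>"
    gen_key "Outsider <c@example.org>"
    a=$(fpr_of a@example.org); b=$(fpr_of b@example.org); c=$(fpr_of c@example.org)
    asc="$work/debian/upstream/signing-key.asc"
    # Both upstream fingerprints go into one armored keyring.
    gpg --batch --export --export-options export-minimal --armor "$a" "$b" > "$asc"
    keys=$(gpg --batch --with-colons --import-options show-only --import "$asc" \
           2>/dev/null | grep -c '^pub:')
    tarball="$work/example_1.0.orig.tar.gz"
    printf 'constructed tarball contents\n' > "$tarball"
    sign_as "$b" "$tarball" "$work/b.asc"     # signed by a listed key
    sign_as "$c" "$tarball" "$work/c.asc"     # signed by an unlisted key
    gpg --batch --dearmor < "$asc" > "$work/keyring.gpg"   # gpgv needs binary
    echo "keys=$keys by_B=$(check "$work/keyring.gpg" "$work/b.asc" "$tarball")" \
         "by_outsider=$(check "$work/keyring.gpg" "$work/c.asc" "$tarball")"
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}
RESULT=$(multi_key_demo)
echo "$RESULT"
```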
