Bug#727096: uscan: store signature for upstream tarball in debian/

Ansgar Burchardt ansgar at debian.org
Tue Apr 12 16:24:52 UTC 2016


On Tue, 2016-04-12 at 21:52 +0800, Paul Wise wrote:
> On Tue, 2016-04-12 at 09:19 +0200, Ansgar Burchardt wrote:
> > For a given upstream tarball the upstream signature should go in a
> > file
> > with the extension `.asc`. For example, for
> >   dune-common_2.4.1.orig.tar.xz
> > the signature should be in
> >   dune-common_2.4.1.orig.tar.xz.asc
> Is there any possibility to extend this to include the fingerprint,
> thus allowing for multiple signatures; for example one from upstream
> and one from the Debian maintainer?

Why include the fingerprint in the filename instead of just including
multiple signatures in the single .asc file?  That is what we do for
InRelease and Release.gpg too.

I know there are some small downsides: gpg only supports using the same
hash for multiple signatures, or it will only validate the first
signature. But one can still split the file and call gpg multiple times
to validate each signature. It also doesn't allow adding more
signatures later, but I don't think that's very important here.

On the upside, the current implementation uses a predictable filename
and dpkg in stable already understands it (at least in so far as it
will not give an error when trying to extract a source package
including a *.asc file).

Ansgar
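The "split the file and call gpg multiple times" workaround above, as a worked example. This is code added to this thread, not part of uscan or devscripts. It assumes the .asc is either several armored SIGNATURE blocks concatenated or a single block holding several signature packets (the form gpg writes when given several -u keys), splits it into one armored file per signature packet, and runs the real `gpg --verify <sig> <data>` once per file. The sample input in build_sample_asc is constructed from dummy tag-2 packets, not real signatures, so gpg would reject it; it exists only to exercise the splitter offline.

```python
# Split a detached .asc holding several OpenPGP signatures into one armored
# file per signature, so `gpg --verify` can be run on each one separately.
import base64, re, subprocess, sys, tempfile
from pathlib import Path

SIGNATURE_TAG = 2  # OpenPGP packet tag of a signature packet (RFC 4880 s. 5.2)
ARMOR_RE = re.compile(
    r"-----BEGIN PGP SIGNATURE-----\r?\n(.*?)-----END PGP SIGNATURE-----", re.S)


def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP radix-64 armor (RFC 4880 s. 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> list[bytes]:
    """Binary payload of every SIGNATURE armor block; the '=XXXX' CRC is checked."""
    payloads = []
    for match in ARMOR_RE.finditer(text):
        lines = [line.strip() for line in match.group(1).split("\n")]
        # Armor headers (e.g. "Version:") end at the first blank line.
        data = [l for l in (lines[lines.index("") + 1:] if "" in lines else lines) if l]
        crc_line = data.pop() if data and data[-1].startswith("=") else None
        raw = base64.b64decode("".join(data))
        if crc_line and int.from_bytes(base64.b64decode(crc_line[1:]), "big") != crc24(raw):
            raise ValueError("armor CRC-24 mismatch")
        payloads.append(raw)
    return payloads


def parse_packets(data: bytes) -> list[tuple[int, bytes]]:
    """Split binary OpenPGP data into (tag, packet_bytes).  Old- and new-format
    headers with definite lengths (RFC 4880 s. 4.2) are handled; partial and
    indeterminate lengths never occur in detached signatures and are rejected."""
    packets, pos = [], 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError(f"bad packet header at offset {pos}")
        if first & 0x40:  # new-format header
            tag, l1 = first & 0x3F, data[pos + 1]
            if l1 < 192:
                hdr, length = 2, l1
            elif l1 < 224:
                hdr, length = 3, ((l1 - 192) << 8) + data[pos + 2] + 192
            elif l1 == 255:
                hdr, length = 6, int.from_bytes(data[pos + 2:pos + 6], "big")
            else:
                raise ValueError("partial body length not supported")
        else:  # old-format header with 1, 2 or 4 length octets
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        end = pos + hdr + length
        if end > len(data):
            raise ValueError("truncated packet")
        packets.append((tag, data[pos:end]))
        pos = end
    return packets


def armor_signature(packet: bytes) -> str:
    """Wrap raw packet bytes in a PGP SIGNATURE armor block with its CRC-24."""
    b64 = base64.b64encode(packet).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{body}\n={crc}\n-----END PGP SIGNATURE-----\n"


def split_signatures(asc_text: str) -> list[str]:
    """One armored detached signature per signature packet, whether the input is
    several armor blocks concatenated or one block holding several packets."""
    return [armor_signature(pkt) for payload in dearmor(asc_text)
            for tag, pkt in parse_packets(payload) if tag == SIGNATURE_TAG]


def verify_each(tarball: Path, asc_path: Path) -> list[bool]:
    """Run `gpg --verify` once per signature; returns one result per signature."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for i, sig in enumerate(split_signatures(asc_path.read_text())):
            sig_file = Path(tmp, f"sig{i}.asc")
            sig_file.write_text(sig)
            proc = subprocess.run(["gpg", "--verify", str(sig_file), str(tarball)])
            results.append(proc.returncode == 0)
    return results


def build_sample_asc() -> str:
    """Constructed input: three dummy tag-2 packets (NOT real signatures; gpg
    would reject them), two in one armor block and one in a second block."""
    p1 = bytes([0x88, 3]) + b"AAA"               # old format, 1-octet length
    p2 = bytes([0xC2, 4]) + b"BBBB"              # new format, 1-octet length
    p3 = bytes([0x89, 0x01, 0x00]) + b"C" * 256  # old format, 2-octet length
    return armor_signature(p1 + p2) + armor_signature(p3)


if __name__ == "__main__":  # usage: split_asc.py foo.orig.tar.xz foo.orig.tar.xz.asc
    if len(sys.argv) != 3:
        print("\n".join(split_signatures(build_sample_asc())))
        sys.exit(0)
    ok = verify_each(Path(sys.argv[1]), Path(sys.argv[2]))
    sys.exit(0 if ok and all(ok) else 1)
```

Run without arguments it prints the three re-armored dummy signatures; with a tarball and its .asc it exits non-zero unless every signature verifies. Note that gpg's exit status only says whether the signature is valid for some key in the keyring; which key signed, and whether that key is one you trust for this package, still has to be checked from the `--status-fd` output or by pointing gpg at a keyring that contains only the expected keys.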



More information about the devscripts-devel mailing list