How to handle upstream tarball signature

Osamu Aoki osamu at debian.org
Sat Aug 19 12:11:42 UTC 2017


Hi,

I was trying to update uscan and realized a few problems which are not
addressed by the discussion here.  There are many things to consider.


On Fri, Aug 18, 2017 at 02:43:58PM +0200, Mattia Rizzolo wrote:
> On Fri, Aug 18, 2017 at 07:48:24AM -0400, Daniel Kahn Gillmor wrote:
> > I confess that i've been taking the boring/silly/cheating way out and if
> > upstream ships a detached binary signature as foo-1.2.3.tar.gz.sig, i've
> > just been manually renaming it to foo_1.2.3.orig.tar.gz.asc (without
> > even converting its contents to ASCII-armored form) and the rest of the
> > toolchain seems to just happily accept it -- it'd be even nicer if dpkg
> > and/or uscan was to normalize the contents to match the file extension.
> 
> That's because TTBOMK there is *nothing* atm actually validating that
> file, and AFAIK (please correct me if I'm wrong) dpkg-source just picks
> up whatever file, no matter the contents.

If the watch file is properly configured, uscan verifies the signature.
You should have the upstream keyring stored in

   debian/upstream/signing-key.asc

> > Lastly, it's conceivable that we might want to take an already-armored
> > .asc, and "launder" the armor, to stabilize it (e.g. stripping
> > non-cryptographically-relevant comments, other weird OpenPGP packets,
> > etc, which could all be stuffed into the detached signature).
> 
> I'd love if something did this for me, pretty much like I'd love
> something like that does a pretty output to debian/upstream/signing-key
> like
> https://sources.debian.net/src/inkscape/0.92.2-1/debian/upstream/signing-key.asc/
> (that's
> https://anonscm.debian.org/git/reproducible/misc.git/tree/dump-gpg-keys.sh)
> 
> IOW: Guillem: I second merging that sig→asc converter into dpkg-source!
> :)

1. There are different kinds of signature:
   * files used
     * detached signature       gpg -sb   (easy)
     * non-detached signature   gpg -s    (no answer)
   * format used
     * binary (.gpg, ...)                 (easy, but who converts?)
     * ASCII  (.asc)                      (easy)

2. What to do if upstream is repacked.
   * uscan can confirm it, but where do we put the result in case it is
     repacked?
   * If we leave the upstream keyring at debian/upstream/signing-key.asc, it
     has no value to the generated Debian packages.  (A new *.asc can be
     added by the maintainer, but that is useless since we upload with a
     signed *.dsc.  We need to look into debian/copyright to see if this
     is repacked or not.  But people may use different ways to repack.
     So it is confusing to have the keyring.  There should be a clear way
     to identify easily whether it is repackaged or not.)

Does anyone have a clear idea on the "gpg -s" case for 1 and an answer for 2?

These affect how I write uscan.

Osamu
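Added example for the format question in item 1 and the "launder the armor" idea in the quoted text. This is not code from uscan, dpkg-source or devscripts, and not from anyone in this thread; the function names (normalize_signature, dearmor, armor, packet_tags, crc24) are my own. It accepts either a binary .sig or an armored .asc, drops Version:/Comment: armor headers, checks the radix-64 CRC, walks the OpenPGP packet headers and refuses anything that is not purely signature packets (tag 2), then re-emits canonical armor. It also shows why the plain "gpg -s" case is different: that output is a signed message (one-pass-signature, literal-data and signature packets), so it has to be split apart, not renamed. The fixtures are constructed placeholders with real packet framing but dummy bodies; nothing here verifies against a key, and the CRC is an integrity check only, not a security control.

```python
"""Canonicalize an OpenPGP detached signature (.sig binary or .asc armored) into
an .asc with no armor headers and only signature packets.  Added example; not
code from uscan, dpkg-source or devscripts."""
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB   # RFC 4880 section 6.1
SIGNATURE_TAG = 2                              # RFC 4880 section 5.2
ARMOR_BEGIN = "-----BEGIN PGP SIGNATURE-----"
ARMOR_END = "-----END PGP SIGNATURE-----"

def crc24(data: bytes) -> int:
    """Radix-64 checksum; a transport integrity check, not a security control."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def _take(data: bytes, pos: int, n: int):
    # Return data[pos:pos+n] and the new offset, or fail if the input is short.
    if pos + n > len(data):
        raise ValueError("truncated packet at offset %d" % pos)
    return data[pos:pos + n], pos + n

def packet_tags(data: bytes) -> list:
    """Walk the packet headers (RFC 4880 section 4.2) and return each packet's tag."""
    tags, pos = [], 0
    while pos < len(data):
        (ctb,), pos = _take(data, pos, 1)
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % (pos - 1))
        if ctb & 0x40:                          # new-format header
            tag = ctb & 0x3F
            (first,), pos = _take(data, pos, 1)
            if first < 192:
                length = first
            elif first < 224:
                (second,), pos = _take(data, pos, 1)
                length = ((first - 192) << 8) + second + 192
            elif first == 255:
                raw, pos = _take(data, pos, 4)
                length = int.from_bytes(raw, "big")
            else:                               # partial body lengths: never in a signature
                raise ValueError("partial body length at offset %d" % (pos - 1))
        else:                                   # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length at offset %d" % (pos - 1))
            raw, pos = _take(data, pos, (1, 2, 4)[ltype])
            length = int.from_bytes(raw, "big")
        _, pos = _take(data, pos, length)       # skip the body, checking it is all present
        tags.append(tag)
    return tags

def dearmor(text: str) -> bytes:
    """Strip armor, drop Version:/Comment: header lines, verify the CRC24 line."""
    lines = text.replace("\r\n", "\n").split("\n")
    if ARMOR_BEGIN not in lines or ARMOR_END not in lines:
        raise ValueError("not an armored PGP signature")
    body = lines[lines.index(ARMOR_BEGIN) + 1:lines.index(ARMOR_END)]
    if "" in body:                              # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    crc_lines = [ln for ln in body if ln.startswith("=")]
    data = base64.b64decode("".join(ln for ln in body if ln and not ln.startswith("=")),
                            validate=True)
    if len(crc_lines) != 1:
        raise ValueError("expected exactly one radix-64 checksum line")
    want = int.from_bytes(base64.b64decode(crc_lines[0][1:], validate=True), "big")
    if crc24(data) != want:
        raise ValueError("radix-64 checksum mismatch")
    return data

def armor(sig: bytes) -> str:
    """Canonical armor: no headers, 64-column lines, CRC24 trailer."""
    b64 = base64.b64encode(sig).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(sig).to_bytes(3, "big")).decode("ascii")
    return "%s\n\n%s\n=%s\n%s\n" % (ARMOR_BEGIN, body, crc, ARMOR_END)

def normalize_signature(blob: bytes) -> str:
    """Take .sig or .asc bytes, return canonical .asc text.  Refuses anything not made
    purely of signature packets, e.g. plain 'gpg -s' output (one-pass-signature,
    literal-data, signature), which has to be split apart rather than renamed."""
    armored = blob.lstrip().startswith(b"-----BEGIN PGP")
    raw = dearmor(blob.decode("utf-8")) if armored else blob
    tags = packet_tags(raw)
    extra = sorted(set(tags) - {SIGNATURE_TAG})
    if not tags or extra:
        raise ValueError("not a detached signature; packet tags seen: %s" % tags)
    return armor(raw)

# Constructed fixtures: real OpenPGP packet framing around placeholder bodies, so
# they exercise the parser but do not verify against any key.
SAMPLE_SIG = bytes([0x88, 0x05, 0x04, 0x00, 0x01, 0x0A, 0x1B])      # old-format tag 2
SAMPLE_ASC_WITH_HEADERS = armor(SAMPLE_SIG).replace(
    ARMOR_BEGIN + "\n", ARMOR_BEGIN + "\nVersion: GnuPG v2\nComment: stuffed in\n"
).replace("\n", "\r\n")
SAMPLE_SIGNED_MESSAGE = (bytes([0xC4, 0x03, 0x03, 0x00, 0x08])      # tag 4 one-pass sig
                         + bytes([0xCB, 0x02, 0x62, 0x00]) + SAMPLE_SIG)  # tag 11, tag 2
```

On a real foo-1.2.3.tar.gz.sig you would feed `open(path, "rb").read()` to normalize_signature in place of the fixtures and write the result out as foo_1.2.3.orig.tar.gz.asc. The cryptographic check itself still belongs to gpgv against debian/upstream/signing-key.asc; this only makes the file's contents match its extension and keeps stray packets out of it.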