debian/upstream/signing-key.asc in policy 4.1.0
Osamu Aoki
osamu at debian.org
Wed Aug 23 15:59:48 UTC 2017
Hi,
After all the discussion, Policy 4.1.0 goes as:
| 4.11. Optional upstream source location: debian/watch
|
| This is an optional, recommended configuration file for the uscan
| utility which defines how to automatically scan ftp or http sites for
| newly available updates of the package. This is also used by some Debian
| QA tools to help with quality control and maintenance of the
| distribution as a whole.
|
| If the upstream maintainer of the software provides OpenPGP signatures
| for new releases, including the information required for uscan to verify
| signatures for new upstream releases is also recommended. To do this,
| use the pgpsigurlmangle option in debian/watch to specify the location
| of the upstream signature, and include the key or keys used to sign
| upstream releases in the Debian source package as
| debian/upstream/signing-key.asc.
|
| For more information about uscan and these options, including how to
| generate the file containing upstream signing keys, see uscan.
Please note a few things which I failed to share:
The current uscan supports both:
debian/upstream/signing-key.asc
debian/upstream/signing-key.pgp
Now, if debian/upstream/signing-key.asc is used, uscan converts it to
<tmpdir>/signing-key.gpg with gpg for use with gpgv to check the
signature. (I think the same goes for dpkg-source.) It looks like extra
CPU power waste, but not a big deal. I do this conversion since no
documentation mentions that the keyring can be ASCII armored for gpgv.
The updated uscan will support debian/upstream/signing-key.asc only and
internally convert it to <tmpdir>/signing-key.gpg. I will make uscan
convert other formats to this policy-compliant *.asc. I will also make noise
to maintainers to push them to Policy 4.1.0.
Regards,
Osamu
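The conversion described in the message above, as an added example that is not uscan's or dpkg-source's own code: the armored debian/upstream/signing-key.asc is dearmored into a binary keyring in a temporary directory, and gpgv is then pointed at that keyring alone to check the upstream tarball's detached signature. It assumes gpg and gpgv are installed and takes all paths as arguments; the watch-file line in the comment is a constructed illustration of the pgpsigurlmangle option.

```shell
#!/bin/sh
# Added example (not uscan's own code). A constructed debian/watch entry
# that tells uscan where the detached signature lives would look like:
#   opts="pgpsigurlmangle=s/$/.asc/" https://example.invalid/foo/foo-(.*)\.tar\.gz
# uscan then verifies the downloaded tarball against the keys packaged in
# debian/upstream/signing-key.asc, which is what the two functions below do.
set -eu

# make_keyring ASC_FILE TMPDIR -> prints the path of the binary keyring.
# gpg --dearmor turns the armored key file into the binary keyring format
# that gpgv is documented to accept.
make_keyring() {
    asc="$1"; tmpdir="$2"
    keyring="$tmpdir/signing-key.gpg"
    gpg --batch --quiet --dearmor --output "$keyring" "$asc"
    printf '%s\n' "$keyring"
}

# verify_tarball ASC_FILE TARBALL SIGFILE -> returns 0 only if SIGFILE is a
# good signature over TARBALL by a key contained in ASC_FILE.
# --keyring restricts gpgv to the packaged key(s): a signature by any other
# key, even one present in the maintainer's own keyring, is rejected.
verify_tarball() {
    asc="$1"; tarball="$2"; sig="$3"
    tmpdir=$(mktemp -d)
    keyring=$(make_keyring "$asc" "$tmpdir")
    status=0
    gpgv --keyring "$keyring" "$sig" "$tarball" || status=$?
    rm -rf "$tmpdir"
    return "$status"
}
```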