[Pkg-gnupg-maint] Bug#711744: [gnupg] Please check signature files when getting new orig.tar.gz

Schrober franzschrober at yahoo.de
Sun Jun 9 09:01:54 UTC 2013


Source: gnupg
Severity: wishlist

uscan will receive support [1] for checking downloaded tarballs+signatures 
against a predefined set of keys. gnupg is an (or the most) important part of 
the verification procedures in Debian. Therefore, I would like to ask you 
directly instead of waiting for you to notice this feature.

I've attached an example watch file and an upstream-signing-key.pgp (please 
throw this one away and recreate it because I have absolutely no idea what 
keys should be included. I've just imported the one from the gnupg homepage 
[2]).

[1] http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git;a=commit;h=e82313c718b7bc8b884a2617081c6638d88af37b
[2] http://www.gnupg.org/signature_key.en.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: upstream-signing-key.pgp
Type: application/pgp-encrypted
Size: 2136 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20130609/97ec83d9/attachment.bin>
-------------- next part --------------
version=3
opts="pgpsigurlmangle=s/$/.sig/" \
 http://gnupg.org/download/ .*/gnupg-(1\..*)\.tar\.gz
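
Added illustration, not part of the original message and not uscan's own code: the two steps the watch file above asks for, written as plain shell. The function names, the `gnupg-1.x.y.tar.gz` placeholder file name and the assumption that the keyring is a binary (non-armored) OpenPGP keyring are mine.

```shell
#!/bin/sh
# Sketch of the check requested in the watch file: derive the signature URL
# with the pgpsigurlmangle rule, then verify the tarball against ONLY the
# keys shipped in the package's keyring (not the user's own keyring).

# Apply a pgpsigurlmangle-style sed rule to a tarball URL.
# $1 = tarball URL, $2 = substitution rule, e.g. 's/$/.sig/'
sig_url_for() {
    printf '%s\n' "$1" | sed -e "$2"
}

# Verify a detached signature with gpgv against a dedicated keyring.
# $1 = keyring file, $2 = detached signature, $3 = tarball
# Returns 2 if any input is missing or empty (fail closed, gpgv is not run),
# otherwise gpgv's own exit status (0 only for a good signature by a listed key).
verify_upstream() {
    keyring=$1 sig=$2 tarball=$3
    for f in "$keyring" "$sig" "$tarball"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    # gpgv treats a keyring name without a slash as relative to its home
    # directory, so force a path to make sure the intended file is used.
    case $keyring in
        */*) ;;
        *) keyring=./$keyring ;;
    esac
    gpgv --keyring "$keyring" "$sig" "$tarball"
}

# Example (constructed file name):
#   sig_url_for 'http://gnupg.org/download/gnupg-1.x.y.tar.gz' 's/$/.sig/'
#   verify_upstream debian/upstream-signing-key.pgp \
#       gnupg-1.x.y.tar.gz.sig gnupg-1.x.y.tar.gz
```

Because gpgv trusts every key in the keyring it is given, the contents of that keyring are the whole trust decision, which is why the message asks for the attached one to be recreated by the maintainers.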

