[Pkg-crosswire-devel] First upload - signing

Roberto C. Sánchez roberto at debian.org
Fri Feb 23 13:00:45 GMT 2018


On Fri, Feb 23, 2018 at 12:23:34PM +0000, Teus Benschop wrote:
>    While trying to sign the commits and the tags, I have learned that it is
>    important to make gpg-agent remember the passphrase for the private key.
>    If gpg-agent is not able to provide the passphrase, then signing the tags
>    fails while running "gbp import-orig" for importing a new upstream
>    tarball.
>    After fixing the above, I fail to make "gbp import-orig" sign its
>    commits. It does sign the tags, but not the commits.

Hi Teus,

It appears that 'gbp import-orig' can sign tags but cannot sign commits.
That is surprising to me, but given that it seems to be a limitation of
the tool, I think that it is OK. The way that tagging in Git works, it
would not be possible to retroactively change the history leading to a
tagged commit without also altering the tag. Based on that, signing the
tag when importing a new .orig.tar.gz is sufficient.

The configuration you have for signing individual commits looks correct
and should lead to every commit you make on master being signed, which
is what we want.

Regards,

-Roberto

-- 
Roberto C. Sánchez
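
The reply above argues that a signed tag also protects the history behind the tagged commit. The following sketch is an added example, not part of the original thread or of gbp: it recomputes Git object ids with hashlib to show that changing an older commit changes the tip id, so the signed tag payload no longer refers to it. The identity, file contents and tag name are constructed.

```python
import hashlib

WHO = "Example Dev <dev@example.org> 1519390000 +0000"  # constructed identity

def git_id(kind: str, body: bytes) -> str:
    """Git object id: SHA-1 over '<type> <size>' + NUL + body."""
    header = kind.encode() + b" " + str(len(body)).encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()

def tree(files: dict) -> str:
    """Tree id for a flat directory of regular files (mode 100644)."""
    body = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(git_id("blob", data))
        for name, data in sorted(files.items())
    )
    return git_id("tree", body)

def commit(tree_id: str, parents: list, msg: str) -> str:
    """Commit id; the parent ids are part of the hashed content."""
    lines = [f"tree {tree_id}"] + [f"parent {p}" for p in parents]
    lines += [f"author {WHO}", f"committer {WHO}", "", msg]
    return git_id("commit", ("\n".join(lines) + "\n").encode())

def tag_payload(commit_id: str, name: str) -> bytes:
    """The tag content that a signed tag's signature covers; it names the commit id."""
    return (f"object {commit_id}\ntype commit\ntag {name}\n"
            f"tagger {WHO}\n\nUpstream version\n").encode()

def history(first_file: bytes):
    """Two-commit history; returns (root commit id, tip commit id)."""
    c1 = commit(tree({"README": first_file}), [], "Initial import")
    c2 = commit(tree({"README": first_file, "NEWS": b"1.0\n"}), [c1], "New upstream")
    return c1, c2

def tag_still_matches(signed_payload: bytes, tip_id: str) -> bool:
    """True if the signed payload's 'object' line names this tip commit."""
    return signed_payload.split(b"\n", 1)[0] == b"object " + tip_id.encode()

if __name__ == "__main__":
    _, tip = history(b"original\n")
    signed = tag_payload(tip, "upstream/1.0")          # constructed tag name
    _, rewritten_tip = history(b"tampered\n")          # only the OLDER commit differs
    print(tip, tag_still_matches(signed, tip))
    print(rewritten_tip, tag_still_matches(signed, rewritten_tip))
```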



