[Pkg-gnupg-maint] Bug#711744: Bug#711744: [gnupg] Please check signature files when getting new orig.tar.gz

Thijs Kinkhorst thijs at debian.org
Thu Dec 12 20:08:24 UTC 2013


On Sun, June 9, 2013 10:01, Schrober wrote:
> Source: gnupg
> Severity: wishlist
>
> uscan will receive support [1] for checking downloaded tarballs+signatures
> against a predefined set of keys. gnupg is an (or the most) important part
> of the verification procedures in debian. Therefore, I would like to ask you
> directly instead of waiting until you noticed this feature.
>
> I've attached an example watch file and an upstream-signing-key.pgp
> (please throw this one away and recreate it because I have absolutely no
> idea what keys should be included. I've just imported the one from the
> gnupg homepage [2]).

Thanks. However, this doesn't work for me. If I put random data in the
.pgp file it will download the orig.tar.gz blindly. Is this expected? (I'm
using sid.)


Cheers,
Thijs
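
The failure mode raised above (a keyring file holding random bytes, and the tarball still being downloaded) is one that a quick sanity check catches before any signature verification runs. Below is an added example, not uscan's or gnupg's own code: a small OpenPGP packet walker following RFC 4880 section 4.2 that reports whether a file actually parses as a packet stream containing a public-key packet. The key material inside the constructed sample keyring is dummy data (tiny MPIs, not a usable key), built only to exercise the parser; `check_keyring_file` and the other names are assumptions of this example.

```python
import struct

# OpenPGP packet tags (RFC 4880 section 4.3)
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13
TAG_PUBLIC_SUBKEY = 14

# Key packet versions this check accepts: v3 and v4 from RFC 4880, v6 from RFC 9580
ACCEPTED_KEY_VERSIONS = (3, 4, 6)


def iter_packets(data):
    """Yield (tag, body) for each packet in an OpenPGP binary stream.

    Raises ValueError on anything that is not a well-formed packet
    sequence, which is exactly what a file of random bytes produces.
    """
    pos, end = 0, len(data)
    while pos < end:
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("offset %d: packet tag byte lacks bit 7" % (pos - 1))
        if ctb & 0x40:
            # New-format header (section 4.2.2): tag in the low six bits.
            tag = ctb & 0x3F
            if pos >= end:
                raise ValueError("truncated new-format length")
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                if pos >= end:
                    raise ValueError("truncated two-octet length")
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                if pos + 4 > end:
                    raise ValueError("truncated five-octet length")
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                # 224..254 are partial body lengths, only legal for data packets
                raise ValueError("partial body length in a keyring")
        else:
            # Old-format header (section 4.2.1): tag in bits 2-5, length type in bits 0-1.
            tag = (ctb >> 2) & 0x0F
            length_type = ctb & 0x03
            if length_type == 3:
                raise ValueError("indeterminate packet length")
            size = (1, 2, 4)[length_type]
            if pos + size > end:
                raise ValueError("truncated old-format length")
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        if pos + length > end:
            raise ValueError("packet body runs past end of data")
        yield tag, data[pos:pos + length]
        pos += length


def keyring_looks_valid(data):
    """True only if data parses as packets and holds a public-key packet of an accepted version."""
    try:
        packets = list(iter_packets(data))
    except ValueError:
        return False
    return any(tag == TAG_PUBLIC_KEY and body and body[0] in ACCEPTED_KEY_VERSIONS
               for tag, body in packets)


def old_format_packet(tag, body):
    """Encode body as an old-format packet with a two-octet length (the form gpg uses when exporting keys)."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


# Constructed sample: a minimal v4 RSA public-key packet followed by a user ID.
# The MPIs are deliberately tiny dummies; this is not a usable key, only a
# well-formed packet stream for exercising the parser.
KEY_BODY = (b"\x04"                    # version 4
            + b"\x00\x00\x00\x00"      # creation time
            + b"\x01"                  # algorithm 1 = RSA
            + b"\x00\x09\x01\x01"      # MPI n: 9 bits
            + b"\x00\x05\x11")         # MPI e: 5 bits (17)
CONSTRUCTED_KEYRING = (old_format_packet(TAG_PUBLIC_KEY, KEY_BODY)
                       + old_format_packet(TAG_USER_ID, b"Example <example@example.invalid>"))

# Constructed sample of what the thread describes: random bytes in the .pgp file.
CONSTRUCTED_GARBAGE = b"this is not a keyring, just some random data\n"


def check_keyring_file(path):
    """Read a file and report whether it is sane enough to hand to the signature verifier."""
    with open(path, "rb") as fh:
        return keyring_looks_valid(fh.read())


if __name__ == "__main__":
    print("constructed keyring:", keyring_looks_valid(CONSTRUCTED_KEYRING))   # True
    print("garbage file:", keyring_looks_valid(CONSTRUCTED_GARBAGE))          # False
```

The point of the check is to fail closed: a keyring that does not even parse should abort the download rather than let verification be skipped. It is a structural check only, so it says nothing about whether the keys inside are the right ones; that decision still rests with whoever maintains the keyring, as the original report points out.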


