[Pkg-gnupg-maint] Bug#711744: Bug#711744: [gnupg] Please check signature files when getting new orig.tar.gz
Franz Schrober
franzschrober at yahoo.de
Thu Dec 12 20:35:29 UTC 2013
>
> Thanks, However, this doesn't work for me. If I put random data in the
> .pgp file it will download the orig.tar.gz blindly. Is this expected? (I'm
> using sid.)
What *.pgp? The watch file was configured to scan for *sig files. And yes, the debian/upstream-signing-key.pgp has to be a valid keyring (which the debian package maintainer provides) and is the one which is used to check against. I don't think the author intended that it can be invalid but it should still download it and tell you that it is an invalid packet and warn you about it.
I've Cc'ed the author of this feature to discuss it with you. But I just checked it with following scenario:
1. write a correct watchfile + debian/upstream-signing-key.pgp
2. test it (should download both signature and file)
3. change the debian/watch to a wrong ending
4. delete previous downloaded files
5. use uscan again
6. look weird around because the file still exists even when the signature could not be checked because of this 404. It also doesn't generate a failure returncode
More information about the Pkg-gnupg-maint
mailing list