Bug#723692: libav: please check OpenPGP signatures on upstream tarballs
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Sep 18 21:36:52 UTC 2013
Package: libav
Version: 6:9.8-2
Severity: wishlist
Tags: patch
As of devscripts 2.13.3, uscan can verify the OpenPGP signature of the
upstream developer when scanning the package.
I believe the upstream packages for libav are signed by siretart, so
you can set this up for libav by storing his public key in
debian/upstream-signing-key.pgp:
  gpg --keyserver keys.gnupg.org --recv-keys 0x93005DC27E876C37ED7BCA9A98083544945348A4
  gpg --export-options export-minimal --export 0x93005DC27E876C37ED7BCA9A98083544945348A4 > debian/upstream-signing-key.pgp
  git add debian/upstream-signing-key.pgp
and then applying the following patch:
diff --git a/debian/watch b/debian/watch
index 21e23bb..0e3dce5 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,3 +1,3 @@
version=3
-opts="uversionmangle=s/_/~/i" \
+opts="uversionmangle=s/_/~/i,pgpsigurlmangle=s/$/.asc/" \
http://libav.org/releases/libav-([\d\.]+)\.tar\.xz
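Review bot: the new pgpsigurlmangle hard-codes the ".asc" suffix, so please confirm that upstream actually publishes a detached signature as libav-<version>.tar.xz.asc next to each tarball under http://libav.org/releases/; if the signatures are distributed under another name (for example ".sig"), uscan will fail to fetch them and the run aborts rather than silently skipping the check. The option also does nothing useful until debian/upstream-signing-key.pgp is committed alongside this change, so the keyring and the watch-file edit should land in the same commit. Leaving the release URL on plain http is acceptable only because the signature check now provides the authenticity the transport does not.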
This should make the uscan check slightly more cryptographically
plausible (though you'll want to change
debian/upstream-signing-key.pgp if/when siretart ever moves off his
1024-bit DSA key, hopefully sooner rather than later).
--dkg
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.11-rc4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
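The following script is an added example and not part of the bug report or of uscan: it carries out by hand the steps that uscan performs once pgpsigurlmangle is set, so that each one (URL mangling, keyring sanity check, detached-signature verification) can be inspected and tested on its own. It assumes the keyring path from the report (debian/upstream-signing-key.pgp), the fingerprint quoted in the report, that upstream publishes a detached signature as `<tarball>.asc`, and that gpg, gpgv and wget are installed; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the bug report): manual equivalent of what uscan does
# when pgpsigurlmangle=s/$/.asc/ is set, so the pieces can be checked separately.
# Assumptions: keyring at debian/upstream-signing-key.pgp, signatures published
# under the ".asc" suffix, gpg/gpgv/wget available. Fingerprint from the report.

UPSTREAM_FPR="93005DC27E876C37ED7BCA9A98083544945348A4"
KEYRING="${KEYRING:-debian/upstream-signing-key.pgp}"

# Apply the watch file's pgpsigurlmangle rule (s/$/.asc/) to a tarball URL.
pgpsig_url() {
    printf '%s\n' "$1" | sed 's/$/.asc/'
}

# Succeed only if the packaged keyring holds exactly one primary key and its
# fingerprint is the expected one: an extra key quietly widens who may "sign"
# releases, which is the failure mode the export-minimal keyring is meant to avoid.
keyring_has_only_fingerprint() {
    keyring="$1"; want="$2"
    [ -f "$keyring" ] || return 2
    fprs=$(gpg --no-default-keyring --keyring "$keyring" --with-colons \
               --list-keys 2>/dev/null |
           awk -F: '$1 == "pub" { p = 1; next } p && $1 == "fpr" { print $10; p = 0 }')
    [ "$fprs" = "$want" ]
}

# Verify a downloaded tarball against its detached signature using only the
# packaged keyring, never the developer's personal keyring.
# Returns 2 if any input file is missing, otherwise gpgv's own exit status.
verify_tarball() {
    tarball="$1"; sig="$2"; keyring="$3"
    [ -f "$tarball" ] && [ -f "$sig" ] && [ -f "$keyring" ] || return 2
    gpgv --keyring "$keyring" "$sig" "$tarball"
}

# Usage: upstream-verify.sh http://libav.org/releases/libav-9.8.tar.xz
main() {
    url="$1"
    sigurl=$(pgpsig_url "$url")
    tarball=$(basename "$url"); sig=$(basename "$sigurl")
    if ! keyring_has_only_fingerprint "$KEYRING" "$UPSTREAM_FPR"; then
        echo "keyring $KEYRING does not hold exactly key $UPSTREAM_FPR" >&2
        return 3
    fi
    wget -q "$url" "$sigurl" || return 4
    verify_tarball "$tarball" "$sig" "$KEYRING"
}

# Only run when given a URL, so the functions can be sourced or tested alone.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

The keyring check runs before anything is downloaded: if the committed keyring ever gains a second key, or the expected fingerprint changes (as the report anticipates when the signer rotates off the 1024-bit DSA key), the script refuses to proceed rather than verifying against whatever happens to be in the file.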