Bug#723692: libav: please check OpenPGP signatures on upstream tarballs

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Sep 18 21:36:52 UTC 2013


Package: libav
Version: 6:9.8-2
Severity: wishlist
Tags: patch

As of devscripts 2.13.3, uscan can verify the OpenPGP signature of the
upstream developer when scanning the package.

I believe the upstream packages for libav are signed by siretart, so
you can set this up for libav by storing his public key in
debian/upstream-signing-key.pgp:

 # fetch the key by full fingerprint (the gpg option is --keyserver, singular)
 gpg --keyserver keys.gnupg.org --recv 0x93005DC27E876C37ED7BCA9A98083544945348A4
 # export only the key itself, without third-party certifications
 gpg --export-options export-minimal --export 0x93005DC27E876C37ED7BCA9A98083544945348A4 > debian/upstream-signing-key.pgp
 git add debian/upstream-signing-key.pgp

and then applying the following patch:

diff --git a/debian/watch b/debian/watch
index 21e23bb..0e3dce5 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,3 +1,3 @@
 version=3
-opts="uversionmangle=s/_/~/i" \
+opts="uversionmangle=s/_/~/i,pgpsigurlmangle=s/$/.asc/" \
 http://libav.org/releases/libav-([\d\.]+)\.tar\.xz
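Review bot: the `pgpsigurlmangle=s/$/.asc/` rule assumes upstream publishes a detached signature at exactly `<tarball>.asc` beside each release; confirm that against http://libav.org/releases/ before merging, since otherwise uscan fails to fetch the signature and the check adds nothing. Note also that the rule only takes effect when debian/upstream-signing-key.pgp exists in the source tree, so this hunk should land in the same commit as the key file described above rather than on its own.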


This should make the uscan check slightly more cryptographically
plausible (though you'll want to change
debian/upstream-signing-key.pgp if/when siretart ever moves off his
1024-bit DSA key, hopefully sooner rather than later).

         --dkg

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-rc4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
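As an added illustration (not part of the bug report and not devscripts code), the script below emulates the two mangle rules from the proposed debian/watch entry and then runs the same kind of check uscan performs: verifying the detached signature against only the pinned keyring with gpgv. The `10_beta1` version string is a constructed sample, and the `verify_tarball` helper assumes gpgv is installed and that the signature and tarball have already been downloaded.

```python
"""Emulate uscan's uversionmangle / pgpsigurlmangle rules and the
pinned-keyring verification step (example code, not devscripts)."""
import re
import subprocess
from typing import Dict

# opts="..." value exactly as in the proposed debian/watch hunk
WATCH_OPTS = "uversionmangle=s/_/~/i,pgpsigurlmangle=s/$/.asc/"


def parse_opts(opts: str) -> Dict[str, str]:
    """Split a watch-file 'key=value,key=value' opts string."""
    return dict(item.split("=", 1) for item in opts.split(",") if item)


def apply_sed_rule(rule: str, text: str) -> str:
    """Apply a Perl-style s/pattern/replacement/flags rule to text.
    Only the 'g' and 'i' flags are handled; Perl's $1 is not translated."""
    m = re.fullmatch(r"s(.)(.*?)\1(.*?)\1([gi]*)", rule)
    if not m:
        raise ValueError(f"unsupported mangle rule: {rule!r}")
    _, pattern, repl, flags = m.groups()
    count = 0 if "g" in flags else 1          # Perl replaces once without /g
    re_flags = re.IGNORECASE if "i" in flags else 0
    return re.sub(pattern, repl, text, count=count, flags=re_flags)


def upstream_to_debian_version(opts: Dict[str, str], version: str) -> str:
    rule = opts.get("uversionmangle")
    return apply_sed_rule(rule, version) if rule else version


def signature_url(opts: Dict[str, str], tarball_url: str) -> str:
    rule = opts.get("pgpsigurlmangle")
    if rule is None:
        raise ValueError("no pgpsigurlmangle: uscan cannot verify signatures")
    return apply_sed_rule(rule, tarball_url)


def verify_tarball(keyring: str, signature: str, tarball: str) -> bool:
    """Trust ONLY the pinned keyring (path must contain a slash, or gpgv
    looks in ~/.gnupg); any bad or unknown-key signature exits non-zero."""
    result = subprocess.run(["gpgv", "--keyring", keyring, signature, tarball],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


if __name__ == "__main__":
    opts = parse_opts(WATCH_OPTS)
    url = "http://libav.org/releases/libav-9.8.tar.xz"
    print(upstream_to_debian_version(opts, "10_beta1"))  # 10~beta1 (sample)
    print(signature_url(opts, url))  # http://libav.org/releases/libav-9.8.tar.xz.asc
```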
