Package: maint-guide
Version: 1.2.31
Severity: normal
Tags: patch
Since devscripts 2.13.3 (see #610712), uscan has supported the ability
to automatically verify upstream's cryptographic signatures if the
signing key and the URL to the signature are well-known.
The maint-guide should recommend that package maintainers regularly
verify these signatures for new versions, and mention the files used.
A proposed patch for maint-guide is attached.
Regards,
--dkg
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.11-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
maint-guide depends on no packages.
maint-guide recommends no packages.
Versions of packages maint-guide suggests:
ii debian-policy 3.9.5.0
pn developers-reference <none>
ii devscripts 2.13.8
pn dh-make <none>
pn doc-base <none>
ii dput-ng [dput] 1.7
ii dupload 2.7.0
ii fakeroot 1.18.4-2
ii lintian 2.5.20
pn pbuilder <none>
ii quilt 0.60-10
-- debconf-show failed
Index: maint-guide.en.dbk
===================================================================
--- maint-guide.en.dbk (revision 10346)
+++ maint-guide.en.dbk (working copy)
@@ -3902,7 +3902,47 @@
<literal>&sf-net;/<replaceable>project</replaceable>/<replaceable>tar-name</replaceable>-(.+)\.tar\.gz</literal>.
This solves issues related to periodically changing SourceForge URLs.
</para>
+<para>If upstream offers cryptographic signatures of their tarballs in
+a detached file with a similar name to the tarball, you can identify
+the tarball using the <literal>pgpsigurlmangle</literal> option.
+</para>
+<para>
+For example, enigmail source tarballs are signed with a detached
+signature named the same as the tarball, but with a
+<filename>.asc</filename> suffix. So enigmail's
+<filename>debian/watch</filename> file looks like:
+</para>
+<screen>
+version=3
+opts=pgpsigurlmangle=s/$/.asc/ http://enigmail.mozdev.org/download/source.php.html .*/enigmail-([\d\.]*).tar.gz
+</screen>
+<para>
+You'll also want to indicate which key(s) you expect upstream to use
+to sign their source code with in <xref
+linkend="upstreamsigningkey"/>.
+</para>
</section>
+<section id="upstreamsigningkey"><title><filename>upstream-signing-key.pgp</filename></title>
+<para>
+If the package's upstream developers use an OpenPGP key to sign their
+releases, you probably want to verify those signatures, and make sure
+they come from the right people. You can do this by exporting the
+signing key (or keys) used by upstream into
+<filename>debian/upstream-signing-key.pgp</filename>, as a standard
+OpenPGP keyring.
+</para>
+<para>
+For example, if you know that the upstream signs their releases with a
+key with fingerprint 0123456789ABCDEF0123456789ABCDEF01234567, you
+could do:
+</para>
+<screen>
+gpg --export 0123456789ABCDEF0123456789ABCDEF01234567 > debian/upstream-signing-key.pgp
+</screen>
+<para>
+This can be used by <command>uscan</command> as described in <xref linkend="watch"/>.
+</para>
+</section>
<section id="sourcef"><title><filename>source/format</filename></title>
<para>
In the <filename>debian/source/format</filename> file, there should be a single
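Review bot: the sentence "you can identify the tarball using the <literal>pgpsigurlmangle</literal> option" in the first added paragraph has the roles reversed: the tarball is already identified by the watch pattern, and pgpsigurlmangle is a sed-style substitution that turns the tarball's URL into the URL of its detached signature, so something like "you can tell uscan where to find the signature with the <literal>pgpsigurlmangle</literal> option" is what the following enigmail example actually shows. Two smaller points: in the enigmail watch line the dots in `.tar.gz` are unescaped and therefore match any character, unlike the `\.tar\.gz` in the SourceForge pattern just above in the context; `\.tar\.gz` would be consistent. In the new upstreamsigningkey section the reader is told to export a key by fingerprint but not where a trustworthy fingerprint comes from; one sentence saying to obtain and confirm it out of band (upstream's website or release announcements, or a key certified by someone the maintainer trusts) rather than by key-server search closes that gap, since the keyring is what all later uscan checks trust. Optionally, `gpg --export-options export-minimal --export ...` keeps the shipped keyring free of third-party certifications.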
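The report relies on uscan knowing two things: which file on the download page is the tarball, and how to derive the detached signature's URL from it via pgpsigurlmangle. The following script is an added example, not part of the bug report and not uscan's own code; it parses a version-3 watch file, matches a download link against the pattern, and applies the sed-style mangle rule to get the signature URL, so a maintainer can check a rule offline before relying on it. The watch text is constructed after the enigmail example in the patch, only `s///` rules are handled, and nothing is downloaded or passed to gpg.

```python
import re

# Constructed sample watch file, modelled on the enigmail example in the
# proposed patch (continuation lines added); it is not enigmail's real file.
SAMPLE_WATCH = r"""
# comment lines and blank lines are ignored
version=3
opts=pgpsigurlmangle=s/$/.asc/ \
  http://enigmail.mozdev.org/download/source.php.html \
  .*/enigmail-([\d\.]*).tar.gz
"""


def parse_sed_subst(rule):
    """Split a sed-style 's<d>pattern<d>replacement<d>flags' rule into parts.

    Only 's' rules are handled, the form pgpsigurlmangle rules take.
    A backslash-escaped delimiter is unescaped; every other backslash
    sequence is kept verbatim so regex escapes such as \. survive.
    """
    if len(rule) < 2 or rule[0] != "s":
        raise ValueError("not a substitution rule: %r" % rule)
    delim = rule[1]
    parts, cur, i = [], [], 2
    while i < len(rule):
        ch = rule[i]
        if ch == "\\" and i + 1 < len(rule):
            nxt = rule[i + 1]
            cur.append(nxt if nxt == delim else ch + nxt)
            i += 2
            continue
        if ch == delim:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    if len(parts) != 3:
        raise ValueError("malformed substitution rule: %r" % rule)
    return tuple(parts)


def apply_mangle(rule, text):
    """Apply one s/// rule to text as sed would: first match unless 'g'.

    Simplification: \1-style group references work via re.sub, but sed's
    '&' (whole match) is not translated.
    """
    pattern, repl, flags = parse_sed_subst(rule)
    count = 0 if "g" in flags else 1
    re_flags = re.IGNORECASE if "i" in flags else 0
    return re.sub(pattern, repl, text, count=count, flags=re_flags)


def parse_watch(text):
    """Parse a version-3 debian/watch file into {'version': n, 'entries': [...]}.

    Lines ending in a backslash are joined. Each entry is a dict with
    'opts' (option name -> value), 'url' and 'pattern'. Options are split
    on commas, so a mangle rule containing a comma is not supported here.
    """
    version, entries, logical = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            logical.append(line[:-1].strip())
            continue
        logical.append(line)
        full = " ".join(logical)
        logical = []
        if full.startswith("version="):
            version = int(full.split("=", 1)[1])
            continue
        tokens = full.split()
        opts = {}
        if tokens[0].startswith("opts="):
            raw_opts = tokens.pop(0)[len("opts="):].strip('"')
            for item in raw_opts.split(","):
                name, _, value = item.partition("=")
                opts[name] = value
        if len(tokens) < 2:
            raise ValueError("watch entry needs a URL and a pattern: %r" % full)
        entries.append({"opts": opts, "url": tokens[0], "pattern": tokens[1]})
    return {"version": version, "entries": entries}


def match_version(entry, href):
    """Return the upstream version captured by the entry's pattern, or None."""
    m = re.fullmatch(entry["pattern"], href)
    return m.group(1) if m and m.groups() else None


def signature_url_for(entry, tarball_url):
    """Derive the detached-signature URL uscan would fetch, or None when the
    entry has no pgpsigurlmangle option (then no verification can happen)."""
    rule = entry["opts"].get("pgpsigurlmangle")
    return None if rule is None else apply_mangle(rule, tarball_url)


if __name__ == "__main__":
    entry = parse_watch(SAMPLE_WATCH)["entries"][0]
    href = "http://enigmail.mozdev.org/download/enigmail-1.6.tar.gz"
    print("version:  ", match_version(entry, href))
    print("signature:", signature_url_for(entry, href))
```

Run it as-is to see the enigmail case; to vet your own package, replace `SAMPLE_WATCH` with the contents of `debian/watch` and `href` with a link copied from the upstream download page. A `None` from `signature_url_for` means the watch file carries no mangle rule and uscan has nothing to verify against the keyring.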