2017-02-26 12:07 GMT+02:00 Mattia Rizzolo <mat...@debian.org>:
> Control: tag -1 moreinfo
>
> On Sat, Feb 25, 2017 at 01:04:54PM +0000, Martin-Éric Racine wrote:
>> It appears that debian-watch-may-check-gpg-signature generates false
>> positives.
>>
>> On src:cups-pdf Lintian reports debian-watch-may-check-gpg-signature
>> yet upstream does not publish any GPG signature. However, upstream
>> does publish foo.tar.gz.md5 checksums.
>
> lintian has no knowledge, nor has any way to know that a given upstream
> publish gpg signatures…

On what basis does it report the error then?

> the problem is that your watch file does not check for a gpg signature,
> exactly as the tag says. And as the tag description says:

It does not check for it because upstream does not provide any.

> N: If upstream distributions provide such signatures, please use the
> N: pgpsigurlmangle options in this watch file's opts= to generate the URL
> N: of an upstream GPG signature. This signature is automatically
> N: downloaded and verified against a keyring stored in
> N: debian/upstream/signing-key.asc.
>
> (instead of pgpsigurlmangle you can use pgpmode=auto if uscan is clever
> enough for this case)
>
> does this solve your issue?

No, it does not. Adding a pgpurlmangle option won't magically make
upstream produce GPG signatures.

Martin-Éric