On Mon, May 11, 2026 at 06:00:59PM +0200, Agustin Martin wrote:
> On Mon, 20 Apr 2026 at 0:55, Agustin Martin (<[email protected]>)
> wrote:
> >
> > On Sat, Oct 18, 2025 at 11:26:15PM -0700, Otto Kekäläinen wrote:
> > > What about having one template GitHub with no signature checking (the
> > > one now, as it can't do either git tag signatures nor detached
> > > signatures), and then one GitHubSignedTags and one
> > > GitHubSignedReleases?
> >
> > Hi,
> >
> > I have been recently playing with signed stuff and the Github template, and
> > it seems that things are more diverse than I expected. So, it is unclear to me
> > that a separate GitHubSignedTags template is going to be as useful as
> > expected.
> >
> > In particular, I played with [#1120727 devscripts: watch 5 support for
> > github libarchive] and, apart from a code reorganization to make things
> > easier for me, required changes to the Github template were not that drastic.
> > However, that did not help with #1118381 or 1118383.
>
> Did not reach something general working for detached signatures in
> both maria-db and libarchive, but wrote something that can help with
> 'mode=git' and 'pgpmode=gittag'. I am attaching the current result of
> my tests as a proof of concept.

Hi,

I have opened a MR with this part, stripped of things not directly related
(and fixed, as the original file was buggy),

https://salsa.debian.org/debian/devscripts/-/merge_requests/649

Regarding detached signatures, I have been looking at some packages, and it
seems that there are at least two layouts: one is what happens with
libarchive, and the other what happens with maria-db (maybe with variants),
but I did not go into details, so it may be more complex.

As previously commented, I would suggest a new Github.pm local property,
"Detached-Signature", where values for defined layouts trigger different
behaviors.

Currently I have only made it work for libarchive (and only for
'Release-Only: yes'), which seems to be the more frequent case: from the api
page there is a pointer to the tarball and the signed tarball in the same
assets page and with full package-version.ext{.sigext}. Names for this case
are welcome, I thought about "namedboth".

Hope this helps,

--
Agustin

