On 07/03/26 1:03 pm, Simon Josefsson wrote:
> Package: lintian
> Version: 2.122.0
>
> Hi!
>
> It seems orig-tarball-missing-upstream-signature is enabled at Warning
> severity level when debian/upstream/signing-key.asc exists but there is
> no *.asc PGP tarball signature, see lintian complaint below.
>
> However 'ding-libs' is using upstream git as the source, and upstream
> uses PGP signed tags, as explained by debian/watch:
>
> Version: 5
> Source: https://github.com/SSSD/ding-libs.git
> Matching-Pattern: refs/tags/@ANY_VERSION@
> Mode: git
> Pgpmode: gittag
>
> For that PGP git tag verification to work, a PGP key is needed, and I
> believe uscan and other tools use debian/upstream/signing-key.asc for
> verifying PGP-signed git tags, and have done so for a long time now.
>
> Thus, I think orig-tarball-missing-upstream-signature should be modified
> to not trigger, at least not at warning level, when PGP-signed git tags
> are used.
>
> I did not see PGP-signed git tags discussed in #954743 and #872864 but
> could have missed it, so I think this is a somewhat different situation

That is already the case, lintian checks for "Pgp-Mode: gittag" and does
not emit it for the same. Pgp-Mode is documented in d/watch manpage[1].

Your package uses "Pgpmode: gittag" which is either wrong or not documented
in the manpage. Do you know if it's the latter case? If so, I will add this.

[1] https://manpages.debian.org/experimental/devscripts/debian-watch.5.en.html