Nilesh Patra <[email protected]> writes:

> On 07/03/26 1:03 pm, Simon Josefsson wrote:
>> Package: lintian
>> Version: 2.122.0
>> 
>> Hi!
>> 
>> It seems orig-tarball-missing-upstream-signature is enabled at Warning
>> severity level when debian/upstream/signing-key.asc exists but there is
>> no *.asc PGP tarball signature, see lintian complaint below.
>> 
>> However 'ding-libs' is using upstream git as the source, and upstream
>> uses PGP signed tags, as explained by debian/watch:
>> 
>> Version: 5
>> Source: https://github.com/SSSD/ding-libs.git
>> Matching-Pattern: refs/tags/@ANY_VERSION@
>> Mode: git
>> Pgpmode: gittag
>> 
>> For that PGP git tag verification to work, a PGP key is needed, and I
>> believe uscan and other tools use debian/upstream/signing-key.asc for
>> verifying PGP-signed git tags, and have done so for a long time now.
>> 
>> Thus, I think orig-tarball-missing-upstream-signature should be modified
>> to not trigger, at least not at warning level, when PGP-signed git tags
>> are used.
>> 
>> I did not see PGP-signed git tags discussed in #954743 and #872864 but
>> could have missed it, so I think this is a somewhat different situation
>
> That is already the case, lintian checks for "Pgp-Mode: gittag" and does
> not emit it for the same. Pgp-Mode is documented in d/watch manpage[1].
>
> Your package uses "Pgpmode: gittag" which is either wrong or not documented
> in the manpage. Do you know if it's the latter case? If so, I will add this.

D'uh!  Thank you for spotting that.  This is cut'n'paste code, so I'm
pretty sure this was coming from some other package.

Uscan seems to be performing PGP verification here, snippet from
complete output below:

uscan info:  => Package is up to date from:
             => https://github.com/SSSD/ding-libs.git refs/tags/0.7.0
uscan info:  => Forcing download as requested
uscan info: Downloading and overwriting existing file: ding-libs-0.7.0.tar.xz
uscan info: Successfully downloaded package: ding-libs-0.7.0.tar.xz
gpgv: Signature made Mon Mar  2 11:50:45 2026 CET
gpgv:                using RSA key 930201AAB42DD1947210B7838D7326351A726211
gpgv: Good signature from "Alexey Tikhonov <[email protected]>"
uscan info: New orig.tar.* tarball version (oversionmangled): 0.7.0

So presumably uscan supports 'Pgpmode:' too.

I confirmed that changing debian/watch to 'Pgp-Mode: gittag' silenced
lintian.

I still get the warning with 'Pgp-mode: gittag'.  Is the header supposed
to be case sensitive?

/Simon

jas@frallan:~/dpkg/ding-libs$ uscan -ddd -v
uscan info: Scan watch files in .
uscan info: Check debian/watch and debian/changelog in .
uscan info: package="ding-libs" version="0.7.0-1~exp2" (as seen in debian/changelog)
uscan info: package="ding-libs" version="0.7.0" (no epoch/revision)
uscan info: ./debian/changelog sets package="ding-libs" version="0.7.0"
uscan info: Found upstream signing keyring: debian/upstream/signing-key.asc
uscan info: Process watch file at: debian/watch
    package = ding-libs
    version = 0.7.0
    pkg_dir = .
uscan info: Parsing mode: git
uscan info: Parsing pgpmode: gittag
uscan info: Last orig.tar.* tarball version (from debian/changelog): 0.7.0
uscan info: Last orig.tar.* tarball version (dversionmangled): 0.7.0
uscan warn: Using up remote origin
uscan info: Execute: git show-ref
uscan info: Found the following matching refs:
     refs/tags/0.7.0 (0.7.0)
     refs/tags/0.6.2 (0.6.2)
     refs/tags/0.6.1 (0.6.1)
     refs/tags/0.6.0 (0.6.0)
     refs/heads/master ()
     refs/heads/upstream ()
     refs/remotes/dgit/dgit/rc-buggy ()
     refs/remotes/jas/master ()
     refs/remotes/jas/upstream ()
     refs/remotes/origin/HEAD ()
     refs/remotes/origin/master ()
     refs/remotes/origin/ubuntu ()
     refs/remotes/origin/ubuntu-xenial ()
     refs/remotes/origin/upstream ()
     refs/remotes/up/HEAD ()
     refs/remotes/up/ding_libs-0-1 ()
     refs/remotes/up/master ()
     refs/tags/archive/debian/0.6.2-4 ()
     refs/tags/archive/debian/0.7.0-1_exp0 ()
     refs/tags/archive/debian/0.7.0-1_exp1 ()
     refs/tags/archive/debian/0.7.0-1_exp2 ()
     refs/tags/collection-0_5_1 ()
     refs/tags/debian/0.1.3-2 ()
     refs/tags/debian/0.3.0.1-4 ()
     refs/tags/debian/0.4.0-1 ()
     refs/tags/debian/0.5.0-1 ()
     refs/tags/debian/0.6.0-1 ()
     refs/tags/debian/0.6.1-1 ()
     refs/tags/debian/0.6.1-2 ()
     refs/tags/debian/0.6.2-1 ()
     refs/tags/debian/0.6.2-2 ()
     refs/tags/debian/0.6.2-3 ()
     refs/tags/debian/0.6.2-4 ()
     refs/tags/debian/0.7.0-1_exp0 ()
     refs/tags/debian/0.7.0-1_exp1 ()
     refs/tags/debian/0.7.0-1_exp2 ()
     refs/tags/dhash-0_4_1 ()
     refs/tags/ding-libs-0.1.1 ()
     refs/tags/ding-libs-0.1.2 ()
     refs/tags/ding-libs-0.3.0.1-1 ()
     refs/tags/ding_libs-0_1_0 ()
     refs/tags/ding_libs-0_2_91 ()
     refs/tags/ding_libs-0_3_0 ()
     refs/tags/ding_libs-0_3_0_1 ()
     refs/tags/ding_libs-0_4_0 ()
     refs/tags/ini_config-0_6_1 ()
     refs/tags/path_utils-0_2_1 ()
     refs/tags/ref_array-0_1_1 ()
     refs/tags/split ()
     refs/tags/upstream/0.6.2 ()
     refs/tags/upstream/0.7.0 ()
uscan info: Looking at $base        = https://github.com/SSSD/ding-libs.git with
    $filepattern        = refs/tags/(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*)) found
    $newfile            = refs/tags/0.7.0
    $mangled_newversion = 0.7.0
    $newversion         = 0.7.0
    $lastversion        = 0.7.0
uscan info: Upstream URL(+tag) to download is identified as    https://github.com/SSSD/ding-libs.git refs/tags/0.7.0
uscan info: Filename (filenamemangled) for downloaded file: ding-libs-0.7.0.tar.xz
uscan info: Newest version of ding-libs on remote site is 0.7.0, local version is 0.7.0
uscan info:  => Package is up to date from:
             => https://github.com/SSSD/ding-libs.git refs/tags/0.7.0
uscan info:  => Forcing download as requested
uscan info: Downloading and overwriting existing file: ding-libs-0.7.0.tar.xz
uscan info: Successfully downloaded package: ding-libs-0.7.0.tar.xz
gpgv: Signature made Mon Mar  2 11:50:45 2026 CET
gpgv:                using RSA key 930201AAB42DD1947210B7838D7326351A726211
gpgv: Good signature from "Alexey Tikhonov <[email protected]>"
uscan info: New orig.tar.* tarball version (oversionmangled): 0.7.0
uscan info: Launch mk-origtargz with options:
   --package ding-libs --version 0.7.0 --compression default --directory .. --copyright-file debian/copyright ../ding-libs-0.7.0.tar.xz
Leaving ../ding-libs_0.7.0.orig.tar.xz where it is.
uscan info: New orig.tar.* tarball version (after mk-origtargz): 0.7.0
uscan info: Scan finished
jas@frallan:~/dpkg/ding-libs$ 
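
The spelling mismatch discussed in this message can be caught before upload with a small local check; the following is an added example, not part of the original message and not code from lintian or uscan. It treats 'Pgp-Mode' as the canonical spelling because that is the one the thread reports as silencing lintian; the names fold, parse_fields and check_pgp_mode are hypothetical, and the parser assumes deb822-style "Name: value" lines.

```python
import re

CANONICAL = "Pgp-Mode"  # spelling the thread reports as silencing lintian


def fold(name):
    """Fold case and hyphens so Pgpmode, Pgp-mode and Pgp-Mode compare equal."""
    return name.replace("-", "").lower()


def parse_fields(text):
    """Return (lineno, name, value) for each 'Name: value' field in a watch file."""
    fields = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # paragraph separator or comment
        if line[0] in " \t":
            if fields:  # continuation line: append to the previous field's value
                n, name, value = fields[-1]
                fields[-1] = (n, name, value + " " + line.strip())
            continue
        m = re.match(r"([^\s:]+):\s*(.*)$", line)
        if m:
            fields.append((lineno, m.group(1), m.group(2).strip()))
    return fields


def check_pgp_mode(text):
    """Flag every signature-mode field and whether its spelling is the canonical one."""
    findings = []
    for lineno, name, value in parse_fields(text):
        if fold(name) == fold(CANONICAL):
            status = "ok" if name == CANONICAL else "nonstandard-spelling"
            findings.append((lineno, name, value, status))
    return findings


# debian/watch from the message above, then two constructed variants.
WATCH_FROM_THREAD = """\
Version: 5
Source: https://github.com/SSSD/ding-libs.git
Matching-Pattern: refs/tags/@ANY_VERSION@
Mode: git
Pgpmode: gittag
"""
WATCH_FIXED = WATCH_FROM_THREAD.replace("Pgpmode:", "Pgp-Mode:")
WATCH_LOWER = WATCH_FROM_THREAD.replace("Pgpmode:", "Pgp-mode:")

if __name__ == "__main__":
    for label, text in [("thread", WATCH_FROM_THREAD), ("fixed", WATCH_FIXED), ("lower", WATCH_LOWER)]:
        print(label, check_pgp_mode(text))
```

The check only reports spelling; it does not decide whether the field name is meant to be case sensitive, which the message leaves as an open question.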
