This is an automated email from the git hooks/post-receive script. osamu pushed a commit to branch master in repository devscripts.
commit 91ce22128143634fa46423e735ecf5bd35c0bb55 Author: Osamu Aoki <[email protected]> Date: Fri Sep 29 22:45:29 2017 +0900 uscan: Correct information on the OpenPGP fingerprint etc. Closes: #877104 Signed-off-by: Osamu Aoki <[email protected]> --- debian/changelog | 2 ++ scripts/uscan.pl | 31 +++++++++++++++++++++---------- 2 files changed, 23 insertions(+), 10 deletions(-) diff --git a/debian/changelog b/debian/changelog index 31c02d9..a67f435 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,6 +11,8 @@ devscripts (2.17.11) UNRELEASED; urgency=medium bump dpkg-bev version to 1.18.19. Closes: #876024 * Removed Martin Zobel-Helas, Patrick Schoenfeld, and Benjamin Drung from Uploaders after asking them. + * Auto set --force-download when appropriate to prevent regression. + * Correct information on the OpenPGP fingerprint etc. Closes: #877104 [ Chris Lamb ] * reproducible-check: Match name on remote server. diff --git a/scripts/uscan.pl b/scripts/uscan.pl index e1bff3f..97bb4d0 100755 --- a/scripts/uscan.pl +++ b/scripts/uscan.pl 
@@ -1167,16 +1167,27 @@ See mk-origtargz(1). =head1 KEYRING FILE EXAMPLES Let's assume that the upstream "B<< uscan test key (no secret) -<[email protected]> >>" signs its package and publishes its public key -fingerprint 'B<CF21 8F0E 7EAB F584 B7E2 0402 C77E 2D68 7254 3FAF>' which you -know is the trusted one. - -Please note that the short keyid B<72543FAF> is the last 4 Bytes, the long -keyid B<C77E2D6872543FAF> is the last 8 Bytes, and the finger print is the last -20 Bytes of the public key in hexadecimal form. Considering the existence of -the collision attack on the short keyid, the use of the long keyid is -recommended for receiving keys from the public key servers. You must verify -the downloaded OpenPGP key using its fingerprint. +<[email protected]> >>" signs its package with a secret OpenPGP key and publishes +the corresponding public OpenPGP key. This public OpenPGP key can be +identified in 3 ways using the hexadecimal form. + +=over + +=item * The fingerprint as the 20 byte data calculated from the public OpenPGP +key. E. g., 'B<CF21 8F0E 7EAB F584 B7E2 0402 C77E 2D68 7254 3FAF>' + +=item * The long keyid as the last 8 byte data of the fingerprint. E. g., +'B<C77E2D6872543FAF>' + +=item * The short keyid is the last 4 byte data of the fingerprint. E. g., +'B<72543FAF>' + +=back + +Considering the existence of the collision attack on the short keyid, the use +of the long keyid is recommended for receiving keys from the public key +servers. You must verify the downloaded OpenPGP key using its full fingerprint +value which you know is the trusted one. The armored keyring file F<debian/upstream/signing-key.asc> can be created by using the B<gpg> (or B<gpg2>) command as follows. -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git _______________________________________________ devscripts-devel mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
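Review bot: In the debian/changelog hunk, the added entry "Auto set --force-download when appropriate to prevent regression." has no matching change in this commit. The diffstat lists only debian/changelog and scripts/uscan.pl, and the uscan.pl hunk touches only the KEYRING FILE EXAMPLES documentation. Move that entry into the commit that changes the --force-download behaviour, so that this commit carries just the "Correct information on the OpenPGP fingerprint etc. Closes: #877104" line its message describes.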
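Review bot: In the scripts/uscan.pl hunk, the closing paragraph still recommends the long keyid for receiving keys from the public key servers and only afterwards requires a check against the full fingerprint. Since the reader is assumed to know the trusted fingerprint already, the text could recommend requesting the key by that full fingerprint (gpg accepts a fingerprint when receiving keys) and keep the verification sentence as it is. The three =item entries are also inconsistent: the first two read "as the ..." while the third reads "The short keyid is the last 4 byte data". Pick one construction for all three, and write "E. g.," as "e.g.,".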
