Hi, I know I wrote code to check signature after decompression.

On Tue, Jan 23, 2018 at 10:46:55AM -0800, Vagrant Cascadian wrote:
> On 2018-01-23, Osamu Aoki wrote:
> > I am in a good mood to do my user support duty :-) So let me show. ...
> > The obvious way is to read the manpage of uscan. ... many ways but
> > something along
>
> I've read the uscan manpage quite a number of times, but even after
> using uscan for well over a decade and reading the manpage many times
> over the years, nothing really comes across as obvious. So there's a
> difference between reading the fine manual and comprehending
> it.

Please note the manpage had a major rewrite for the recent upload. The old one certainly doesn't have such. Also, signature checking is a fairly new feature.

> Fortunately, It's one of those things I get working once for a package
> and infrequently need to update it, so that's good.

Same here. I got sick of reading a very difficult manpage. So I rewrote it.

> And yet...
>
> > version=4
> > opts="pgpmode=mangle, pgpsigurlmangle=s%tar\..z$%tar\.sign%" \
> > https://www.kernel.org/pub/software/utils/dtc/ \
> > @PACKAGE@@ANY_VERSION@@ARCHIVE_EXT@ \
> > debian uupdate
>
> Thanks for the suggestion...

Of course, I don't remember everything I did to uscan. So if it fails, RTFM I wrote when I remember how I implemented :-).

> with debian/watch:
>
> version=4
> opts="pgpmode=mangle, pgpsigurlmangle=s%tar\..z$%tar\.sign%" \
> https://www.kernel.org/pub/software/utils/dtc/ \
> dtc-@ANY_VERSION@@ARCHIVE_EXT@ \
> debian uupdate
>
> Using @PACKAGE@ didn't work because of upstream is named differently
> (device-tree-compiler vs. dtc).
>
> But even with that fixed/worked around:
>
> uscan: Newest version of device-tree-compiler on remote site is 1.4.6,
> local version is 1.4.5
> uscan: => Newer package available from
> https://www.kernel.org/pub/software/utils/dtc/dtc-1.4.6.tar.xz
> gpgv: Signature made Tue Jan 2 22:12:20 2018 PST
> gpgv: using RSA key
> 75F46586AE61A66CC44E87DC6C38CACA20D9B392
> gpgv: BAD signature from "David Gibson <[email protected]>"
> uscan die: OpenPGP signature did not verify.

can see there is another option described in manpage:

  decompress
      Decompress compressed archive before the pgp/gpg signature
      verification.

So the correct answer is:

version=4
opts="pgpmode=mangle, \
 pgpsigurlmangle=s%tar\..z$%tar\.sign%, decompress" \
https://www.kernel.org/pub/software/utils/dtc/ \
dtc-@ANY_VERSION@@ARCHIVE_EXT@ \
debian uupdate

Please also take care of the keyring by reading KEYRING FILE EXAMPLES.

Regards,

Osamu
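
Added example, not part of the original message and not uscan's code: a stdlib-only Python model of why the check fails without `decompress`. The mangled signature URL ends in `.tar.sign`, a detached signature over the uncompressed tarball, so verifying it against the downloaded `.tar.xz` bytes cannot succeed. HMAC-SHA256 stands in for OpenPGP/gpgv, and the key, tarball contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import io
import lzma
import re
import tarfile

# Constructed stand-in for the upstream key; uscan really calls gpgv with a keyring.
DEMO_KEY = b"constructed-demo-key"


def mangle_sig_url(url, rule):
    """Apply a sed-style s<delim>pattern<delim>replacement<delim> rule to a URL."""
    _, pattern, replacement, _flags = rule.split(rule[1])
    literal = re.sub(r"\\(.)", r"\1", replacement)  # "\." in the replacement is "."
    return re.sub(pattern, lambda m: literal, url)


def build_tar():
    """Build a small constructed tarball in memory (sample upstream release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"constructed sample source\n"
        info = tarfile.TarInfo("dtc-1.4.6/README")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sign(data):
    """Stand-in detached signature over the exact bytes given."""
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


def verify(data, signature, decompress=False):
    """Check the signature, optionally over the decompressed bytes."""
    if decompress:
        data = lzma.decompress(data)
    return hmac.compare_digest(sign(data), signature)


def demo():
    tar_bytes = build_tar()
    signature = sign(tar_bytes)          # signature covers the uncompressed .tar
    download = lzma.compress(tar_bytes)  # what uscan fetches: the .tar.xz
    return verify(download, signature), verify(download, signature, decompress=True)


if __name__ == "__main__":
    url = "https://www.kernel.org/pub/software/utils/dtc/dtc-1.4.6.tar.xz"
    print(mangle_sig_url(url, r"s%tar\..z$%tar\.sign%"))
    print(demo())
```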
