On Fri, Feb 23, 2018 at 12:23:34PM +0000, Teus Benschop wrote:
>    While trying to sign the commits and the tags, I have learned that it is
>    important to make gpg-agent remember the passphrase for the private key.
>    If gpg-agent is not able to provide the passphrase, then signing the tags
>    fails while running "gbp import-orig" for importing a new upstream
>    tarball.
>    After fixing the above, I fail to make "gbp import-orig" to sign its
>    commits. It does sign the tags, but not the commits.

Hi Teus,

It appears that 'gbp import-orig' can sign tags but cannot sign commits.
That is surprising to me, but given that it seems to be a limitation of
the tool, I think that it is OK. The way that tagging in Git works, it
would not be possible to retroactively change the history leading to a
tagged commit without also altering the tag. Based on that, signing the
tag when importing a new .orig.tar.gz is sufficient.

The configuration you have for signing individual commits looks correct
and should lead to every commit you make on master being signed, which
is what we want.

Regards,

-Roberto

-- 
Roberto C. Sánchez

_______________________________________________
Pkg-crosswire-devel mailing list
Pkg-crosswire-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-crosswire-devel

Reply via email to