Re: [Pkg-crosswire-devel] First upload - signing
While trying to sign the commits and the tags, I have learned that it is important to make gpg-agent remember the passphrase for the private key. If gpg-agent is not able to provide the passphrase, then signing the tags fails while running "gbp import-orig" for importing a new upstream tarball. After fixing the above, I fail to make "gbp import-orig" to sign its commits. It does sign the tags, but not the commits. Here is the series of commands about signing the commits: teus@sid:~/bibledit-gtk$ gbp import-orig --pristine-tar --sign-tags ../bibledit-*.tar.gz What is the upstream version? [5.0.449] gbp:info: Importing '../bibledit-5.0.449.tar.gz' to branch 'upstream'... gbp:info: Source package is bibledit gbp:info: Upstream version is 5.0.449 gbp:info: Replacing upstream source on 'master' gbp:info: Successfully imported version 5.0.449 of ../bibledit-5.0.449.tar.gz Signing the tags works okay: teus@sid:~/bibledit-gtk$ git show upstream/5.0.449 tag upstream/5.0.449 Tagger: Teus BenschopDate: Fri Feb 23 13:10:24 2018 +0100 Upstream version 5.0.449 -BEGIN PGP SIGNATURE- iQIzBAABCgAdFiEEher+5c8s1QBza9jekwIrrQVjpR0FAlqQBLAACgkQkwIrrQVj pR2mLg//R2/BmXwA4AQmEqCN844SjGdR9VEPTt6Wu/vzubMhfHtgk2Zf0DAU1xjA 3JX+RJJme66nUt+0jQODrmlHB5ED63W5TfKpt5J31jI7Dl1m2RPXOKo3mdyTHD2U dPWlbXY7s//07rEMwYvkEZ/+vxOQT7NxqZvXvIZwzIkrp42bJDngHMXjS3RLo4uS Signing the commits does not work: teus@sid:~/bibledit-gtk$ git log --show-signature -2 commit 609c8a0da7030777bb5d36d15fe83ccb23bd8694 (HEAD -> master) Merge: e795fa5 158dd38 Author: Teus Benschop Date: Fri Feb 23 13:10:24 2018 +0100 Update upstream source from tag 'upstream/5.0.449' Update to upstream version '5.0.449' with Debian dir cfe557425889462d9d747127d21de1e0a06ac832 commit 158dd385a6abc58dadb8e37a983f4da2525fa2ae (tag: upstream/5.0.449, upstream) Author: Teus Benschop Date: Fri Feb 23 13:06:35 2018 +0100 New upstream version 5.0.449 Yet, git has been configured to sign commits: teus@sid:~/bibledit-gtk$ git config --global commit.gpgsign true teus@sid:~/bibledit-gtk$ git config commit.gpgsign true teus@sid:~/bibledit-gtk$ It is possible to amend the last commit and sign it: git commit -S --amend But I cannot amend the one-but-last commit, so that commit is left unsigned. What would be the a correct way to fix this? ___ Pkg-crosswire-devel mailing list Pkg-crosswire-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-crosswire-devel
Re: [Pkg-crosswire-devel] First upload - signing
On Fri, Feb 23, 2018 at 12:23:34PM +, Teus Benschop wrote: >While trying to sign the commits and the tags, I have learned that it is >important to make gpg-agent remember the passphrase for the private key. >If gpg-agent is not able to provide the passphrase, then signing the tags >fails while running "gbp import-orig" for importing a new upstream >tarball. >After fixing the above, I fail to make "gbp import-orig" to sign its >commits. It does sign the tags, but not the commits. Hi Teus, It appears that 'gbp import-orig' can sign tags but cannot sign commits. That is surprising to me, but given that it seems to be a limitation of the tool, I think that it is OK. The way that tagging in Git works, it would not be possible to retroactively change the history leading to a tagged commit without also altering the tag. Based on that, signing the tag when importing a new .orig.tar.gz is sufficient. The configuration you have for signing individual commits looks correct and should lead to every commit you make on master being signed, which is what we want. Regards, -Roberto -- Roberto C. Sánchez ___ Pkg-crosswire-devel mailing list Pkg-crosswire-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-crosswire-devel
Re: [Pkg-crosswire-devel] First upload - signing
On Fri, 23 Feb 2018 at 14:01 Roberto C. Sánchezwrote: > [...] Based on that, signing the > tag when importing a new .orig.tar.gz is sufficient. > > > Thank you for the information. This information opens the way forward to proceed with this. I had tried a lot of things to make "gbp import-orig" to sign the commits too, but none of that worked, and I was about to include a ".gitconfig" with the original tarball, if that would help, but won't proceed this way anymore. ___ Pkg-crosswire-devel mailing list Pkg-crosswire-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-crosswire-devel