Re: [Pkg-crosswire-devel] First upload - signing

2018-02-23 Thread Teus Benschop
While trying to sign the commits and the tags, I have learned that it is
important to make gpg-agent remember the passphrase for the private key. If
gpg-agent is not able to provide the passphrase, then signing the tags
fails while running "gbp import-orig" for importing a new upstream tarball.

After fixing the above, I fail to make "gbp import-orig" sign its
commits. It does sign the tags, but not the commits.

Here is the series of commands about signing the commits:


teus@sid:~/bibledit-gtk$ gbp import-orig --pristine-tar --sign-tags ../bibledit-*.tar.gz
What is the upstream version? [5.0.449]
gbp:info: Importing '../bibledit-5.0.449.tar.gz' to branch 'upstream'...
gbp:info: Source package is bibledit
gbp:info: Upstream version is 5.0.449
gbp:info: Replacing upstream source on 'master'
gbp:info: Successfully imported version 5.0.449 of ../bibledit-5.0.449.tar.gz


Signing the tags works okay:

teus@sid:~/bibledit-gtk$ git show upstream/5.0.449
tag upstream/5.0.449
Tagger: Teus Benschop 
Date:   Fri Feb 23 13:10:24 2018 +0100

Upstream version 5.0.449
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEher+5c8s1QBza9jekwIrrQVjpR0FAlqQBLAACgkQkwIrrQVj
pR2mLg//R2/BmXwA4AQmEqCN844SjGdR9VEPTt6Wu/vzubMhfHtgk2Zf0DAU1xjA
3JX+RJJme66nUt+0jQODrmlHB5ED63W5TfKpt5J31jI7Dl1m2RPXOKo3mdyTHD2U
dPWlbXY7s//07rEMwYvkEZ/+vxOQT7NxqZvXvIZwzIkrp42bJDngHMXjS3RLo4uS


Signing the commits does not work:

teus@sid:~/bibledit-gtk$ git log --show-signature -2
commit 609c8a0da7030777bb5d36d15fe83ccb23bd8694 (HEAD -> master)
Merge: e795fa5 158dd38
Author: Teus Benschop 
Date:   Fri Feb 23 13:10:24 2018 +0100

Update upstream source from tag 'upstream/5.0.449'

Update to upstream version '5.0.449'
with Debian dir cfe557425889462d9d747127d21de1e0a06ac832

commit 158dd385a6abc58dadb8e37a983f4da2525fa2ae (tag: upstream/5.0.449, upstream)
Author: Teus Benschop 
Date:   Fri Feb 23 13:06:35 2018 +0100

New upstream version 5.0.449


Yet, git has been configured to sign commits:

teus@sid:~/bibledit-gtk$ git config --global commit.gpgsign
true
teus@sid:~/bibledit-gtk$ git config commit.gpgsign
true
teus@sid:~/bibledit-gtk$


It is possible to amend the last commit and sign it:

git commit -S --amend

But I cannot amend the one-but-last commit, so that commit is left unsigned.

What would be a correct way to fix this?
___
Pkg-crosswire-devel mailing list
Pkg-crosswire-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-crosswire-devel

Re: [Pkg-crosswire-devel] First upload - signing

2018-02-23 Thread Roberto C . Sánchez
On Fri, Feb 23, 2018 at 12:23:34PM +, Teus Benschop wrote:
>While trying to sign the commits and the tags, I have learned that it is
>important to make gpg-agent remember the passphrase for the private key.
>If gpg-agent is not able to provide the passphrase, then signing the tags
>fails while running "gbp import-orig" for importing a new upstream
>tarball.
>After fixing the above, I fail to make "gbp import-orig" to sign its
>commits. It does sign the tags, but not the commits.

Hi Teus,

It appears that 'gbp import-orig' can sign tags but cannot sign commits.
That is surprising to me, but given that it seems to be a limitation of
the tool, I think that it is OK. The way that tagging in Git works, it
would not be possible to retroactively change the history leading to a
tagged commit without also altering the tag. Based on that, signing the
tag when importing a new .orig.tar.gz is sufficient.

The configuration you have for signing individual commits looks correct
and should lead to every commit you make on master being signed, which
is what we want.

Regards,

-Roberto

-- 
Roberto C. Sánchez



Re: [Pkg-crosswire-devel] First upload - signing

2018-02-23 Thread Teus Benschop
On Fri, 23 Feb 2018 at 14:01 Roberto C. Sánchez wrote:

> [...] Based on that, signing the
> tag when importing a new .orig.tar.gz is sufficient.

Thank you for the information.
This information opens the way forward to proceed with this.
I had tried a lot of things to make "gbp import-orig" sign the commits
too, but none of that worked, and I was about to include a ".gitconfig"
with the original tarball, if that would help, but won't proceed this way
anymore.