Flexible I/O Tester development
* GPG signed release tarballs
@ 2016-05-24  9:52 Martin Steigerwald
  2016-05-24 15:22 ` Jens Axboe
  0 siblings, 1 reply; 2+ messages in thread
From: Martin Steigerwald @ 2016-05-24  9:52 UTC (permalink / raw)
  To: fio; +Cc: Jens Axboe

Hi Jens!

I wonder about a way to retrieve the source after checking upstream gpg 
signature. Do you provide those somewhere?

I don't see any on: http://brick.kernel.dk/snaps/ where I usually go for 
getting new upstream release tarball.


N: Processing source package fio (version 2.10-1, arch source) ...
P: fio source: debian-watch-may-check-gpg-signature
N: 
N:    This watch file does not include a means to verify the upstream tarball
N:    using cryptographic signature.
N:    
N:    If upstream distributions provide such signatures, please use the
N:    pgpsigurlmangle options in this watch file's opts= to generate the URL
N:    of an upstream GPG signature. This signature is automatically downloaded
N:    and verified against a keyring stored in
N:    debian/upstream/signing-key.asc.
N:    
N:    Of course, not all upstreams provide such signatures, but you could
N:    request them as a way of verifying that no third party has modified the
N:    code against their wishes after the release. Projects such as
N:    phpmyadmin, unrealircd, and proftpd have suffered from this kind of
N:    attack.
N:    
N:    Refer to the uscan(1) manual page for details.
N:    
N:    Severity: pedantic, Certainty: certain
N:    
N:    Check: watch-file, Type: source



* Re: GPG signed release tarballs
  2016-05-24  9:52 GPG signed release tarballs Martin Steigerwald
@ 2016-05-24 15:22 ` Jens Axboe
  0 siblings, 0 replies; 2+ messages in thread
From: Jens Axboe @ 2016-05-24 15:22 UTC (permalink / raw)
  To: Martin Steigerwald, fio

On 05/24/2016 03:52 AM, Martin Steigerwald wrote:
> Hi Jens!
>
> I wonder about a way to retrieve the source after checking upstream gpg
> signature. Do you provide those somewhere?
>
> I don't see any on: http://brick.kernel.dk/snaps/ where I usually go for
> getting new upstream release tarball.

I've added GPG signatures using my public key.

-- 
Jens Axboe



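The check the lintian note in this thread describes (a release tarball verified against the key kept in debian/upstream/signing-key.asc) can be reproduced by hand; the following is an added example, not code from the thread or from the fio project. It assumes the signature is a detached one and that the three paths passed to the hypothetical `verify_release` function are supplied by the caller; it uses only `gpg --dearmor` and `gpgv`.

```shell
#!/bin/sh
# Added example (not from the thread): check a release tarball against a
# detached signature using ONLY a pinned upstream key, similar in spirit to
# uscan's check against debian/upstream/signing-key.asc.
# All paths given to verify_release are the caller's (assumed) file names.

# verify_release TARBALL SIGNATURE PINNED_KEY
#   returns 0 only if SIGNATURE is a valid signature over TARBALL made by
#   a key contained in PINNED_KEY; any other outcome returns non-zero.
verify_release() {
    tarball=$1; sig=$2; key=$3
    for f in "$tarball" "$sig" "$key"; do
        [ -r "$f" ] || { echo "verify_release: cannot read $f" >&2; return 2; }
    done
    work=$(mktemp -d) || return 2
    # gpgv needs a binary keyring. Build it in a scratch GnuPG home so the
    # caller's own keyring and trust settings play no part in the decision.
    if ! gpg --homedir "$work" --batch --yes -o "$work/pinned.gpg" \
             --dearmor "$key" 2>/dev/null; then
        rm -rf "$work"
        return 2
    fi
    rc=0
    # gpgv consults only the keyring named here: a good signature from any
    # other key fails, and so does a good signature over modified data.
    gpgv --homedir "$work" --keyring "$work/pinned.gpg" \
         "$sig" "$tarball" 2>/dev/null || rc=$?
    rm -rf "$work"
    return "$rc"
}
```

Unlike `gpg --verify` run against a personal keyring, this fails closed when the signer is not the pinned key, which is the property the lintian hint is after.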
