Hi Xavier--

On Tue 2018-09-25 23:45:18 +0200, Xavier wrote:
> I just implemented a git-tag-signature-verify feature [1] to fix #827065:
> just to add "pgpmode=gittag" in opts.
> I think it fixes this issue too. If you agree, I'll merge it.

Thanks for this! I finally got around to testing out your changes, and I really like them. I'll be adopting this on all of my packages where upstream prefers signed git tags as a release mechanism.

I've opened https://salsa.debian.org/debian/devscripts/merge_requests/82 to clean up the git tag verification a little bit more :)

The one thing that's missing to close #871806 is the extraction of a git tag that can be shipped with (and verified against) Debian source tarballs, though. We currently do ship .asc files that correspond to signatures over the tarball. Do you see a way that we could ship something that would let a verification happen from just what we ship in Debian based on signatures extracted from the git tag?

    --dkg

