I'm packaging nix: https://nixos.org/releases/nix/latest
It releases 3 files:

nix-2.3.1.tar.xz.asc - which signs the .sha256
nix-2.3.1.tar.xz.sha256 - which contains the hash of the tarball
nix-2.3.1.tar.xz

I included upstream's gpg key in debian/upstream/signing-key.asc and thus get this lintian warning:
https://lintian.debian.org/tags/orig-tarball-missing-upstream-signature.html

Is it correct that this scheme is not (yet) supported by our tools?

Is there a good place (wiki.d.o?) to track the different signing schemes we find in the wild and discuss which to support? I understand that every new scheme probably needs changes at least to dpkg, pristine-tar and git-buildpackage.

Other schemes I found while searching:

- signature over uncompressed tarball: https://bugs.debian.org/882694
- signed git tags: https://bugs.debian.org/920763
- embedded in tar, never seen: https://www.gnu.org/software/swbis/sourcesign-1.2/gendocs/manual/sourcesign.html
- and in this email, signed hash files
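
The signed-hash-file scheme described in this message (a detached signature over the .sha256 file, which in turn carries the tarball's hash) is checked in two ordered steps. The sketch below is an added example, not part of the original email or of any Debian tool; the function names, the hash file layout (bare hex digest or sha256sum-style line) and the binary keyring produced with `gpg --dearmor` are assumptions.

```python
"""Verify a release where FILE.asc signs FILE.sha256 and FILE.sha256 names FILE's hash."""
import hashlib
import hmac
import os
import re
import subprocess
import sys

HEX64 = re.compile(r"[0-9a-fA-F]{64}")

def parse_sha256_file(text):
    """Accept a bare hex digest or a sha256sum-style 'digest  name' line (assumed layouts)."""
    fields = text.split()
    if not fields or not HEX64.fullmatch(fields[0]):
        raise ValueError("no SHA-256 hex digest found in hash file")
    return fields[0].lower()

def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def digest_matches(tarball, sha256_path):
    with open(sha256_path, encoding="ascii") as f:
        expected = parse_sha256_file(f.read())
    return hmac.compare_digest(expected, file_sha256(tarball))

def signature_ok(keyring, sig, signed_file):
    """gpgv exits 0 only for a good signature made by a key in the keyring."""
    # The keyring must be binary: gpg --dearmor < signing-key.asc > keyring.gpg
    # An absolute path stops gpgv from looking for the file in its home directory.
    cmd = ["gpgv", "--keyring", os.path.abspath(keyring), sig, signed_file]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def verify_release(keyring, tarball, check_sig=signature_ok):
    # Step 1: the signature covers the hash file, not the tarball itself.
    if not check_sig(keyring, tarball + ".asc", tarball + ".sha256"):
        return False
    # Step 2: only a hash file that passed step 1 may vouch for the tarball.
    return digest_matches(tarball, tarball + ".sha256")

if __name__ == "__main__":
    ok = verify_release(sys.argv[1], sys.argv[2])
    print("OK" if ok else "FAILED")
    sys.exit(0 if ok else 1)
```

A bare-digest hash file does not bind the tarball's file name, so the signature alone does not show which release a given digest belongs to.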