Hi, After all the discussion, Policy 4.1.0 goes as:
| 4.11. Optional upstream source location: debian/watch¶ | | This is an optional, recommended configuration file for the uscan | utility which defines how to automatically scan ftp or http sites for | newly available updates of the package. This is also used by some Debian | QA tools to help with quality control and maintenance of the | distribution as a whole. | | If the upstream maintainer of the software provides OpenPGP signatures | for new releases, including the information required for uscan to verify | signatures for new upstream releases is also recommended. To do this, | use the pgpsigurlmangle option in debian/watch to specify the location | of the upstream signature, and include the key or keys used to sign | upstream releases in the Debian source package as | debian/upstream/signing-key.asc. | | For more information about uscan and these options, including how to | generate the file containing upstream signing keys, see uscan. Please note few things which I failed to share: The current uscan supports both debian/upstream/signing-key.asc debian/upstream/signing-key.pgp Now, if debian/upstream/signing-key.asc is used, uscan converts it to <tmpdir>/signing-key.gpg by gpg for use with gpgv to check signature. (I think the same goes with dpkg-source). It looks extra CPU power waste but not a big deal. I do this conversion since no documentation mention keyring can be ascii armored for gpgv. The updated uscan will support debian/upstream/signing-key.asc only and internally convert it <tmpdir>/signing-key.gpg. I will make uscan to convert other formats to this policy compliant *.asc. Also make noise to the maintainer to push them to policy 4.1.0 Regards, Osamu