Control: tag -1 moreinfo

On Sat, Feb 25, 2017 at 01:04:54PM +0000, Martin-Éric Racine wrote:
> It appears that debian-watch-may-check-gpg-signature generates false
> positives.
>
> On src:cups-pdf Lintian reports debian-watch-may-check-gpg-signature
> yet upstream does not publish any GPG signature. However, upstream
> does publish foo.tar.gz.md5 checksums.

lintian has no knowledge, nor has any way to know that a given upstream
publishes gpg signatures…

> By the looks of it, debian-watch-may-check-gpg-signature checks for
> the presence of foo.tar.gz.* and reports a positive regardless of
> whether * indeed is a GPG signature or not.

How do you infer that?  I find the relevant code pretty clear:

|    $withgpgverification = 1
|        if /^pgpsigurlmangle\s*=\s*/;
|    $withgpgverification = 1
|        if /^pgpmode\s*=\s*(?!none\s*$)\S.*$/;
|....
|    tag 'debian-watch-may-check-gpg-signature' unless ($withgpgverification);

The problem is that your watch file does not check for a gpg signature,
exactly as the tag says.  And as the tag description says:

N:   If upstream distributions provide such signatures, please use the
N:   pgpsigurlmangle options in this watch file's opts= to generate the URL
N:   of an upstream GPG signature. This signature is automatically
N:   downloaded and verified against a keyring stored in
N:   debian/upstream/signing-key.asc.

(instead of pgpsigurlmangle you can use pgpmode=auto if uscan is clever
enough for this case)

Does this solve your issue?

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
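The check quoted in the message above, re-implemented in Python as an added example (not part of the original message and not lintian's own code), to show that the tag depends only on the watch file's options and never on which files upstream publishes. The two regular expressions are the ones quoted; the `opts=` parsing, the function names and the sample watch files are simplified assumptions constructed for illustration.

```python
import re

# The two patterns quoted from the lintian check in the message above.
PGPSIGURLMANGLE = re.compile(r"^pgpsigurlmangle\s*=\s*")
PGPMODE_NOT_NONE = re.compile(r"^pgpmode\s*=\s*(?!none\s*$)\S.*$")

def watch_options(watch_text):
    """Yield each option found in opts=... (simplified parsing, an assumption:
    options are split on commas, so mangle rules containing commas are not handled)."""
    joined = re.sub(r"\\\n", "", watch_text)  # join backslash-continued lines
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^opt(?:ion)?s\s*=\s*(?:"([^"]*)"|(\S+))', line)
        if m:
            opts = m.group(1) if m.group(1) is not None else m.group(2)
            for opt in opts.split(","):
                yield opt.strip()

def with_gpg_verification(watch_text):
    """True if any option asks uscan to verify an upstream signature."""
    return any(
        PGPSIGURLMANGLE.search(opt) or PGPMODE_NOT_NONE.search(opt)
        for opt in watch_options(watch_text)
    )

def emits_tag(watch_text):
    """Mirror of: tag '...' unless ($withgpgverification)."""
    return not with_gpg_verification(watch_text)

# Constructed sample watch files (example.org is a placeholder upstream).
PLAIN = r"""version=3
https://example.org/files/ foo-(.+)\.tar\.gz
"""
WITH_MANGLE = r"""version=3
opts=pgpsigurlmangle=s/$/.asc/ \
  https://example.org/files/ foo-(.+)\.tar\.gz
"""
MODE_NONE = r"""version=4
opts="pgpmode=none" https://example.org/files/ foo-(.+)\.tar\.gz
"""
MODE_AUTO = r"""version=4
opts="pgpmode=auto" https://example.org/files/ foo-(.+)\.tar\.gz
"""

if __name__ == "__main__":
    for name in ("PLAIN", "WITH_MANGLE", "MODE_NONE", "MODE_AUTO"):
        print(name, "tag emitted" if emits_tag(globals()[name]) else "no tag")
```

A watch file without either option gets the tag whether or not upstream ships `.md5` files, and an explicit `pgpmode=none` does not count as verification.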