On Tue, 29 Sep 2015 at 11:21:29 +0200, Paul Wise wrote: > For the uscan OpenPGP support to work, upstream needs to release > tarballs (using make distcheck), upload detached OpenPGP signatures > and debian/watch needs to contain an pgpsigurlmangle= option. The > github releases feature can be used to store the tarballs and detached > OpenPGP signatures.
Yes I know, I do that on dropbear already :-) Also in my first mail to upstream I asked them to consider publishing detached signatures along with the tarballs (although I didn't know it was possible to do it with GitHub). In the meantime I added d/upstream/signing-key.asc so the world can check signatures on upstream's Git tags against the same key that I use. Signed Git tags is so much better than no signature at all ;-) -- Guilhem.
signature.asc
Description: PGP signature
