ghost
commented
6 years ago If we start using versioned tarballs that are signed with PGP this is no longer needed.
Closed ghost closed 6 years ago
ghost
commented
6 years ago If we start using versioned tarballs that are signed with PGP this is no longer needed.
joostvb-gh
commented
6 years ago Indeed, publishing signed tarballs would fix this.
For Debian packages storing a keyring with the signer's public key in debian/upstream/signing-key.asc (by running something like: gpg --armor --export --export-options export-minimal 'fkooman' >signing-key.asc) and committing that in the git repo used for Debian packaging would solve it. Furthermore the pgpsigurlmangle option in debian/watch is needed; e.g.
opts="pgpsigurlmangle=s%$%.sig%"
or
opts="pgpsigurlmangle=s/$/.asc/"
.
At e.g. https://git.tuxed.net/fkooman/php-secookie/tag/?h=2.0.1 i see just
php-secookie-2.0.1.zip php-secookie-2.0.1.tar.gz php-secookie-2.0.1.tar.xz
Could you create https://git.tuxed.net/fkooman/php-secookie/snapshot/php-secookie-2.0.1.tar.xz.asc , and create similar ones for the other eduvpn software? Bye,
Joost
ghost
commented
6 years ago joostvb-gh
commented
6 years ago ok, php-secookie debian/watch is now fixed: it verifies. will work on other packages soonish.
joostvb-gh
commented
6 years ago debian packages for
php-json-signer php-oauth2-client php-oauth2-server php-openvpn-connection-manager php-saml-ds php-secookie php-yubitwee
are now fixed. now about to fix
vpn-admin-portal vpn-lib-common vpn-server-api vpn-server-node vpn-user-portal
.
joostvb-gh
commented
6 years ago This issue is no longer relevant; the underlying problem will get fixed cf issue nr 12.
now only a tag is used, but that's not really safe as tags can be changed. The RPM packages also use commits.