nicolargo / glances

Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems.
http://nicolargo.github.io/glances/

Add pgp signature for Debian packaging #460

Closed rverchere closed 9 years ago

rverchere commented 9 years ago

Hi,

when I package Glances for Debian, I have the following warning. Could you add pgp signature to your archive, making it authentic?

Thanks !

P: glances source: debian-watch-may-check-gpg-signature
N: 
N:    This watch file does not include a means to verify the upstream tarball
N:    using cryptographic signature.
N:    
N:    If upstream distributions provide such signatures, please use the
N:    pgpsigurlmangle options in this watch file's opts= to generate the URL
N:    of an upstream GPG signature. This signature is automatically downloaded
N:    and verified against a keyring stored in
N:    debian/upstream-signing-key.asc.
N:    
N:    Of course, not all upstreams provide such signatures, but you could
N:    request them as a way of verifying that no third party has modified the
N:    code against their wishes after the release. Projects such as
N:    phpmyadmin, unrealircd, and proftpd have suffered from this kind of
N:    attack.
N:    
N:    Refer to the uscan(1) manual page for details.
N:    
N:    Severity: pedantic, Certainty: certain
N:    
N:    Check: watch-file, Type: source
N: 
N: ----
nicolargo commented 9 years ago

Hi Remy,

do you have a procedure to follow in order to generate the key ?

Nicolas

rverchere commented 9 years ago

Hi,

You have an example here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732450

You need to create & publish your PGP key, then sign the tar.bz2 package with it. Then the Debian scripts will be able to verify your package.

nicolargo commented 9 years ago

Sign the tar.bz2 ????

rverchere commented 9 years ago

The tar.gz archive, sorry. To create the Debian package, I use the following "official" archive: https://github.com/nicolargo/glances/archive/v2.2.tar.gz

nicolargo commented 9 years ago

Ok, I will sign the next release with my PGP key:

PGP Fingerprint: 835F C447 3BCD 60E9 9200 2778 ABA4 D1AB 9731 6A3C
PGP Public key: gpg --keyserver pgp.mit.edu --recv-keys 0xaba4d1ab97316a3c
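The procedure rverchere describes (publish a key, sign the release tarball, let the Debian tooling verify it) as an added, self-contained example; this is not code from the glances project or the thread. It runs entirely in a throwaway GNUPGHOME with a constructed key and tarball, and the package name "example", the URLs and the watch-file pattern are placeholders.

```shell
#!/bin/sh
# Added example (not part of the glances project): the signing/verification
# flow the Debian packaging note asks for, run in a throwaway GNUPGHOME with
# a constructed key and a constructed tarball. Package name "example" and
# the URLs are placeholders.
set -eu

# Upstream side: ASCII-armoured detached signature stored next to the tarball.
sign_release() {            # $1 = tarball, $2 = key id / fingerprint / user id
    gpg --batch --yes --local-user "$2" --armor --output "$1.asc" --detach-sign "$1"
}

# Packager side: pin the upstream public key in the file uscan reads
# (debian/upstream-signing-key.asc in the lintian text above).
pin_upstream_key() {        # $1 = key id, $2 = destination .asc file
    gpg --batch --armor --export "$1" > "$2"
}

# Verify the tarball against the pinned key only, as uscan does with gpgv;
# returns non-zero for a bad signature or a tarball changed after signing.
verify_release() {          # $1 = tarball, $2 = pinned .asc keyring
    kr=$(mktemp) && gpg --batch --yes --dearmor --output "$kr" "$2" 2>/dev/null || return 1
    rc=0; gpgv --keyring "$kr" "$1.asc" "$1" 2>/dev/null || rc=$?
    rm -f "$kr"; return $rc
}

# debian/watch entry telling uscan where the signature lives: pgpsigurlmangle
# rewrites the tarball URL (here by appending ".asc").
watch_file() {
    printf '%s\n' 'version=4' \
        'opts=pgpsigurlmangle=s/$/.asc/ \' \
        '  https://example.invalid/releases/ .*/example-(\d\S+)\.tar\.gz'
}

# End-to-end check: a fresh signature verifies, a tampered tarball is rejected.
roundtrip_ok() {
    work=$(mktemp -d); GNUPGHOME="$work/gnupg"; export GNUPGHOME; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Upstream Test <upstream@example.invalid>' ed25519 sign 0 2>/dev/null
    tb="$work/example-1.0.tar.gz"; printf 'constructed release payload\n' > "$tb"
    sign_release "$tb" upstream@example.invalid
    pin_upstream_key upstream@example.invalid "$work/upstream-signing-key.asc"
    verify_release "$tb" "$work/upstream-signing-key.asc" || return 1
    printf 'tampered\n' >> "$tb"                       # simulate a modified download
    if verify_release "$tb" "$work/upstream-signing-key.asc"; then return 1; fi
    gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$work"
}
```

Pinning the exported key in the packaging tree means verification trusts exactly that key and nothing else in the packager's keyring, which is why the lintian note points at a dedicated keyring file rather than a keyserver lookup.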