Package: src:apache2 Version: 2.4.6-3 Severity: normal Tags: patch uscan from devscripts 2.13.3 has the ability to check OpenPGP signatures on new upstream releases.
It looks like Jim Jagielski is signing apache2 releases (at least those from 2.2 onward, which are all that we care about) with his key with fingerprint A93D 62EC C3C8 EA12 DB22 0EC9 34EA 76E6 7914 85A8. So to get uscan to verify this automatically, you'd do: FINGERPRINT='A93D 62EC C3C8 EA12 DB22 0EC9 34EA 76E6 7914 85A8' gpg --keyserver keys.gnupg.org --recv "$FINGERPRINT" cd src/apache2 gpg --export "$FINGERPRINT" > debian/upstream-signing-key.pgp and then you'd modify add the pgpsigurlmangle option to debian/watch so it looks like this: ------------------ version=3 opts=pgpsigurlmangle=s/$/.asc/ http://www.apache.org/dist/httpd/httpd-(\d\.[02468]\.\d+)\.tar\.gz ------------------ Thanks for maintaining apache2 in debian! Regards, --dkg -- System Information: Debian Release: jessie/sid APT prefers testing APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.11-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
