Hi, PGP signature check can be used if only we have such file available in the upstream archive.
> This is my current watchfile: > > --------------------------------------------------------- > version=4 > > opts="\ > uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha|b|a)[\-\.]?\d*)$/$1~$2/, > \ > dversionmangle=s/\+(debian|dfsg|ds|deb)\d*$//, \ > pgpmode=next" \ > https://launchpad.net/inkscape > (?:.*/)?inkscape[_\-\.]?(\d\S+)\.(?:tgz|txz|tar\.(?:bz2|gz|z2|xz)) debian > > opts="pgpmode=previous" https://launchpad.net/inkscape > (?:.*/)?inkscape[_\-\.]?(\d\S+)\.(?:tgz|txz|tar\.(?:bz2|gz|z2|xz)).(?:asc|pgp|gpg|sig) > previous uupdate > --------------------------------------------------------- https://launchpad.net/inkscape has no link to sigfile > but: > > % ~/devel/devscripts/devscripts/scripts/uscan.pl --verbose --report --debug > [...] ... > uscan.pl warning: Unable to set versionmode=prev for the line without > opts=pgpmode=prev > in debian/watch, skipping: I understand that this error message can be improved. > https://launchpad.net/inkscape > (?:.*/)?inkscape[_\-\.]?(\d\S+)\.(?:tgz|txz|tar\.(?:bz2|gz|z2|xz)).(?:asc|pgp|gpg|sig) > previous uupdate > -- Scan finished There is no link from https://launchpad.net/inkscape as I see web page. uscan can not find sig file. Of course human is smarter. Signature is only published on its version specific release note such as here https://inkscape.org/en/gallery/item/3860/ as https://inkscape.global.ssl.fastly.net/media/resources/sigs/inkscape-0.91.tar.bz2.sig The directory of signature file is not accessible so that is not usable... nor there is any computer usable page listing URL of signature. The best you can is to ask upstream to publish signature file URL at https://inkscape.org/en/download/source/ together with tar.gz URL. Or update launchpad page to publish signature URL...... !!! WAIT !!! !!! I FIND IT !!! Why didn't you use this page to make uscan watch file. https://launchpad.net/inkscape/+download This watch URL with the rest the same as your watch file and getting the public key from https://inkscape.org/en/download/ $ uscan pkg: Newer version (0.91) available on remote site: https://launchpad.net/inkscape/0.91.x/0.91/+download/inkscape-0.91.tar.gz (local version is 0.0) Successfully downloaded updated package inkscape-0.91.tar.gz Successfully symlinked ../inkscape-0.91.tar.gz to ../pkg_0.91.orig.tar.gz. pkg: Newer version (0.91) available on remote site: https://launchpad.net/inkscape/0.91.x/0.91/+download/inkscape-0.91.tar.gz.sig (local version is 0~0~0~0~0~0dummy) gpgv: Signature made Wed 28 Jan 2015 04:57:21 PM JST using DSA key ID E0E67611 gpgv: Good signature from "Bryce Harrington <bryce.harring...@ubuntu.com>" gpgv: aka "Bryce Harrington <br...@bryceharrington.org>" gpgv: aka "Bryce Harrington <br...@canonical.com>" gpgv: aka "Bryce Harrington <bryce.harring...@canonical.com>" gpgv: aka "Bryce Harrington <br...@ubuntu.com>" Successfully downloaded updated package inkscape-0.91.tar.gz.sig uupdate: debian/source/format is "3.0 (quilt)". uupdate: Auto-generating pkg_0.0-1.debian.tar.xz dpkg-source: info: extracting pkg in pkg-0.91 dpkg-source: info: unpacking pkg_0.91.orig.tar.gz dpkg-source: info: unpacking pkg_0.91-1.debian.tar.xz Remember: Your current directory is changed back to the old source tree! Do a "cd ../pkg-0.91" to see the new source tree and So it works. (Obviously, I am testing from a bogus test package.) Maybe adding how to marge two keys into one keyring may be good idea. Also enabling just to check signature with existing tarball is nice. Maybe after these, let me ask merging this branch into main. Osamu
