Good morning Felix,

Felix Lechner wrote on Tue, Mar 23, 2021 at 14:16:26 -0700:
> Hi Daniel,
>
> On Mon, Jul 13, 2020 at 8:27 AM Daniel Shahaf <danie...@apache.org> wrote:
> >
> > a debian/upstream/signing-key.asc file
> > which contains an expired snapshot of upstream's signing key
>
> Did uscan give you any trouble when trying to validate upstream's
> release signature?
In zsh-syntax-highlighting's packaging I don't use uscan(1). I just
git-merge(1) the new upstream tag, and use git-archive(1) to fake a .orig
tarball.

According to comments in zsh-syntax-highlighting's debian/README.source and
debian/source/lintian-overrides, uscan(1) was avoided because upstream
produces signed tags but not signed tarballs, and no way was identified to
have uscan(1) verify them. Thus, the automation that calls git-archive(1)
also handles verification manually.

In my specific case, I don't actually need the verification at all because
I happen to be upstream's release manager and sign the tags myself in that
capacity, but the workflow doesn't depend on this.

Cheers,

Daniel

> Kind regards
> Felix Lechner
>
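A shell version of the "verify the signed tag yourself, then git-archive(1) the .orig tarball" step described in the reply above, added here as an example; it is not code from the thread or from the zsh-syntax-highlighting packaging. The function names, the pinned-fingerprint argument (playing the role of debian/upstream/signing-key.asc) and the requirement that OUTDIR be an absolute path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the package: verify an upstream
# signed tag with git-verify-tag(1), then build the .orig tarball from that
# tag with git-archive(1), instead of relying on uscan(1).
# Assumptions: upstream's signing key is already in the GnuPG keyring, the
# caller supplies its full fingerprint, and OUTDIR is an absolute path
# (git -C changes directory, so a relative -o path would land in the repo).
set -eu

# tag_signed_by REPO TAG FINGERPRINT
# Succeeds only if git-verify-tag(1) reports a VALIDSIG made by the expected
# key. Pinning the fingerprint matters: verify-tag on its own accepts a valid
# signature from any key in the keyring, not just upstream's.
tag_signed_by() {
    repo=$1; tag=$2; fpr=$3
    # --raw sends gpg's machine-readable status lines to stderr; VALIDSIG
    # carries the signing key's fingerprint as its first field and the
    # primary key's fingerprint as its last.
    git -C "$repo" verify-tag --raw "$tag" 2>&1 >/dev/null |
        grep -Eq "^\[GNUPG:\] VALIDSIG ($fpr |.* $fpr\$)"
}

# make_orig_tarball REPO PACKAGE VERSION TAG FINGERPRINT OUTDIR
# Prints the tarball path; refuses to build anything from an unverified tag.
make_orig_tarball() {
    repo=$1; package=$2; version=$3; tag=$4; fpr=$5; outdir=$6
    if ! tag_signed_by "$repo" "$tag" "$fpr"; then
        echo "refusing to build $package $version: $tag not signed by $fpr" >&2
        return 1
    fi
    out="$outdir/${package}_${version}.orig.tar.gz"
    # --prefix gives the top-level directory that dpkg-source expects.
    git -C "$repo" archive --format=tar.gz --prefix="${package}-${version}/" \
        -o "$out" "$tag"
    echo "$out"
}

# Usage: script.sh REPO PACKAGE VERSION TAG FINGERPRINT OUTDIR
if [ $# -eq 6 ]; then
    make_orig_tarball "$@"
fi
```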