Otto Kekäläinen <o...@debian.org> writes:

> I wish that gbp import-ref and gbp import-orig *if*
> gbp.conf:upstream-vcs-tag would automatically attempt to run `git
> verify-tag` and emit a warning if the upstream signature does not have
> a signature, encouraging Debian maintainers to ask upstream to start
> using signed git tags.
>
> When the upstream tag does have a signature, gbp would emit a warning
> if the tag wasn't signed with `debian/upstream/signing-key.asc`.
>
> Additionally, there should be a new config option
> `upstream-git-signatures`, which if set would make the warnings errors
> and refuse to import if tag was not signed, or the key didn't match.
+1

I think upstream tag signature verification failures should be an error, not a warning. That would be consistent with uscan; doesn't it also fail on PGP key signature failures?

> In some cases the `debian/upstream/signing-key.asc` might be a release
> CI key, while the git tags might be signed by individual authors. Thus
> we might also need to support something like
> `debian/upstream/signing-keyring.asc` that has all valid upstream
> release tag authors.

I believe signing-key.asc can contain multiple keys already.

/Simon
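One way the proposed check could be implemented, as an added example that is neither gbp's own code nor part of this thread: a POSIX shell script that imports `debian/upstream/signing-key.asc` (which may hold several keys) into a throwaway GnuPG home, runs `git verify-tag --raw` on the upstream tag, and fails on an unsigned tag, a bad signature, or a signature made by a key that is not in the keyring. It assumes `git` and `gpg` are on PATH, that the tag name and keyring path are passed as arguments, and the GnuPG status-line layout documented in GnuPG's doc/DETAILS.

```shell
#!/bin/sh
# Added example, not code from gbp or from this thread. Verifies that a git tag
# is signed by a key listed in debian/upstream/signing-key.asc.
# Assumes: git and gpg on PATH; arguments: TAG KEYRING_FILE.

# Print the signing-key fingerprint from `git verify-tag --raw` status output
# ("[GNUPG:] VALIDSIG <fpr> <date> ... [<primary-fpr>]"); prints nothing if absent.
signer_fingerprint() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Print the key id gpg reported as missing ("[GNUPG:] NO_PUBKEY <keyid>"), if any.
missing_key_id() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { print $3; exit }'
}

# Return 0 if FPR is one of the newline-separated ALLOWED fingerprints, else 1.
fingerprint_allowed() {
    fpr=$1; allowed=$2
    [ -n "$fpr" ] || return 1
    printf '%s\n' "$allowed" | grep -qx "$fpr"
}

# Verify TAG against KEYRING. Exit status: 0 signed by an allowed key,
# 1 unsigned or bad signature, 3 signed by a key not in the keyring, 2 setup error.
verify_upstream_tag() {
    tag=$1; keyring=$2
    tmp=$(mktemp -d) || return 2
    GNUPGHOME=$tmp; export GNUPGHOME   # isolate from the maintainer's own keyring
    if ! gpg --batch --quiet --import "$keyring" 2>/dev/null; then
        rm -rf "$tmp"; return 2
    fi
    # Every primary-key and subkey fingerprint in the keyring is acceptable.
    allowed=$(gpg --batch --with-colons --fingerprint 2>/dev/null | awk -F: '$1 == "fpr" { print $10 }')
    status=$(git verify-tag --raw "$tag" 2>&1 >/dev/null); rc=$?   # raw status goes to stderr
    rm -rf "$tmp"
    fpr=$(signer_fingerprint "$status")
    if [ -n "$(missing_key_id "$status")" ]; then
        echo "ERROR: tag $tag signed by key $(missing_key_id "$status"), not in $keyring" >&2; return 3
    fi
    if [ "$rc" -ne 0 ] || ! fingerprint_allowed "$fpr" "$allowed"; then
        echo "ERROR: tag $tag is unsigned or its signature does not verify" >&2; return 1
    fi
    echo "OK: tag $tag signed by $fpr"
}

if [ "$#" -eq 2 ]; then
    verify_upstream_tag "$1" "$2"
fi
```

The final allowed-list comparison is kept even though the temporary keyring already limits which keys can verify; it guards against the case where git ends up consulting a different keyring than the one just imported.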