Hi,

> > Additionally, there should be a new config option
> > `upstream-git-signatures`, which if set would make the warnings errors
> > and refuse to import if tag was not signed, or the key didn't match.
>
> +1
>
> I think upstream tag signature verification failures should be an error,
> not a warning. That would be consistent with uscan, doesn't it also
Yes, that is what I tried to mean with what I wrote above :) Opportunistically check everything and warn if things are missing, and when told via gbp.conf what to expect from upstream, then enforce it and abort imports if requirements are not met.

> fail on pgp key signature failures?

Yes, most of the time, but if gbp.conf:upstream-signatures=on is used it can enforce that no imports can happen without downloading the signature. We should encourage people to use a gbp.conf and not rely on whether a maintainer happens to remember to pass a certain flag to gbp or uscan or not.

> > In some cases the `debian/upstream/signing-key.asc` might be a release
> > CI key, while the git tags might be signed by individual authors. Thus
> > we might also need to support something like
> > `debian/upstream/signing-keyring.asc` that has all valid upstream
> > release tag authors.
>
> I believe signing-key.asc can contain multiple keys already.

Probably, but I feel a little bit uneasy about mixing "official" release signing keys with upstream author personal keys (what is typically used for signing tags).
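As an added illustration of the warn-versus-abort policy discussed in this thread (example code, not from the thread or from git-buildpackage itself): a Python sketch that reads the gpg status lines `git verify-tag --raw` prints on stderr, checks the signing fingerprint against a set of fingerprints assumed to have been extracted from `debian/upstream/signing-key.asc`, and applies a hypothetical `upstream-git-signatures` option read from an `[import-orig]` section of gbp.conf. The status output and fingerprint below are constructed placeholders.

```python
import configparser
import re

STATUS_RE = re.compile(r"^\[GNUPG:\] (\w+)(?: (.*))?$")  # gpg status lines from verify-tag --raw
# Constructed sample stderr for a tag signed by a placeholder fingerprint.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = ("[GNUPG:] GOODSIG 0123456789ABCDEF Example <release@example.org>\n"
               "[GNUPG:] VALIDSIG " + SAMPLE_FPR + " 2024-01-01 1704067200 0 4 0 1 10 00\n")

def parse_status(stderr):
    """Reduce gpg status lines to: good?, fingerprint, key missing?, bad?"""
    st = {"good": False, "fpr": None, "missing": False, "bad": False}
    for line in stderr.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        kw, args = m.group(1), (m.group(2) or "")
        if kw == "GOODSIG":
            st["good"] = True
        elif kw == "VALIDSIG":  # first field is the full fingerprint
            st["fpr"] = args.split()[0].upper()
        elif kw == "NO_PUBKEY":
            st["missing"] = True
        elif kw in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            st["bad"] = True
    return st

def policy_from_conf(conf_text):
    """Read the hypothetical upstream-git-signatures option: off, auto or on."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("import-orig", "upstream-git-signatures", fallback="auto").lower()

def judge(stderr, trusted_fprs, mode):
    """Return ("ok"|"warn"|"abort", reason) for one verify-tag result."""
    st = parse_status(stderr)
    trusted = {f.replace(" ", "").upper() for f in trusted_fprs}
    if st["good"] and not st["bad"] and st["fpr"] in trusted:
        return "ok", "tag signed by a key in debian/upstream/signing-key.asc"
    if mode == "off":
        return "ok", "signature checks disabled"
    if st["bad"]:
        reason = "bad signature or expired/revoked key"
    elif st["missing"]:
        reason = "signing key not available locally"
    elif st["good"]:
        reason = "signed by %s, not in the upstream keyring" % st["fpr"]
    else:
        reason = "tag is not signed"
    return ("abort" if mode == "on" else "warn"), reason  # auto only warns
```

To check a real tag, pass the stderr of `git verify-tag --raw <tag>` to `judge` together with the keyring fingerprints and the mode from gbp.conf.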