On Fri Aug 22, 2025 at 9:31 PM CEST, Otto Kekäläinen wrote:
On the question if this gbp.conf option is really needed or if use of
signatures can be implied by the key:
- upstream-signatures

One can already figure this out by checking the existence of
debian/upstream/signing-key.asc. Why duplicate this here?

I wonder if we really can make this assumption?

Well, that's the upstream key relevant for this package. According to <https://wiki.debian.org/debian/upstream#debian.2Fupstream.2Fsigning-key.asc>, it's used only by uscan. If it isn't used to verify upstream code signatures, it shouldn't be there.

If upstream signs tags with a specific OpenPGP key, and I'm verifying tags, I'll put that key there. Same with tarballs.

Typically, tarballs and tags are signed with the same OpenPGP key anyway. Sometimes, though, tags are signed with SSH keys, but we don't support that anyway.

But in any case, gbp's upstream-signatures option specifies whether to check signatures, it's a boolean. How would it help here?

One reasonable behaviour for tools which use d/upstream/signing-key.asc would be to enable signature checking by default if the file exists, fail if the signature does not verify, and warn if the signature is missing (or fail here too, maybe).

In any case, I think I'm not understanding your concerns, nor how a new d/upstream/metadata field would help :/
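The default behaviour sketched in the reply above, written out as a POSIX shell check (an added example, not code from the thread, gbp or uscan; the function name, the return codes and the use of gpgv with a throwaway keyring are assumptions):

```shell
#!/bin/sh
# Added example: derive "check upstream signatures?" from the presence of
# debian/upstream/signing-key.asc instead of a separate boolean option.
set -u

# check_upstream_sig SRCDIR TARBALL
#   returns 0: signature verified, or no signing key shipped (check disabled)
#   returns 1: signature present but does not verify (hard failure)
#   returns 2: signing key shipped but no detached signature found (warning)
check_upstream_sig() {
    srcdir=$1
    tarball=$2
    keyfile="$srcdir/debian/upstream/signing-key.asc"

    # Policy 1: the shipped key implies that checking is wanted.
    if [ ! -f "$keyfile" ]; then
        echo "info: no $keyfile, upstream signature check disabled" >&2
        return 0
    fi

    # Detached signatures are commonly shipped as .asc or .sig next to the tarball.
    sig=""
    for cand in "$tarball.asc" "$tarball.sig"; do
        if [ -f "$cand" ]; then sig=$cand; break; fi
    done

    # Policy 3: key shipped but nothing to verify against it -> warn.
    if [ -z "$sig" ]; then
        echo "warning: $keyfile present but no signature for $tarball" >&2
        return 2
    fi

    # Policy 2: a signature must verify against the shipped key only, so the
    # armoured key is dearmored into a temporary keyring and gpgv is pointed
    # at that instead of the user's default keyring.
    tmp=$(mktemp -d) || return 1
    if ! gpg --batch --quiet --dearmor -o "$tmp/keyring.gpg" "$keyfile"; then
        rm -rf "$tmp"; echo "error: cannot read $keyfile" >&2; return 1
    fi
    if gpgv --keyring "$tmp/keyring.gpg" "$sig" "$tarball" 2>"$tmp/log"; then
        rm -rf "$tmp"; echo "ok: $tarball verified with $keyfile" >&2; return 0
    fi
    cat "$tmp/log" >&2; rm -rf "$tmp"
    echo "error: signature $sig does not verify for $tarball" >&2
    return 1
}
```

Call it as `check_upstream_sig . ../foo_1.0.orig.tar.gz` from an unpacked source tree; only the return code 1 path needs gpg/gpgv installed.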
