Hi Yadd,

thank you very much for your work on uscan. That new version 5 format looks really promising.

* Yadd <y...@debian.org> [2021-12-01 09:11]:
> * Version 5:
>   * Main (first) paragraph contains "Version: 5" and optional options that
>     change default values for source-paragraph
>   * URL and regex are separated
>   * Some default values change. For example, `dversionmangle` default value
>     will be "auto" (drop +dfsg, ~ds,...), uversionmangle=s/-/~/g,
>     filenamemangle=s/.*?(\d[\d\.]*@ARCHIVE_EXT@)/@PACKAGE@-$1/...
> [...]
> Of course, comments are welcome!

I have a feature request regarding signature verification. As luck would have it, I maintain three packages with upstream signatures; one of them is me being my own upstream, and the other two do not use the "standard" approach with one GnuPG signature per source tarball:

- cmake releases its sources in multiple archive formats and signs them indirectly (a text file with SHA256 hashes) [1].
- liblzf uses the BSD signify tool [2] and only GnuPG-signs the signify key.

I don't know if any of these schemes are used elsewhere (more likely for the CMake approach, less likely for liblzf, I'd guess), but it would be nice if uscan offered some support for this; maybe a hook to run the signature verification by an external script with autopkgtest semantics (fail if output occurs on stderr or the script returns with a non-zero exit code).

Cheers
Timo

[1] https://cmake.org/install/#download-verification
[2] http://dist.schmorp.de/signing-key.txt

-- 
⢀⣴⠾⠻⢶⣦⠀   ╭────────────────────────────────────────────────────╮
⣾⠁⢠⠒⠀⣿⡁   │ Timo Röhling                                       │
⢿⡄⠘⠷⠚⠋⠀   │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA  │
⠈⠳⣄⠀⠀⠀⠀   ╰────────────────────────────────────────────────────╯
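An external verification script for the CMake-style scheme mentioned in the message above (a GnuPG-signed text file of SHA256 hashes), as an added example that is not part of the original e-mail and not uscan code. The hook interface, the function names and the argument order are assumptions, and the keyring is assumed to be in binary (dearmored) form.

```shell
#!/bin/sh
# Hypothetical verification hook; uscan defines no such interface in this thread.
# Usage: verify-indirect KEYRING SUMS SUMS_SIG TARBALL
# Assumed contract (autopkgtest semantics): exit 0 and nothing on stderr on success.

# Verify the detached signature over the checksum file. gpgv reports even a
# good signature on stderr, so its output is captured and shown only on failure.
verify_manifest_sig() {   # KEYRING SIG SUMS
    out=$(gpgv --keyring "$1" "$2" "$3" 2>&1) && return 0
    printf 'signature check failed:\n%s\n' "$out" >&2
    return 1
}

# Check TARBALL against the single manifest entry whose file name matches
# exactly; a substring match would accept the hash of "pkg.tar.gz.other".
check_manifest() {        # SUMS TARBALL
    name=$(basename "$2")
    want=$(awk -v n="$name" '$2 == n || $2 == "*" n { print tolower($1) }' "$1")
    case $want in
        '') echo "no entry for $name in $1" >&2; return 1 ;;
        # Two matching entries leave a newline in $want and land here too.
        *[!0-9a-f]*) echo "ambiguous or malformed entry for $name" >&2; return 1 ;;
    esac
    [ ${#want} -eq 64 ] || { echo "not a SHA-256 digest for $name" >&2; return 1; }
    have=$(sha256sum < "$2" | cut -d' ' -f1)
    [ "$have" = "$want" ] || { echo "SHA-256 mismatch for $name" >&2; return 1; }
}

# The manifest is trusted only after its signature verifies; the order matters.
verify_indirect() {       # KEYRING SUMS SIG TARBALL
    verify_manifest_sig "$1" "$3" "$2" && check_manifest "$2" "$4"
}

if [ $# -eq 4 ]; then
    verify_indirect "$@"
fi
```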