On 07/03/26 1:30 pm, Simon Josefsson wrote:
> Nilesh Patra <[email protected]> writes:
>
>> On 07/03/26 1:03 pm, Simon Josefsson wrote:
>>> Package: lintian
>>> Version: 2.122.0
>>>
>>> Hi!
>>>
>>> It seems orig-tarball-missing-upstream-signature is enabled at Warning
>>> severity level when debian/upstream/signing-key.asc exists but there is
>>> no *.asc PGP tarball signature, see lintian complaint below.
>>>
>>> However 'ding-libs' is using upstream git as the source, and upstream
>>> uses PGP signed tags, as explained by debian/watch:
>>>
>>> Version: 5
>>> Source: https://github.com/SSSD/ding-libs.git
>>> Matching-Pattern: refs/tags/@ANY_VERSION@
>>> Mode: git
>>> Pgpmode: gittag
>>>
>>> For that PGP git tag verification to work, a PGP key is needed, and I
>>> believe uscan and other tools use debian/upstream/signing-key.asc for
>>> verifying PGP-signed git tags, and have done so for a long time now.
>>>
>>> Thus, I think orig-tarball-missing-upstream-signature should be modified
>>> to not trigger, at least not at warning level, when PGP-signed git tags
>>> are used.
>>>
>>> I did not see PGP-signed git tags discussed in #954743 and #872864 but
>>> could have missed it, so I think this is a somewhat different situation
>>
>> That is already the case, lintian checks for "Pgp-Mode: gittag" and does
>> not emit it for the same. Pgp-Mode is documented in d/watch manpage[1].
>>
>> Your package uses "Pgpmode: gittag" which is either wrong or not documented
>> in the manpage. Do you know if it's the latter case? If so, I will add this.
>
> D'uh! Thank you for spotting that. This is cut'n'paste code, so I'm
> pretty sure this was coming from some other package.
Yes. I see quite a few of them:
https://codesearch.debian.net/search?q=path%3Adebian%2Fwatch+Pgpmode%3A&literal=1
> Uscan seems to be performing PGP verification here, snippet from
> complete output below:
>
> uscan info: => Package is up to date from:
> => https://github.com/SSSD/ding-libs.git refs/tags/0.7.0
> uscan info: => Forcing download as requested
> uscan info: Downloading and overwriting existing file: ding-libs-0.7.0.tar.xz
> uscan info: Successfully downloaded package: ding-libs-0.7.0.tar.xz
> gpgv: Signature made Mon Mar 2 11:50:45 2026 CET
> gpgv: using RSA key 930201AAB42DD1947210B7838D7326351A726211
> gpgv: Good signature from "Alexey Tikhonov <[email protected]>"
> uscan info: New orig.tar.* tarball version (oversionmangled): 0.7.0
>
> So presumably uscan supports 'Pgpmode:' too.
Can I ask you to open a bug against devscripts and ask them to either
a) document this
or
b) fix this if it is not expected?
Maybe you could just re-assign this bug for the context.
> I confirmed that changing debian/watch to 'Pgp-Mode: gittag' silenced
> lintian.
>
> I still get the warning with 'Pgp-mode: gittag'. Is the header supposed
> to be case sensitive?
Yes.
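The thread turns on one detail: lintian only suppresses orig-tarball-missing-upstream-signature when it sees the exact field name "Pgp-Mode: gittag", so a look-alike spelling such as "Pgpmode:" or "Pgp-mode:" leaves the package looking unverified to the tool even if uscan happens to verify the tag anyway. The following script is an added example, not code from lintian, uscan or the ding-libs package; it assumes the deb822-style stanza layout (one "Key: value" per line, stanzas separated by blank lines) that the quoted debian/watch uses, and it treats field names as case-sensitive, which is what the reply above confirms. It parses a watch file, reports any field that looks like Pgp-Mode but is not spelled canonically, and returns the PGP mode a strict consumer would actually see.

```python
"""Flag misspelled Pgp-Mode fields in a version 5 debian/watch file.

Added example (not part of the bug report, lintian or uscan).  Assumes the
deb822-style layout shown in the thread: "Key: value" lines, stanzas
separated by blank lines, '#' comments ignored, field names case-sensitive.
"""

import re

CANONICAL = "Pgp-Mode"
# Anything that a human would read as "pgp mode" but is not spelled CANONICAL.
LOOKALIKE = re.compile(r"^pgp[-_]?mode$", re.IGNORECASE)

# Constructed sample: the stanza quoted in the thread, with the look-alike key.
WATCH_MISSPELLED = """\
Version: 5
Source: https://github.com/SSSD/ding-libs.git
Matching-Pattern: refs/tags/@ANY_VERSION@
Mode: git
Pgpmode: gittag
"""

# Constructed sample: the corrected stanza that silenced lintian.
WATCH_CORRECT = WATCH_MISSPELLED.replace("Pgpmode:", "Pgp-Mode:")

# Constructed sample: the lower-case variant that still produced the warning.
WATCH_LOWERCASE = WATCH_MISSPELLED.replace("Pgpmode:", "Pgp-mode:")


def parse_watch(text):
    """Return a list of stanzas; each stanza is a list of (key, value) pairs.

    Key spelling is preserved exactly so the caller can judge it.
    """
    stanzas, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            if current:
                stanzas.append(current)
                current = []
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'Key: value' line: {raw!r}")
        current.append((key.strip(), value.strip()))
    if current:
        stanzas.append(current)
    return stanzas


def misspelled_pgp_mode(text):
    """Return (stanza_number, key, value) for every look-alike of Pgp-Mode.

    Stanzas are numbered from 1.  The canonical spelling is never reported.
    """
    findings = []
    for n, stanza in enumerate(parse_watch(text), start=1):
        for key, value in stanza:
            if key != CANONICAL and LOOKALIKE.match(key):
                findings.append((n, key, value))
    return findings


def effective_pgp_mode(text, stanza_number=1):
    """Return the Pgp-Mode value a strict, case-sensitive consumer sees.

    Returns None when the canonical field is absent from that stanza, which is
    the situation in which lintian cannot tell that git-tag verification is
    in use.
    """
    stanzas = parse_watch(text)
    if stanza_number > len(stanzas):
        return None
    for key, value in stanzas[stanza_number - 1]:
        if key == CANONICAL:
            return value
    return None


if __name__ == "__main__":
    for label, sample in (("misspelled", WATCH_MISSPELLED),
                          ("lowercase", WATCH_LOWERCASE),
                          ("correct", WATCH_CORRECT)):
        print(label, "->", misspelled_pgp_mode(sample),
              "effective:", effective_pgp_mode(sample))
```

Run over a real debian/watch, the two functions answer the question the thread circles around: whether the package declares git-tag verification in the one spelling lintian recognises. A non-empty result from misspelled_pgp_mode together with None from effective_pgp_mode is exactly the combination that produced the warning for ding-libs.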