Hi, >There is no problem to fetch the key. The problem is to use it. My present
>use case is this > > gpgv --homedir debian/upstream --keyring debian/upstream/signing-key.pgp \ > archive.sig archive > >You are requesting me to use 'debian/upstream/signing-key.asc', an armoured key >which gpgv is not able to handle to my knowledge. Observe that upstream's >source >archive must be repackaged to fulfill DFSG, so the above use of gpgv is located >in the target 'get-orig-source' for verification of the original archive >before proceeding to eliminate the texinfo source, which violates DFSG. gpg --verify rush-1.8.tar.xz.sig gpg: assuming signed data in `rush-1.8.tar.xz' gpg: Signature made sab 01 ott 2016 10:04:02 CEST using DSA key ID 55D0C732 gpg: Good signature from "Sergey Poznyakoff <g...@gnu.org>" gpg: aka "Sergey Poznyakoff <g...@gnu.org.ua>" gpg: aka "Sergey Poznyakoff (Gray) <g...@mirddin.farlep.net>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 325F 650C 4C2B 6AD5 8807 327A 3602 B07F 55D0 C732 why this can't work? you wget the key, and gpg --verify it. that upstream/ is something that should be handled by uscan, not by you. anyway, there should be a clean, and easy way to avoid that stuff entirely. I suggest you to try harder with the documentation I gave to you "opts=pgpsigurlmangle=s/$/.asc/" should do the trick also, you are just removing some files to the tarball? then, Files-Excluded copyright keyword can do it for you. https://wiki.debian.org/UscanEnhancements can this fit your needs? G.
