Hello mentors,

upstream signed the last release [1], and if I download the text and save it as upstream.pgp.asc I can do

$ gpg --verify upstream.pgp.asc
gpg: Signature made Fri 27 Sep 2024 03:04:43 AM CEST
gpg: using RSA key DAC43860630556B6DBF0898FA5DAAEFCB14D13CC
gpg: Good signature from "Gerrit Pape <p...@debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DAC4 3860 6305 56B6 DBF0 898F A5DA AEFC B14D 13CC

I did a little search and it looks like, in order to automatically verify the upstream tarball, a file like [2] (?) is needed: is there a way I can extract that info from upstream's public key, or do I have to ask upstream to provide that info (I don't see it anywhere)?

Lorenzo

[1] https://smarden.org/runit/install
    https://smarden.org/runit/sha256sum.asc
[2] https://salsa.debian.org/utopia-team/dbus/-/blob/debian/unstable/debian/upstream/signing-key.asc?ref_type=heads
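As an added example (not part of the post above, nor runit's or Debian's own tooling), a small POSIX shell script that exports the public key gpg reported into the debian/upstream/signing-key.asc file the question asks about, then checks a clearsigned file such as upstream's sha256sum.asc against only that key in a throwaway keyring. The function names and the script file name are constructed; it assumes the key is already in your keyring (e.g. via gpg --recv-keys or --import).

```sh
#!/bin/sh
# Added example, not from the original post or from runit/Debian tooling:
# export a public key already in the local keyring to the file uscan expects
# (debian/upstream/signing-key.asc) and check a clearsigned file, such as
# upstream's sha256sum.asc, against that key alone, in a throwaway keyring.
set -eu

# export_signing_key FINGERPRINT DEST
# Writes the armored public key for FINGERPRINT to DEST. export-minimal drops
# third-party certifications so the file carries only the key and its self-sigs.
export_signing_key() {
    fpr=$1; dest=$2
    mkdir -p "$(dirname "$dest")"
    gpg --batch --armor --export-options export-minimal \
        --export "$fpr" > "$dest" 2>/dev/null
    # gpg may exit 0 with nothing exported, so also require a non-empty file.
    [ -s "$dest" ] || { echo "no public key found for $fpr" >&2; return 1; }
}

# verify_with_key KEYFILE SIGNEDFILE FINGERPRINT
# Verifies SIGNEDFILE using only the keys in KEYFILE, imported into a fresh
# keyring, and requires the signature to come from FINGERPRINT (as signing key
# or as primary key of a signing subkey), not merely from any key in the file.
verify_with_key() {
    keyfile=$1; signed=$2; fpr=$3
    tmp=$(mktemp -d)
    gpg --batch --homedir "$tmp" --quiet --import "$keyfile" 2>/dev/null
    # --status-fd gives locale-independent lines; VALIDSIG carries full fingerprints.
    status=$(gpg --batch --homedir "$tmp" --status-fd 1 \
                 --verify "$signed" 2>/dev/null) || true
    rm -rf "$tmp"
    printf '%s\n' "$status" | grep -Eq "^\[GNUPG:\] VALIDSIG ($fpr |.* $fpr\$)"
}

# Usage: sh verify-upstream-key.sh FINGERPRINT SIGNEDFILE [DEST]
# e.g. with the fingerprint gpg printed above and upstream's sha256sum.asc:
#   sh verify-upstream-key.sh DAC43860630556B6DBF0898FA5DAAEFCB14D13CC sha256sum.asc
if [ $# -ge 2 ]; then
    dest=${3:-debian/upstream/signing-key.asc}
    export_signing_key "$1" "$dest"
    verify_with_key "$dest" "$2" "$1" && echo "good signature from $1 using $dest"
fi
```

Checking the fingerprint explicitly matters because uscan trusts whatever keys the file contains; a file holding an extra key would otherwise make any signature from it "valid".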