* Lorenzo <plore...@disroot.org> [2024-10-16 11:19]:
> Hello mentors,
> upstream signed last release [1], and if I download the text and save
> it as upstream.pgp.asc I can do
> [...]
> I did a little search and it looks that, in order to automatically
> verify upstream tarball, a file like [2] (?) is needed:
> is there a way I can extract that info from upstream public key or do I
> have to ask upstream to provide that info (I don't see it anywhere)?

Hello Lorenzo,

You can extract the key after checking it’s correct; you can find some help here:
https://www.debian.org/doc/manuals/debmake-doc/ch06.en.html#signing-key

Also, the exported key should be a minimal key; you may need to add
"--export-options export-minimal" when exporting the key. I think there is
a lintian check for this.

Nicolas.