
list of upstream tarball signing schemes?



I'm packaging nix: https://nixos.org/releases/nix/latest

It releases 3 files:

nix-2.3.1.tar.xz.asc - which signs the .sha256
nix-2.3.1.tar.xz.sha256 - which contains the hash of the tarball
nix-2.3.1.tar.xz

I included upstream's gpg key in debian/upstream/signing-key.asc and thus get this lintian warning:

https://lintian.debian.org/tags/orig-tarball-missing-upstream-signature.html

Is it correct that this scheme is not (yet) supported by our tools?

Is there a good place (wiki.d.o?) to track the different signing schemes we find in the wild and discuss which to support? I understand that every new scheme probably needs changes at least to dpkg, pristine-tar and git-buildpackage.

Other schemes I found while searching:

- signature over uncompressed tarball: https://bugs.debian.org/882694
- signed git tags: https://bugs.debian.org/920763
- embedded in tar, never seen: https://www.gnu.org/software/swbis/sourcesign-1.2/gendocs/manual/sourcesign.html
- and in this email, signed hash files
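The scheme from this mail (a detached signature over the .sha256 file, which in turn carries the tarball's hash) needs two checks, and skipping the second would leave the tarball itself unauthenticated. The following is an added example, not nix's or Debian's own tooling; it assumes gpg is on PATH, the upstream key is imported into a dedicated keyring, and the .sha256 file is either a bare hex digest or sha256sum's `<hex>  <name>` layout.

```python
"""Verify an upstream release shipped as tarball + .sha256 + .asc-over-.sha256."""
import hashlib
import hmac
import subprocess
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sha256_file(text: str, tarball_name: str) -> str:
    """Return the expected digest from a .sha256 file.

    Accepts a bare digest or sha256sum's "<hex>  <name>" form (assumption about
    upstream's layout). If a name is present it must match the tarball, so a
    validly signed hash file for a different release cannot be swapped in.
    """
    fields = text.strip().split()
    if not fields or len(fields[0]) != 64:
        raise ValueError("malformed .sha256 file")
    if len(fields) > 1 and fields[1].lstrip("*") != tarball_name:
        raise ValueError(f".sha256 names {fields[1]!r}, expected {tarball_name!r}")
    return fields[0].lower()


def tarball_matches(tarball_bytes: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(sha256_hex(tarball_bytes), expected_hex)


def gpg_signature_valid(asc: Path, signed: Path, keyring: Path, fingerprint: str) -> bool:
    """Detached-signature check pinned to one expected key, not just "any key in the ring"."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
         "--status-fd", "1", "--verify", str(asc), str(signed)],
        capture_output=True, text=True)
    # VALIDSIG's first argument is the signing key's full fingerprint.
    good = [ln.split() for ln in proc.stdout.splitlines() if ln.startswith("[GNUPG:] VALIDSIG ")]
    return proc.returncode == 0 and any(len(f) > 2 and f[2] == fingerprint for f in good)


def verify_release(tarball: Path, keyring: Path, fingerprint: str) -> bool:
    sha_file = tarball.with_name(tarball.name + ".sha256")
    asc_file = tarball.with_name(tarball.name + ".asc")
    # Step 1: the signature covers only the .sha256 file ...
    if not gpg_signature_valid(asc_file, sha_file, keyring, fingerprint):
        return False
    # Step 2: ... so the hash file must itself be checked against the tarball bytes.
    expected = parse_sha256_file(sha_file.read_text(), tarball.name)
    return tarball_matches(tarball.read_bytes(), expected)
```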

