Re: Uploading to mentors.debian.net without a signed key

[Kumar Appaiah <a.kumar@alumni.iitm.ac.in>]

On Sat, Aug 10, 2013 at 04:38:28PM +0200, Ross Gammon wrote:
> I have tried signing the the changes file with debsign "debsign
> foopackage.changes", but I assume this is just like the signing that
> the standard dpkg-buildpackage does?

Personally, I use debsign -k <my-key-id> <changesfile> to ensure that
my package is signed. Following this, you can open the changes file
and the dsc file to see that they have been clearsigned. For instance,
an unsigned changes file looks like this:

==========
Format: 1.8
Date: Thu, 06 Jun 2013 08:07:48 -0400
Source: armadillo
Binary: libarmadillo-dev libarmadillo3
Architecture: source amd64
Version: 1:3.900.2+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian Science Maintainers
<debian-science-maintainers@lists.alioth.debian.org>
Changed-By: Kumar Appaiah <akumar@debian.org>
Description:
 libarmadillo-dev - streamlined C++ linear algebra library - Headers
 libarmadillo3 - streamlined C++ linear algebra library
Changes:
 armadillo (1:3.900.2+dfsg-1) unstable; urgency=low
 . 
   * New upstream release
Checksums-Sha1:
[snip] …
==========

while a signed one looks like this:

==========
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 05 Aug 2013 07:30:51 -0400
Source: armadillo
Binary: libarmadillo-dev libarmadillo3
Architecture: source amd64
Version: 1:3.900.7+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian Science Maintainers
<debian-science-maintainers@lists.alioth.debian.org>
Changed-By: Kumar Appaiah <akumar@debian.org>
Description: 
 libarmadillo-dev - streamlined C++ linear algebra library - Headers
 libarmadillo3 - streamlined C++ linear algebra library
Changes: 
 armadillo (1:3.900.7+dfsg-1) unstable; urgency=low
 .
   * New upstream release
Checksums-Sha1: 
[snip] …
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJR/5EqAAoJEHqPSei2NIC+8IQQAJjhENzH49LzkhbRJPqWsXoS
jz139BdDS86l0z9uPEbp4Y6kyXYT61FynO9Cq+PTeFFL0Im1bkJED1PlpRqqJRWw
RFyDTQLEmI6alfQDX45P4A24bQr0vDsYSBR6CgA47on0IstKhUaeXgiygvGryCgA
2N2yErFwjc9rh6OsVO8rr4WeHrq3wdocSb6mCXt7e7ewlgyCXNn5yC8p9O21/mhf
FS1U5VLH6yTkC/EFPrV8qGkzGBl3c3+f8mkf2H8DRiKzYcdU9THVvp4oOCtmPsdT
pD3Q3HA62VIIqma533gO8h18a+2b34z5RIb4q0NFEariHztPwLzHqO/FZnoDzaZG
Z8pSg6yqVDhHl/WSagWyQ9//7uWdZ1lPHtLn3qI5JEOrY2JYD6sppGgIGYsJSR4j
/Zvh9e18iHFPC+HWzk/XOWlOp+iIPYDCkr1fwN1VBN8WTBEv27b76aDHgFdsXVRX
HQ7eJYhOMhqEq7qu3IjJcraa4K7Y76gYdXCA3OT9Ppbw+JNzS3yIr2Ph07qtwS2m
vTPNZZT2bacx1kqXUROuSWsVi6rGdIvfGDuI5mQdDmp1UnbP2u1Mvh7NdVG8x8km
RNuqLXhjeTFR9TRElSDByo5sefaVYcecPYronYgt46KxLnTdio+Te+Y8EuqAXmSu
DLkXuKCe/6rQEuvtNDkS
=xeRH
-----END PGP SIGNATURE-----
==========

Not that the signature is embedded in.

> Is there a way to upload to mentors without needing to sign it with a
> key signed by a DM or DD? Or should I just wait until my local DD's
> get back from Debconf?

Just try the above. Ensure that they key used for signing is the key
known the the mentors site, and things should go well. You can verify
this by doing gpg --verify <changesfile> yourself, after running
debsign.

HTH.

Kumar
-- 
Checking host system type...
i586-unknown-linux
configure: error: sorry, this is the gnu os, not linux
		-- Topic on #Linux