Look at debian-tag2upload-keyring in dscverify (!502) · Merge requests · Debian / devscripts

Ian Jackson requested to merge iwj/devscripts:t2u-key into main Apr 25, 2025

The tag2upload service will be signing dscs with a non-DD, non-DM key. This key is in the debian-tag2upload-keyring package which will migrate to testing shortly. Here, we add this package to Recommends and add the keyring file to the list in dscverify.

(Note that the keyring file is indeed called .pgp rather than .gpg, following current best practice.)

Other uses of debian-keyring.gpg in devscripts:

who-permits-upload: Used to map keyids to names. But, we care about humans here.
who-uploads: This is more complicated. It relies on tracker.d.o's Accepted reports which link to the .changes. The .changes for a t2u upload has different information in it. In practice this is going to be difficult to develop and test until we have a live t2u upload to look at, and also may involve changes to the way tracker.d.o presents things. So I've left this as-is for now.

CC @spwhitton

Look at debian-tag2upload-keyring in dscverify

Merge request reports