Use local files in provide-signature

Currently the debian-pipeline upload process requires one to run debusine provide-signature $WORK_REQUEST_ID, which downloads a .changes file from debusine, signs it, and uploads it back to debusine.

It would be nice to sign the locally generated .changes file, without having to trust that debusine hasn't altered it. Currently, that can be achieved by uploading a signed .changes to debusine, which should short-circuit the signing part of provide-signature, but if the file was altered, it would just be re-signed. And the signed .changes file is now available (probably publicly) on debusine.debian.net, even though there may not be an intent to upload it.

So, how about (optionally) providing a path to the local .changes file to provide-signature. If specified, it can refuse to sign anything that doesn't match the local files.

The way to use debusine to safely pre-test uploads would then be:

  • dput the unsigned .changes file to debusine. We'd probably set allow_unsigned_uploads in our profile.
  • Wait for debusine to build and QA test the upload.
  • debusine provide-signature $WORK_REQUEST_ID foo_source.changes. This either signs the files or rejects them as not matching the local versions.

Other options:

Edited by Stefano Rivera
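
A minimal sketch of the check proposed above, added here as an illustration and not taken from debusine: it compares the Checksums-Sha256 entries of the local .changes with the copy downloaded for signing and lists every difference, so signing can be refused unless the list is empty. The function names and the sample .changes text are constructed for this example.

```python
# Added example, not debusine code. Field names follow the Debian .changes
# format; function names and sample data are hypothetical / constructed.

def checksums(changes_text):
    """Return {filename: (size, sha256)} from the Checksums-Sha256 field."""
    entries, in_field = {}, False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line[:1] in (" ", "\t"):
            # Continuation line: "<sha256> <size> <filename>".
            # A malformed line raises ValueError, which also blocks signing.
            digest, size, name = line.split()
            entries[name] = (int(size), digest.lower())
        else:
            in_field = False
    return entries


def mismatches(local_text, remote_text):
    """List every way the remote .changes differs from the local one."""
    local, remote = checksums(local_text), checksums(remote_text)
    if not local or not remote:
        return ["missing Checksums-Sha256 field"]  # fail closed
    problems = [f"unexpected file: {n}" for n in sorted(remote.keys() - local.keys())]
    problems += [f"missing file: {n}" for n in sorted(local.keys() - remote.keys())]
    problems += [f"content differs: {n}"
                 for n in sorted(local.keys() & remote.keys())
                 if local[n] != remote[n]]
    return problems


# Constructed sample input: placeholder digests, not real package hashes.
A, B, C = "a" * 64, "b" * 64, "c" * 64
LOCAL = f"""Format: 1.8
Source: foo
Version: 1.0-1
Checksums-Sha256:
 {A} 1200 foo_1.0-1.dsc
 {B} 5000 foo_1.0-1.debian.tar.xz
"""
REMOTE_ALTERED = LOCAL.replace(B, C)  # same file name, different content

if __name__ == "__main__":
    for label, remote in (("unchanged", LOCAL), ("altered", REMOTE_ALTERED)):
        found = mismatches(LOCAL, remote)
        print(label, "-> sign" if not found else f"-> refuse: {found}")
```

This sketch compares only the file list; a complete check would also compare the remaining .changes fields and hash the referenced files on disk against the local entries.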