Thursday, April 18, 2024
Sun, September 25, 2022, 7:00:40

I've created a source package for a library I'm working on. I use debuild to build it and then I can successfully upload it with dput.



Now I want to set it up so that I can do this automatically from Jenkins. The main issue I'm running into is signing the .dsc and .changes files. What I'm trying to do is sign the packages with gpg rather than having debuild do it. This way I can sign the files automatically with the gpg option --passphrase-fd 0.



So I use debuild with the options -uc and -us and then clearsign the files with gpg. But when I do this it creates a separate .dsc.asc and source.changes.asc. When I then try to upload with dput I get the error:



Checking signature on .changes
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.


This would seem to suggest that I should list the .asc file as an argument to dput but I can't get this to work.



 Answers

The easy answer is: Launchpad daily builds, they do all of this for you, fairly securely.



If you want to be doing source upload from Jenkins, then I suggest creating a key just for this Jenkins job. Having a passphrase on it wouldn't improve the security very much, if the Jenkins job would have to know the passphrase, so one might as well just leave it unprotected.



If you really want to sign the .dsc and .changes files by hand, sign them with gpg --clearsign, and rename the .asc files over the originals.


[#33909] Monday, September 26, 2022
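
An added example, not part of the original answer: once the clearsigned .dsc.asc is renamed over the .dsc, the file's size and hashes differ from what the .changes file records, so those entries have to be refreshed before the .changes itself is clearsigned. The sketch below detects and repairs the stale entries; the package name libfoo and the file contents are constructed sample data.

```python
import hashlib

# .changes field name -> hash algorithm used for the entries in that field
FIELDS = {"Files": "md5", "Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256"}

def _entries(changes_text):
    """Yield (line_index, field, parts) for every checksum line of a .changes file."""
    field = None
    for i, line in enumerate(changes_text.splitlines()):
        if line[:1] in (" ", "\t"):            # continuation line of the current field
            if field in FIELDS and line.strip():
                yield i, field, line.split()
        else:
            field = line.split(":", 1)[0]

def stale_entries(changes_text, files):
    """Return [(field, name)] whose recorded hash or size no longer matches files[name]."""
    stale = []
    for _, field, parts in _entries(changes_text):
        digest, size, name = parts[0], parts[1], parts[-1]
        if name in files:
            data = files[name]
            if hashlib.new(FIELDS[field], data).hexdigest() != digest or int(size) != len(data):
                stale.append((field, name))
    return stale

def refresh_entry(changes_text, name, data):
    """Rewrite the hash and size recorded for `name` in all three checksum fields."""
    lines = changes_text.splitlines()
    for i, field, parts in _entries(changes_text):
        if parts[-1] == name:
            parts[0] = hashlib.new(FIELDS[field], data).hexdigest()
            parts[1] = str(len(data))
            lines[i] = " " + " ".join(parts)
    return "\n".join(lines) + "\n"

# Constructed sample: an unsigned .dsc and the clearsigned bytes that replace it.
UNSIGNED_DSC = b"Format: 3.0 (quilt)\nSource: libfoo\nVersion: 1.0-1\n"
SIGNED_DSC = (b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n" + UNSIGNED_DSC +
              b"-----BEGIN PGP SIGNATURE-----\n\n(constructed)\n-----END PGP SIGNATURE-----\n")

def sample_changes(dsc):
    """Build a minimal constructed .changes that describes the given .dsc bytes."""
    h = lambda alg: hashlib.new(alg, dsc).hexdigest()
    return ("Format: 1.8\nSource: libfoo\nVersion: 1.0-1\n"
            f"Checksums-Sha1:\n {h('sha1')} {len(dsc)} libfoo_1.0-1.dsc\n"
            f"Checksums-Sha256:\n {h('sha256')} {len(dsc)} libfoo_1.0-1.dsc\n"
            f"Files:\n {h('md5')} {len(dsc)} libs optional libfoo_1.0-1.dsc\n")
```

Running stale_entries on the unsigned .changes after the rename and before gpg --clearsign gives a Jenkins job a cheap check that the upload will not be rejected for a checksum mismatch.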
alliulet