[ANNOUNCE] libevdev 1.2
Stephen Kitt
skitt at debian.org
Mon May 5 16:15:06 PDT 2014
On Tue, 6 May 2014 00:06:13 +0200, Stephen Kitt <skitt at debian.org> wrote:
> On Sun, 04 May 2014 11:43:18 +1000, Peter Hutterer
> <peter.hutterer at who-t.net> wrote:
> > On 3/05/2014 21:21 , Stephen Kitt wrote:
> > > On Wed, 30 Apr 2014 15:25:41 +1000, Peter Hutterer
> > > <peter.hutterer at who-t.net> wrote:
> > >> http://www.freedesktop.org/software/libevdev/libevdev-1.2.tar.xz
> > >> MD5: 220b17e015876cc045bddd891ab4fdc3 libevdev-1.2.tar.xz
> > >> SHA1: 787fc00c1ee023a179b46e57d6b5f7d84403c040 libevdev-1.2.tar.xz
> > >> SHA256:
> > >> 4195618067c01d915f67ad3034e89aaa597f5d548dbdd31fa12c569d4bf5a440
> > >> libevdev-1.2.tar.xz
> > >
> > > This, along with your signed announcement, means that the integrity of
> > > the archives can be checked properly manually; thanks!
> > >
> > > Would it also be possible to upload detached signatures to the archive,
> > > alongside the tarballs? That way the signatures could be checked
> > > automatically by the Debian infrastructure...
> >
> > We're using the release script from xorg:
> > http://cgit.freedesktop.org/xorg/util/modular/tree/release.sh
> >
> > Feel free to send me patches to add the format you need. Though I do
> > wonder: the tarball isn't available over https so I'm not sure what
> > adding a separate file with checksums would add, especially if it's on
> > the same server.
>
> OK, I'll look into it.
>
> I wasn't thinking of adding a separate file with checksums, but of adding a
> detached gnupg signature, which is verifiable with out-of-band information,
> given that your key is well connected in the WoT. (And while I'm at it,
> signing the git tag.)
Something like the following...
gpg-sign the git tag and the generated tarballs, and upload the signatures
along with the tarballs.
Signed-off-by: Stephen Kitt <skitt at debian.org>
--- release.sh.orig 2014-05-06 01:04:22.652607233 +0200
+++ release.sh 2014-05-06 01:12:17.114860393 +0200
@@ -299,6 +299,10 @@
return 1
fi
+ [ -n "$targz" ] && gpg -b $targz && siggz=${targz}.sig || true
+ [ -n "$tarbz2" ] && gpg -b $tarbz2 && sigbz2=${tarbz2}.sig || true
+ [ -n "$tarxz" ] && gpg -b $tarxz && sigxz=${tarxz}.sig || true
+
# Obtain the top commit SHA which should be the version bump
# It should not have been tagged yet (the script will do it later)
local_top_commit_sha=`git rev-list --max-count=1 HEAD`
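Review bot: the trailing "|| true" on the three added gpg lines hides a signing failure: if "gpg -b" exits non-zero (no secret key, agent unavailable, passphrase prompt cancelled), the sig variable stays empty and the release carries on as if nothing happened. Separate "no tarball of this type" from "signing failed" and abort on the latter, the way the surrounding code already does with "return 1", for example: if [ -n "$targz" ]; then gpg -b "$targz" || return 1; siggz="${targz}.sig"; fi. The tarball variables should also be quoted in the gpg call. On a re-run gpg will prompt before overwriting an existing .sig file, so decide whether the script should remove stale signatures first.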
@@ -354,7 +358,7 @@
else
# Tag the top commit with the tar name
if [ x"$DRY_RUN" = x ]; then
- git tag -m $tar_name $tar_name
+ git tag -s -m $tar_name $tar_name
if [ $? -ne 0 ]; then
echo "Error: unable to tag module with \"$tar_name\"."
cd $top_src
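Review bot: switching to "git tag -s" makes a usable GPG secret key a hard requirement for everyone who runs release.sh, and that requirement is not documented anywhere in this change. When signing fails, the existing message "Error: unable to tag module with ..." gives no hint that the key was the cause. Either mention the signing requirement (and user.signingkey for selecting the key) in the script's usage text, or extend the error message to say the tag is now signed. Note also that the tarballs are signed before this point, so a failure here leaves .sig files on disk for a release that was never tagged.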
@@ -501,7 +505,7 @@
# Upload to host using the 'scp' remote file copy program
if [ x"$DRY_RUN" = x ]; then
echo "Info: uploading tarballs to web server:"
- scp $targz $tarbz2 $tarxz $USER_NAME$hostname:$srv_path
+ scp $targz $tarbz2 $tarxz $siggz $sigbz2 $sigxz $USER_NAME$hostname:$srv_path
if [ $? -ne 0 ]; then
echo "Error: the tarballs uploading failed."
cd $top_src
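Review bot: nothing on the changed scp line, or before it, checks that $siggz, $sigbz2 and $sigxz were actually set. Because they are unquoted and may be empty (see the "|| true" in the first hunk), a release whose signing failed uploads the tarballs with no signatures and reports success. Before the scp, verify that each non-empty tarball variable has a matching .sig file and abort otherwise. The "Info: uploading tarballs" and "the tarballs uploading failed" messages should mention the signatures as well, so the log reflects what was sent.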
Regards,
Stephen