[[signing-key]]
=== debian/upstream/signing-key.asc

Some packages are signed by the GPG key.

For example, https://www.gnu.org/software/hello/[GNU hello] can be downloaded via HTTP from https://ftp.gnu.org/gnu/hello/ .  There are sets of files:

* *hello-*'version'*.tar.gz* (upstream source)
* *hello-*'version'*.tar.gz.sig* (detached signature)

Let's pick the latest version set.

----
$ wget https://ftp.gnu.org/gnu/hello/hello-2.9.tar.gz
 ...
$ wget https://ftp.gnu.org/gnu/hello/hello-2.9.tar.gz.sig
 ...
$ gpg --verify hello-2.9.tar.gz.sig
gpg: Signature made Thu 10 Oct 2013 08:49:23 AM JST using DSA key ID 80EE4A00
gpg: Can't check signature: public key not found
----

If you know the public GPG key of the upstream from the mailing list, use it as the *debian/upstream/signing-key.asc* file.  Otherwise, use the hkp keyserver and check it via your https://en.wikipedia.org/wiki/Web_of_trust[web of trust].

----
$ gpg --keyserver hkp://keys.gnupg.net --recv-key 80EE4A00
gpg: requesting key 80EE4A00 from hkp server keys.gnupg.net
gpg: key 80EE4A00: public key "Reuben Thomas <rrt@sc3d.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --verify hello-2.9.tar.gz.sig
gpg: Signature made Thu 10 Oct 2013 08:49:23 AM JST using DSA key ID 80EE4A00
gpg: Good signature from "Reuben Thomas <rrt@sc3d.org>"
  ...
Primary key fingerprint: 9297 8852 A62F A5E2 85B2  A174 6808 9F73 80EE 4A00
----

TIP:  If your network environment blocks access to the HPK port *11371*, use ``*hkp://keyserver.ubuntu.com:80*'' instead.

After confirming the key ID *80EE4A00* is trust worthy one, download its public key into the *debian/upstream/signing-key.asc* file.

----
$ gpg --armor --export 80EE4A00 >debian/upstream/signing-key.asc
----

Then set the corresponding *debian/watch* file as follows.

----
version=4
pgpsigurlmangle=s/$/.sig/  https://ftp.gnu.org/gnu/hello/ hello-(\d[\d.]*)\.tar\.(?:gz|bz2|xz)
----

Now the *uscan* command will check the authenticity of the package using the GPG signature.

[[dfsg]]
=== debian/watch and DFSG

Debian takes software freedom seriously and follows the https://www.debian.org/social_contract.html#guidelines[DFSG].

The non-https://www.debian.org/social_contract.html#guidelines[DFSG] components in the upstream source tarball can be easily removed when the *uscan* command is used to update the Debian package.

* List the files to be removed in the *Files-Excluded* stanza of the  *debian/copyright* file.
* List the URL to download the upstream tarball in the *debian/watch* file.
* Run the *uscan* command to download the new upstream tarball.
** Alternatively, use the ``*gbp import-orig --uscan --pristine-tar*'' command.
* The resulting tarball has the version number with an additional suffix *+dfsg*.

