Automatically sign package files from debuild and upload with dput

I've created a source package for a library I'm working on. I use debuild to build it and then I can successfully upload it with dput.

Now I want to set it up so that I can do this automatically from Jenkins. The main issue I'm running into is signing the .dsc and .changes files. What I'm trying to do is sign the packages with gpg rather than having debuild do it. This way I can sign the files automatically with the gpg option --passphrase-fd 0.

So I use debuild with the options -uc and -us and then clearsign the files with gpg. But when I do this it creates a separate .dsc.asc and source.changes.asc. When I then try to upload with dput I get the error

Checking signature on .changes
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

This would seem to suggest that I should list the .asc file as an argument to dput but I can't get this to work.


Solution 1:

I found the following solution with debsign and the -p option:

  • use debuild without the signature, as you mentioned
  • then use debsign with the -p option to set the passphrase to use, like this

    debsign \
      -p'gpg --passphrase-file /home/myname/my_passphrase_file.txt --batch --no-use-agent' \
      -S -kMYKEYID package_source.changes


Still having some other issues, but this part looks like it's working. Signing files with GPG directly does not work, as the checksums computed during the debuild are changed.

I always prefer storing keys with passphrase anyway.

Solution 2:

The easy answer is: Launchpad daily builds, they do all of this for you, fairly securely.

If you want to be doing source uploads from Jenkins, then I suggest creating a key just for this Jenkins job. Having a passphrase on it wouldn't improve the security very much if the Jenkins job would have to know the passphrase, so one might as well just leave it unprotected.

If you really want to sign the .dsc and .changes files by hand, sign them with gpg --clearsign, and rename the .asc files over the originals.
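Why Solution 1 notes that a plain gpg --clearsign breaks the upload, and what debsign does about it: once the .dsc is wrapped in a signature its size and digests differ from what debuild recorded in the .changes file, so those entries have to be refreshed before the .changes itself is signed. The script below is an added example, not code from either answer; it assumes coreutils md5sum/sha1sum/sha256sum, gpg 2.1 or newer, a key id in $SIGN_KEY and its passphrase in the file named by $PASSFILE.

```shell
#!/bin/sh
# Added example (not from either answer): reproduce what debsign does when a
# .dsc is re-signed after debuild has already written the .changes file.
# Assumptions: coreutils md5sum/sha1sum/sha256sum, gpg >= 2.1, a key id in
# $SIGN_KEY and its passphrase in the file named by $PASSFILE.
set -eu

# Clearsign a file in place with an unattended passphrase (what debsign -p
# arranges). The .asc is renamed over the original, as Solution 2 suggests.
clearsign_inplace() {
    gpg --batch --yes --pinentry-mode loopback --passphrase-file "$PASSFILE" \
        --local-user "$SIGN_KEY" --clearsign --output "$1.asc" "$1"
    mv "$1.asc" "$1"
}

# Refresh the md5/sha1/sha256/size entries for file $2 inside .changes file $1.
# debuild hashed the unsigned .dsc; once gpg wraps it in a signature the size
# and digests differ and the .changes no longer describes the file being sent.
update_changes_checksums() {
    changes=$1; target=$2; name=$(basename "$target")
    md5=$(md5sum "$target" | cut -d' ' -f1)
    sha1=$(sha1sum "$target" | cut -d' ' -f1)
    sha256=$(sha256sum "$target" | cut -d' ' -f1)
    size=$(wc -c < "$target" | tr -d ' ')
    # Field lists in .changes are indented by one space under a "Header:" line;
    # rebuilding $0 in awk drops that indent, so it is put back explicitly.
    awk -v n="$name" -v md5="$md5" -v s1="$sha1" -v s256="$sha256" -v sz="$size" '
        /^[^ ]/ { section = $0 }
        /^ / && $NF == n && section == "Files:"            { $1 = md5;  $2 = sz; $0 = " " $0 }
        /^ / && $NF == n && section == "Checksums-Sha1:"   { $1 = s1;   $2 = sz; $0 = " " $0 }
        /^ / && $NF == n && section == "Checksums-Sha256:" { $1 = s256; $2 = sz; $0 = " " $0 }
        { print }
    ' "$changes" > "$changes.tmp" && mv "$changes.tmp" "$changes"
}

# Full sequence for one upload: sign the .dsc, fix its entries, sign .changes.
# Usage: sign_source_package hello_1.0-1_source.changes
sign_source_package() {
    changes=$1
    dsc=$(dirname "$changes")/$(awk '/^ / && $NF ~ /\.dsc$/ { print $NF; exit }' "$changes")
    clearsign_inplace "$dsc"
    update_changes_checksums "$changes" "$dsc"
    clearsign_inplace "$changes"
}
```

Run sign_source_package on the unsigned .changes produced by debuild -us -uc; dput then finds a signed .changes whose checksums match the signed .dsc, which is the same end state debsign -p reaches.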