path: root/scripts/debsign.1

.TH DEBSIGN 1 "Debian Utilities" "DEBIAN" \" -*- nroff -*-
.SH NAME
debsign \- sign a Debian .changes and .dsc file pair using GPG
.SH SYNOPSIS
\fBdebsign\fR [\fIoptions\fR] [\fIchanges-file\fR|\fIdsc-file\fR|\fIcommands-file\fR ...]
.SH DESCRIPTION
\fBdebsign\fR mimics the signing aspects (and bugs) of
\fBdpkg-buildpackage\fR(1).  It takes a \fI.dsc\fR, \fI.buildinfo\fR, or
\fI.changes\fR file and signs it, and any child \fI.dsc\fR,
\fI.buildinfo\fR, or \fI.changes\fR files directly or indirectly
referenced by it, using the GNU Privacy Guard. It is careful to
calculate the size and checksums of any newly signed child files and
replace the original values in the parent file.
.PP
If no file is specified, \fIdebian/changelog\fR is parsed to determine
the name of the \fI.changes\fR file to look for in the parent
directory.
.PP
If a \fI.commands\fR file is specified it is first validated (see the
details at \fIftp://ftp.upload.debian.org/pub/UploadQueue/README\fR),
and the name specified in the Uploader field is used for signing.
.PP
This utility is useful if a developer must build a package on one
machine where it is unsafe to sign it; they need then only transfer
the small \fI.dsc\fR, \fI.buildinfo\fR and \fI.changes\fR files to a
safe machine and then use the \fBdebsign\fR program to sign them before
transferring them back.  This process can be automated in two ways.
If the files to be signed live on the \fBremote\fR machine, the
\fB\-r\fR option may be used to copy them to the local machine and back
again after signing.  If the files live on the \fBlocal\fR machine, then
they may be transferred to the remote machine for signing using
\fBdebrsign\fR(1).  However note that it is probably safer to have your
trusted signing machine use \fBdebsign\fR to connect to the untrusted
non-signing machine, rather than using \fBdebrsign\fR to make the
connection in the reverse direction.
.PP
This program can take default settings from the \fBdevscripts\fR
configuration files, as described below.
.SH OPTIONS
.TP
.B \-r \fR[\fIusername\fB@\fR]\fIremotehost\fR
The files to be signed live on the specified remote host.  In this case,
a \fI.dsc\fR, \fI.buildinfo\fR or \fI.changes\fR file must be explicitly
named, with an absolute directory or one relative to the remote home
directory.  \fBscp\fR will be used for the copying.  The
\fR[\fIusername\fB@\fR]\fIremotehost\fB:\fIfilename\fR syntax is
permitted as an alternative.  Wildcards (\fB*\fR etc.) are allowed.
.TP
.B \-p\fIprogname\fR
When \fBdebsign\fR needs to execute GPG to sign it will run \fIprogname\fR
(searching the \fBPATH\fR if necessary), instead of \fBgpg\fR.
.TP
.B \-m\fImaintainer\fR
Specify the maintainer name to be used for signing.  (See
\fBdpkg-buildpackage\fR(1) for more information about the differences
between \fB\-m\fR, \fB\-e\fR and \fB\-k\fR when building packages;
\fBdebsign\fR makes no use of these distinctions except with respect
to the precedence of the various options.  These multiple options are
provided so that the program will behave as expected when called by
\fBdebuild\fR(1).)
.TP
.B \-e\fImaintainer\fR
Same as \fB\-m\fR but takes precedence over it.
.TP
.B \-k\fIkeyid\fR
Specify the key ID to be used for signing; overrides any \fB\-m\fR
and \fB\-e\fR options.
.TP
\fB\-S\fR
Look for a source-only \fI.changes\fR file instead of a binary-build
\fI.changes\fR file.
.TP
\fB\-a\fIdebian-architecture\fR, \fB\-t\fIGNU-system-type\fR
See \fBdpkg-architecture\fR(1) for a description of these options.
They affect the search for the \fI.changes\fR file.  They are provided
to mimic the behaviour of \fBdpkg-buildpackage\fR when determining the
name of the \fI.changes\fR file.
.TP
\fB\-\-multi\fR
Multiarch \fI.changes\fR mode: This signifies that \fBdebsign\fR should
use the most recent file with the name pattern
\fIpackage_version_*+*.changes\fR as the \fI.changes\fR file, allowing for the
\fI.changes\fR files produced by \fBdpkg-cross\fR.
.TP
\fB\-\-re\-sign\fR, \fB\-\-no\-re\-sign\fR
Recreate signature, respectively use the existing signature, if the
file has been signed already.  If neither option is given and an already
signed file is found the user is asked if he or she likes to use the
current signature.
.TP
\fB\-\-debs\-dir\fR \fIDIR\fR
Look for the files to be signed in directory \fIDIR\fR instead of the
parent of the source directory.  This should either be an absolute path
or relative to the top of the source directory.
.TP
\fB\-\-no-conf\fR, \fB\-\-noconf\fR
Do not read any configuration files.  This can only be used as the
first option given on the command-line.
.TP
.BR \-\-help ", " \-h
Display a help message and exit successfully.
.TP
.B \-\-version
Display version and copyright information and exit successfully.
.SH "CONFIGURATION VARIABLES"
The two configuration files \fI/etc/devscripts.conf\fR and
\fI~/.devscripts\fR are sourced in that order to set configuration
variables.  Command line options can be used to override configuration
file settings.  Environment variable settings are ignored for this
purpose.  The currently recognised variables are:
.TP
.B DEBSIGN_PROGRAM
Setting this is equivalent to giving a \fB\-p\fR option.
.TP
.B DEBSIGN_MAINT
This is the \fB\-m\fR option.
.TP
.B DEBSIGN_KEYID
And this is the \fB\-k\fR option.
.TP
.B DEBSIGN_ALWAYS_RESIGN
Always re-sign files even if they are already signed, without prompting.
.TP
.B DEBRELEASE_DEBS_DIR
This specifies the directory in which to look for the files to be
signed, and is either an absolute path or relative to the top of the
source tree.  This corresponds to the \fB\-\-debs\-dir\fR command line
option.  This directive could be used, for example, if you always use
\fBpbuilder\fR or \fBsvn-buildpackage\fR to build your packages.  Note
that it also affects \fBdebrelease\fR(1) in the same way, hence the
strange name of the option.
.SH "SEE ALSO"
.BR debrsign (1),
.BR debuild (1),
.BR dpkg-architecture (1),
.BR dpkg-buildpackage (1),
.BR gpg (1),
.BR gpg2 (1),
.BR md5sum (1),
.BR sha1sum (1),
.BR sha256sum (1),
.BR scp (1),
.BR devscripts.conf (5)
.SH AUTHOR
This program was written by Julian Gilbey <jdg@debian.org> and is
copyright under the GPL, version 2 or later.