Email addresses wrt keys on PPA

Asked by David B

Can I please clarify the situation wrt email addresses and signing when working with PPAs?

There seem to be four relevant email addresses:
The address associated with my Launchpad account
The address on my PGP key that I have added to my Launchpad account
The address that appears in debian/changelog in a src dep package
The address that appears in the Maintainer field of the debian/control file, build section.

Do all four need to be the same? If not all four, which ones do need to match?

The reason I ask is I would prefer to use an email address associated with my project rather than my personal email address. But my Launchpad account already has my personal email address, so, in my testing phase, I have stuck with that.

The project-specific address is a valid address, it forwards to me and it's already associated with a key I use for signing rpm files, for example. It's RSA, 3072 bytes.

I don't want to create a new Launchpad account in the project name (not even sure yet if it's permitted) but if all are to match, I guess I have to consider it?

Davo

Question information

Language: English
Status: Solved
For: Launchpad itself
Assignee: No assignee
Solved by: Colin Watson

Best Colin Watson (cjwatson) said :
#1

The short answer is that it's simplest if all four match, but if they're all different then nothing very much goes wrong.

The address on your GPG key is mainly informational as far as Launchpad is concerned. It's used when people try to work out who a key belongs to, and if you expect to be able to exchange signed or encrypted email then it should match the email address you're using or people will probably get confused, but Launchpad doesn't require it to match an email address on your account.

When you sign a source package in preparation for upload, the debsign tool will look up a GPG key using the email address in debian/changelog, so it's easiest if that matches your key. However, it's also perfectly possible to override that by giving it the key ID (or, better, the full fingerprint) of a particular key instead, and many people do that to avoid problems if they have multiple unrevoked keys for whatever reason. See "man debsign" for details.

When you upload a source package, Launchpad checks what key signed it, looks for an account with that key attached to it, and treats the upload as coming from that user. The addresses in debian/changelog and debian/control don't have to match this, although they may be emailed about the upload if they're associated with a different Launchpad account. (For instance, this sometimes occurs in Ubuntu when a mentor reviews and signs somebody else's upload.)

The addresses in debian/changelog and debian/control will be rendered as links to the corresponding Launchpad accounts in Launchpad's web UI. If a corresponding account doesn't exist, then the upload processor will create a sort of placeholder account for them. You can claim that account and merge it into your own later, or you can just leave it alone.

In the case you describe, my recommendations would be:

 * List a project-specific email address in Maintainer, if you like. This can be a role address for people to email with questions about the project. It doesn't have to be associated with a Launchpad account, other than the autocreated one.
 * Normally, use your own address in debian/changelog. You, a real human, made the change.
 * It doesn't matter very much what address is on the GPG key, but the key itself needs to be attached to a Launchpad account that has the necessary upload permissions. If you're building significant automation of some kind then you might want to have a dedicated Launchpad account for this so that the automation doesn't have access to things it shouldn't, but in most cases it should probably just be attached to your normal personal account.
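
The key-selection behaviour described in this answer, as an added Python example (not part of the answer and not Launchpad or devscripts code): it reads the address from the newest debian/changelog trailer, compares it with the user IDs on the local secret keys, and pins the signing key by full fingerprint with debsign's -k option when the changelog address would not select the intended key. The changelog entry, the gpg listing and the fingerprint are constructed samples, and the exact-address match is a simplifying assumption about the lookup. The Maintainer field plays no part in choosing the key.

```python
from email.utils import parseaddr

# Constructed sample inputs (not from the thread); names, addresses and key are fake.
CHANGELOG = """\
myproject (1.0-1~ppa1) jammy; urgency=medium

  * Initial PPA upload.

 -- Jane Dev <jane@personal.example>  Mon, 01 Jan 2024 10:00:00 +0000
"""
# Shape of `gpg --list-secret-keys --with-colons` output (field 10 = fingerprint / user ID).
GPG_COLONS = """\
sec:u:3072:1:89ABCDEF01234567:1600000000:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::HASH::My Project <team@project.example>:
"""
PROJECT_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

def changelog_address(changelog):
    """Address in the trailer line (' -- Name <addr>  date') of the newest entry."""
    for line in changelog.splitlines():
        if line.startswith(" -- "):
            return parseaddr(line[4:].split("  ")[0])[1].lower()
    raise ValueError("no changelog trailer line found")

def secret_keys(colons):
    """Map primary-key fingerprint -> set of addresses on its user IDs."""
    keys, current = {}, None
    for fields in (line.split(":") for line in colons.splitlines()):
        if fields[0] == "sec":
            current = None                      # the next fpr record is this key's
        elif fields[0] == "fpr" and current is None:
            current = fields[9]
            keys[current] = set()
        elif fields[0] == "uid" and current:
            keys[current].add(parseaddr(fields[9])[1].lower())
    return keys

def debsign_command(changelog, colons, changes_file, wanted_fpr):
    """Pin the key with -k unless the changelog address selects exactly that key."""
    keys = secret_keys(colons)
    if wanted_fpr not in keys:
        raise KeyError("no secret key with fingerprint " + wanted_fpr)
    addr = changelog_address(changelog)
    matching = [fpr for fpr, uids in keys.items() if addr in uids]
    if matching == [wanted_fpr]:
        return ["debsign", changes_file]
    return ["debsign", "-k" + wanted_fpr, changes_file]
```

With the sample data the changelog carries a personal address while the key carries only the project address, so the function returns the fingerprint-pinned form.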

David B (d-bannon) said :
#2

Thanks for the very detailed explanation Colin, very helpful!

I will follow your recommendation, will add my project-specific key to Launchpad, sign with that, put my personal email address in the changelog (I specify the key in the devscripts config file) and list the project email address in Maintainer.

Thanks indeed!

Davo