
debian: Update debian/upstream/signing-key.asc #1299

@rzr (Contributor) commented Mar 4, 2021

This change is needed for the Debian packaging effort for the latest release, 0.17.0.

#263

Because this key update is critical in the chain of trust,
may I request that upstream double-check and acknowledge this change.

This key was obtained from WoT using:

wget https://files.pythonhosted.org/packages/3a/7d/d1cadc8c68cdfe035412ca11a2fa3105a0a3fd18e4212053cf8f67bdd02a/tuf-0.17.0.tar.gz
wget https://files.pythonhosted.org/packages/3a/7d/d1cadc8c68cdfe035412ca11a2fa3105a0a3fd18e4212053cf8f67bdd02a/tuf-0.17.0.tar.gz.asc

gpg --verify  tuf-0.17.0.tar.gz.asc
gpg: assuming signed data in 'tuf-0.17.0.tar.gz'
gpg: Signature made Thu 25 Feb 2021 12:42:50 PM CET
gpg:                using RSA key 08F3409FCF71D87E30FBD3C21671F65CB74832A4
gpg: Can't check signature: No public key

gpg --recv-key 08F3409FCF71D87E30FBD3C21671F65CB74832A4 \
  --keyserver hkp://keys.gnupg.net
gpg --verify ../tuf-0.17.0.tar.gz.asc
gpg --fingerprint 08F3409FCF71D87E30FBD3C21671F65CB74832A4
# pub   rsa3072 2020-03-17 [SC] [expires: 2030-03-15]
#      08F3 409F CF71 D87E 30FB  D3C2 1671 F65C B748 32A4
# uid           [ unknown] Joshua Lock (GPG on YubiKey) <[email protected]>
# sub   rsa3072 2020-03-17 [E] [expires: 2030-03-15]
# sub   rsa3072 2020-03-17 [A] [expires: 2030-03-15]

gpg --armor --export 08F3409FCF71D87E30FBD3C21671F65CB74832A4 \
  > debian/upstream/signing-key.asc

Cc: Sebastien Awwad <[email protected] @awwad>
Cc: Lukas Puehringer <[email protected] @lukpueh>
Cc: Joshua Lock <[email protected] @joshuagl>
Relate-to: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#signing-key
Origin: https://github.com/CrossStream/tuf/tree/debian/master
Forwarded: https://github.com/theupdateframework/tuf/pulls/rzr
Signed-off-by: Philippe Coval <[email protected]>


@rzr rzr force-pushed the sandbox/rzr/upstream/debian/review/master branch from cad2694 to d872799 Compare March 4, 2021 10:34
@rzr (Contributor, Author) commented Mar 4, 2021

If you merge this change, please then rebase this branch on the latest tag; then, for the record, I'll mirror my packaging changes from the upcoming Debian git.

@lukpueh (Member) left a review comment

Thanks, @rzr!

FYI, I also checked that lintian wouldn't complain about public-upstream-key-not-minimal. Looks like --export-options export-minimal,export-clean don't change anything for this key.

LGTM!

@lukpueh (Member) commented Mar 9, 2021

Will rebase on top of 0.17.0 after merge.

@lukpueh lukpueh merged commit 569e8c7 into theupdateframework:debian Mar 9, 2021
lukpueh pushed a commit that referenced this pull request Mar 9, 2021
@rzr (Contributor, Author) commented Mar 9, 2021

Thx

Note that Debian will use a different base from the imported PyPI package;
see the related discussion at:

https://bugs.debian.org/934151

Feel free to acknowledge the co-maintenance plan I proposed to the Debian Python team.
Due to the freeze period, I'll see how it can be uploaded to Debian's experimental branch.

Stay tuned at

#263

@joshuagl (Member) commented Mar 9, 2021

Because this key update is critical in the trust's chain,
may I request upstream to double check and acknowledge this change.

FYI we publish all of our maintainer PGP fingerprints in the MAINTAINERS file https://github.com/theupdateframework/tuf/blob/develop/docs/MAINTAINERS.txt

@rzr (Contributor, Author) commented Mar 9, 2021

OK, currently only 08F3409FCF71D87E30FBD3C21671F65CB74832A4 is used; maybe I will sync/refresh/check this file to align with upcoming releases based on the MAINTAINERS file. I don't want to automate this too much until it lands in Debian.
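The procedure in the PR description trusts whatever key the keyserver returns for the key ID named in the signature, and the exchange above points at docs/MAINTAINERS.txt as the list the Debian key file should be aligned with. The check below is an added example (not code from the PR or from the tuf project) that pins that list: it parses the colon-format output of `gpg --with-colons --import-options show-only --import` for debian/upstream/signing-key.asc and rejects the file unless every primary key in it is a pinned, unrevoked, unexpired maintainer fingerprint. The colon-record sample, its epoch timestamps and the subkey values are constructed for the demo; gpg_show_only assumes a gpg binary on PATH.

```python
"""Pin-check debian/upstream/signing-key.asc: parses the colon-format output of
gpg --with-colons --import-options show-only --import <file> (layout per GnuPG's
doc/DETAILS) and rejects any primary key that is unpinned, revoked or expired."""
import subprocess
import time

# Fingerprint from the PR; in practice load this set from docs/MAINTAINERS.txt.
PINNED_FINGERPRINTS = {"08F3409FCF71D87E30FBD3C21671F65CB74832A4"}

# Constructed sample of gpg colon output: PR fingerprint, made-up timestamps/subkey.
SAMPLE_COLONS = """\
pub:-:3072:1:1671F65CB74832A4:1584403200:1899763200::-:::scSCA::::::23::0:
fpr:::::::::08F3409FCF71D87E30FBD3C21671F65CB74832A4:
uid:-::::1584403200::0000000000000000000000000000000000000000::Joshua Lock (GPG on YubiKey) <[email protected]>::::::::::0:
sub:-:3072:1:0000000000000001:1584403200:1899763200:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000001:
"""

def parse_primary_keys(colons_output):
    """Return [(fingerprint, validity, expiry_epoch_or_None)] per 'pub' record.
    The 'fpr' record after a 'sub' is a subkey fingerprint and is skipped: the
    packaging trust decision is made on the primary key fingerprint."""
    keys, pending = [], None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            pending = (f[1], int(f[6]) if f[6] else None)  # validity, expiry
        elif f[0] == "fpr" and pending is not None:
            keys.append((f[9], *pending))
            pending = None
        elif f[0] in ("sub", "ssb"):
            pending = None
    return keys

def check_signing_key(colons_output, pinned=PINNED_FINGERPRINTS, now=None):
    """Return a list of problems; an empty list means the key file is acceptable."""
    now = time.time() if now is None else now
    keys = parse_primary_keys(colons_output)
    problems = [] if keys else ["no primary key found in key file"]
    for fpr, validity, expires in keys:
        if fpr not in pinned:
            problems.append(f"{fpr}: not a pinned maintainer fingerprint")
        if validity == "r":
            problems.append(f"{fpr}: key is revoked")
        if expires is not None and expires <= now:
            problems.append(f"{fpr}: key has expired")
    return problems

def gpg_show_only(path):
    """List the armored key file without importing it into the local keyring."""
    cmd = ["gpg", "--with-colons", "--import-options", "show-only", "--import", path]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
```

Run `check_signing_key(gpg_show_only("debian/upstream/signing-key.asc"))` in packaging CI and fail the build on a non-empty result; the check stays meaningful only if the pinned set is refreshed from MAINTAINERS.txt rather than from a keyserver lookup.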

rzr added a commit to CrossStream/tuf that referenced this pull request Mar 18, 2021
rzr added a commit to CrossStream/tuf that referenced this pull request Jun 16, 2021