A subset of the reports of debian-watch-does-not-check-gpg-signature for the archive. Unfortunately the full list is too long, so only 1024 instances are listed on this page. At most 3 tags are shown per package. If you need the full list of tags, please download the lintian.log.gz file and extract the data you need.
The extended description of this tag is:
This watch file does not specify a means to verify the upstream tarball using a cryptographic signature.
If upstream provides such signatures, please use the pgpsigurlmangle option in this watch file's opts= to generate the URL of an upstream GPG signature. This signature is automatically downloaded and verified against a keyring stored in debian/upstream/signing-key.asc.
Of course, not all upstreams provide such signatures, but you could request them as a way of verifying that no third party has modified the code after its release (projects such as phpmyadmin, unrealircd, and proftpd have suffered from this kind of attack).
Refer to the uscan(1) manual page for details.
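The condition this tag describes can be checked locally before upload. The following is an added example, not Lintian's own code: it joins a watch file's continuation lines and reports every entry whose opts= carries no pgpsigurlmangle rule. The sample watch file, its URLs and the function names are constructed for illustration, and the check looks only at the option named in the description above; it does not confirm that debian/upstream/signing-key.asc exists.

```python
import re

# Constructed sample watch file (not taken from any real package).
SAMPLE = r'''
version=4
# entry 1: no signature verification configured
https://example.org/foo/ foo-(.+)\.tar\.gz
# entry 2: detached signature expected at <tarball URL>.asc
opts="pgpsigurlmangle=s%$%.asc%, \
  dversionmangle=s/\+dfsg//" \
  https://example.org/bar/ bar-(.+)\.tar\.gz
'''

OPTS_RE = re.compile(r'^opts\s*=\s*(?:"([^"]*)"|(\S+))')

def watch_entries(text):
    """Return logical entries: comments dropped, backslash continuations joined."""
    entries, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "
            continue
        entries.append(buf + line)
        buf = ""
    if buf.strip():
        entries.append(buf.strip())
    # The version= line is a format declaration, not an upstream source.
    return [e for e in entries if not re.match(r"version\s*=", e)]

def checks_signature(entry):
    """True if the entry's opts= list contains a pgpsigurlmangle rule."""
    m = OPTS_RE.match(entry)
    if not m:
        return False
    opts = m.group(1) if m.group(1) is not None else m.group(2)
    return re.search(r"(?:^|,)\s*pgpsigurlmangle\s*=", opts) is not None

def unsigned_entries(text):
    """Entries that would fetch a tarball without naming a signature URL."""
    return [e for e in watch_entries(text) if not checks_signature(e)]

if __name__ == "__main__":
    for entry in unsigned_entries(SAMPLE):
        print("no pgpsigurlmangle:", entry)
```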
Severity: pedantic, Certainty: certain
Check: watch-file, Type: source
This tag is marked experimental, which means that the code that generates it is not as well-tested as the rest of Lintian and might still give surprising results. Feel free to ignore experimental tags that do not seem to make sense, though of course bug reports are always welcome.
Evolution of the debian-watch-does-not-check-gpg-signature Lintian tag over the past 366 days:
Emitted (non-overridden): 24532, overridden: 387, total: 24919
The package names link to the relevant maintainer page and the corresponding report for the source package. The links go to the full maintainer report page, which includes info and experimental tags and overridden tags, rather than the default page that shows only errors and warnings.