A subset of the reports of debian-watch-does-not-check-gpg-signature for the archive. Unfortunately the full list is too long, so only 1024 instances are listed on this page. At most 3 tags are shown per package. If you need the full list of tags, please download the lintian.log.gz file and extract the data you need.
The extended description of this tag is:
This watch file does not include a means to verify the upstream tarball using cryptographic signature.
If upstream distributions provide such signatures, please use the pgpsigurlmangle options in this watch file's opts= to generate the URL of an upstream GPG signature. This signature is automatically downloaded and verified against a keyring stored in debian/upstream/signing-key.asc.
Of course, not all upstreams provide such signatures, but you could request them as a way of verifying that no third party has modified the code against their wishes after the release. Projects such as phpmyadmin, unrealircd, and proftpd have suffered from this kind of attack.
Refer to the uscan(1) manual page for details.
Severity: pedantic, Certainty: certain
Check: watch-file, Type: source
Evolution of the debian-watch-does-not-check-gpg-signature Lintian tag over the past 366 days:
Emitted (non-overridden): 22877, overridden: 317, total: 23194
The package names link to the relevant maintainer page and the corresponding report for the source package. The links go to the full maintainer report page, which includes info and experimental tags and overridden tags, rather than the default page that shows only errors and warnings.