$ gpg --verify mariadb-10.3_10.3.39.orig.tar.gz.asc
gpg: assuming signed data in 'mariadb-10.3_10.3.39.orig.tar.gz'
gpg: Signature made ma 8. toukokuuta 2023 21.20.29 CST
gpg: using RSA key 177F4010FE56CA3336300305F1656F24C74CD1D8
gpg: Good signature from "MariaDB Signing Key <email address hidden>" [full]
I imported upstream with uscan so all this validation was automatic anyway.
This is also what I get from a clean gbp-build using gbp 0.9.19 on Ubuntu 20.04.
I have double checked my local git and remote is synced.
I even downloaded the git repository from Salsa to a temporary directory and ran git-buildpackage to produce the source package both using the Focal and Debian Sid versions, and I am unable to reproduce the xdelta bug you saw with the umt builder.
From https:/ /mariadb. org/download/ ?t=mariadb& o=true& p=mariadb& r=10.3. 39&os=source you can see that for mariadb- 10.3.39. tar.gz the correct sha256sum is 18bd51c847565af 4da18748b052ab9 bcbb569ab6e6766 ca8da7dcca1f941 f876.
This matches what I have locally and what I used during packaging:
$ sha256sum mariadb- 10.3_10. 3.39.orig. tar.gz 4da18748b052ab9 bcbb569ab6e6766 ca8da7dcca1f941 f876 mariadb- 10.3_10. 3.39.orig. tar.gz
18bd51c847565af
$ gpg --verify mariadb- 10.3_10. 3.39.orig. tar.gz. asc 10.3_10. 3.39.orig. tar.gz' 336300305F1656F 24C74CD1D8
gpg: assuming signed data in 'mariadb-
gpg: Signature made ma 8. toukokuuta 2023 21.20.29 CST
gpg: using RSA key 177F4010FE56CA3
gpg: Good signature from "MariaDB Signing Key <email address hidden>" [full]
I imported upstream with uscan so all this validation was automatic anyway.
This is also what I get from a clean gbp-build using gbp 0.9.19 on Ubuntu 20.04.
I have double checked my local git and remote is synced.
I even downloaded the git repository from Salsa to a temporary directory and ran git-buildpackage to produce the source package both using the Focal and Debian Sid versions, and I am unable to reproduce the xdelta bug you saw with the umt builder.