.. task:: Debsign

Debsign task
------------

This is a :ref:`signing task <task-type-signing>` that signs a
:artifact:`debian:upload` artifact on a signing worker.  It is separate from
the :task:`Sign` task because signing uploads is a customized operation
involving signing multiple files and updating the ``.changes`` file.

The ``task_data`` for this task may contain the following keys:

* ``unsigned`` (:ref:`lookup-single`, required): the
  :artifact:`debian:upload` artifact whose contents should be signed
* ``key`` (string, required): the fingerprint of the
  :asset:`debusine:signing-key` asset to sign the upload with, which must
  have purpose ``openpgp``

The output will be provided as a :artifact:`debian:upload` artifact, with
``relates-to`` relations to the unsigned artifact.

The ``.changes`` file has additional audit-trail fields added:

* ``Debusine-User``: A URL for the user who created the signing task.
* ``Debusine-Work-Request``: A URL for the signing task work request.
* ``Debusine-Workflow``: A URL for the workflow that the signing task
  was part of. Not present if it was a stand-alone task.

Used by the :workflow:`package_upload` workflow.
