# Upstream provides PGP-signed git tags, rather than tarballs; and GitHub
# doesn't seem to expose the tag itself (in the `git cat-file tag 0.6.0` sense)
# in a GETable URL. Thus, the debian/upstream/signing-key.asc _is_ useful — it
# serves to pin the public keys expected to sign upstream tags — even though that
# verification is not currently automated.
zsh-syntax-highlighting source: debian-watch-could-verify-download
# Upstream provides PGP-signed git tags, rather than tarballs.
zsh-syntax-highlighting source: debian-watch-does-not-check-gpg-signature
# Upstream provides PGP-signed git tags, rather than tarballs.
zsh-syntax-highlighting source: orig-tarball-missing-upstream-signature