+ my $multi = "../${package}_".(stripepoch $cversion)."_multi.changes";
+ if (stat "$multi") {
+ $changesfile = $multi;
+ } else {
+ $!==&ENOENT or die "$multi: $!";
+ my $pat = "${package}_".(stripepoch $cversion)."_*.changes";
+ my @cs = glob "../$pat";
+ fail "failed to find unique changes file".
+ " (looked for $pat in .., or $multi);".
+ " perhaps you need to use dgit -C"
+ unless @cs==1;
+ ($changesfile) = @cs;
+ }
+ }
+ my $changes = parsecontrol($changesfile,$changesfile);
+ foreach my $field (qw(Source Distribution Version)) {
+ $changes->{$field} eq $clogp->{$field} or
+ fail "changes field $field \`$changes->{$field}'".
+ " does not match changelog \`$clogp->{$field}'";
+ }
+ my $tag = debiantag($dversion);
+ runcmd @git, qw(check-ref-format), $tag;
+
+ # We make the git tag by hand because (a) that makes it easier
+ # to control the "tagger" (b) we can do remote signing
+ my $authline = clogp_authline $clogp;
+ my $tfn = sub { ".git/dgit/tag$_[0]"; };
+ open TO, '>', $tfn->('.tmp') or die $!;
+ print TO <<END or die $!;
+object $head
+type commit
+tag $tag
+tagger $authline
+
+$package release $dversion for $csuite [dgit]
+END
+ close TO or die $!;
+
+ my $tagobjfn = $tfn->('.tmp');
+ if ($sign) {
+ if (!defined $keyid) {
+ $keyid = access_cfg('keyid','RETURN-UNDEF');
+ }
+ unlink $tfn->('.tmp.asc') or $!==&ENOENT or die $!;
+ my @sign_cmd = (@gpg, qw(--detach-sign --armor));
+ push @sign_cmd, qw(-u),$keyid if defined $keyid;
+ push @sign_cmd, $tfn->('.tmp');
+ runcmd_ordryrun @sign_cmd;
+ if (!$dryrun) {
+ $tagobjfn = $tfn->('.signed.tmp');
+ runcmd shell_cmd "> $tagobjfn", qw(cat --),
+ $tfn->('.tmp'), $tfn->('.tmp.asc');
+ }
+ }
+ my $tag_obj_hash = runcmd @git, qw(hash-object -w -t tag), $tagobjfn;
+ runcmd_ordryrun @git, qw(verify-tag), $tag_obj_hash;
+ runcmd_ordryrun @git, qw(update-ref), "refs/tags/$tag", $tag_obj_hash;
+ runcmd_ordryrun @git, qw(tag -v --), $tag;
+