From 3606414834646823c1bf9d698258740848ba8bad Mon Sep 17 00:00:00 2001
From: DistroBaker
Date: Thu, 18 Feb 2021 16:15:24 +0000
Subject: [PATCH] Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out, contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/cairomm.git#508e5566a0fc3f1de65ffb8785f1c3410dadac45
---
 cairomm.spec | 57 ++++++++++++++++++++++++++++++++++++++++--------------
 gpg_key.pub | 41 +++++++++++++++++++++++++++++++++++++++
 sources | 1 -
 3 files changed, 83 insertions(+), 16 deletions(-)
 create mode 100644 gpg_key.pub

diff --git a/cairomm.spec b/cairomm.spec
index 0c81f4e..dfa0b05 100644
--- a/cairomm.spec
+++ b/cairomm.spec
@@ -9,23 +9,25 @@ Name: cairomm
 Summary: C++ API for the cairo graphics library
 Version: 1.14.2
-Release: 6%{?dist}
+Release: 7%{?dist}
 URL: https://www.cairographics.org
 License: LGPLv2+
 %global src_base https://www.cairographics.org/releases
 Source0: %{src_base}/%{name}-%{version}.tar.xz
-# We cannot verify GPG signatures at this time because there is no published
-# keychain or keyserver to get the signing key. (Additionally, the signature is
-# over a cryptographically-weak SHA1 checksum.) See
-# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25.
-Source1: %{src_base}/%{name}-%{version}.tar.xz.sha1
-Source2: %{src_base}/%{name}-%{version}.tar.xz.sha1.asc
-# Source3 reserved for future GPG keyring
+# The complete set of authorized GPG signing keys is not published
+# (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), and
+# the signature is over a cryptographically-weak SHA1 checksum file
+# (https://gitlab.freedesktop.org/cairo/cairo/-/issues/458), as initially
+# reported in https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25.
+# However, we are able to verify the signature (of the weak SHA1 checksum)
+# using the key for Kjell Ahlstedt from
+# https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/290.
+Source1: %{src_base}/cairomm-%{version}.tar.xz.sha1.asc
+Source2: https://gitlab.freedesktop.org/freedesktop/freedesktop/uploads/0ac64e9582659f70a719d59fb02cd037/gpg_key.pub
-# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25
-# BuildRequires: gnupg2
+BuildRequires: gnupg2
 BuildRequires: gcc-c++
 BuildRequires: meson
@@ -72,6 +74,8 @@ Provides: %{name}%{apiver}%{?_isa} = %{version}-%{release}
 %description
 This library provides a C++ interface to cairo.
+The API/ABI version series is %{apiver}.
+
 %package devel
 Summary: Development files for %{name}
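Review bot: Source2 points at a one-off GitLab issue-attachment URL, and neither the comment above it nor the committed gpg_key.pub records the fingerprint of the key being trusted, so a later reader cannot confirm that the keyring in dist-git is the key described in issue #290 or notice a substituted attachment. Record the fingerprint next to the key, e.g. `# Fingerprint of the key in gpg_key.pub (see issue 290): <fingerprint>`, so both %prep and a human reviewer have something to check against. Fedora's source-verification guidance also favors naming a committed keyring after its fingerprint (`gpgkey-<FINGERPRINT>.gpg`) rather than a generic `gpg_key.pub`, which makes a changed key stand out in review. The key file is committed directly rather than listed in `sources`, which is fine, but it means a fingerprint in the spec is the only in-band identity check.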
@@ -83,6 +87,8 @@ Provides: %{name}%{apiver}-devel%{?_isa} = %{version}-%{release}
 The %{name}-devel package contains libraries and header files for developing applications that use %{name}.
+The API/ABI version series is %{apiver}.
+
 %package doc
 Summary: Documentation for %{name}
@@ -97,15 +103,32 @@ Documentation for %{name} can be viewed either through the devhelp
 documentation browser or through a web browser at %{_datadir}/doc/%{name}-%{apiver}/.
+The API/ABI version series is %{apiver}.
+
 %prep
 # https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25
-pushd "$(dirname %{SOURCE1})"
-sha1sum -c "$(basename %{SOURCE1})"
+# The .sha1.asc file in %%{SOURCE2} is a signed-but-not-encrypted copy of the
+# corresponding .sha1 file; see the description of the --sign option in
+# https://access.redhat.com/solutions/1541303. We “decrypt it” using the
+# signer’s public key from %%{SOURCE3} to obtain a verified copy of the .sha1
+# file. To do so, we must first import the public key into a keyring; see
+# /usr/lib/rpm/redhat/gpgverify, which is the implementation of the %%gpgverify
+# macro, although we cannot use that macro due to the unconventional signing
+# scheme.
+workdir="$(mktemp --directory)"
+workring="${workdir}/keyring.gpg"
+gpg2 --homedir="${workdir}" --yes --no-default-keyring \
+ --keyring "${workring}" --import '%{SOURCE2}'
+gpg2 --homedir="${workdir}" --keyring "${workring}" --decrypt '%{SOURCE1}' \
+ > "${workdir}/%{name}.sha1"
+pushd "${workdir}"
+ln -s '%{SOURCE0}'
+sha1sum -c %{name}.sha1
 popd
-# %%{gpgverify} --keyring='%%{SOURCE3}' --signature='%%{SOURCE2}' \
-# --data='%%{SOURCE1}'
-%setup -q
+rm -rf "${workdir}"
+
+%autosetup
 # We must remove the jQuery/jQueryUI bundle with precompiled/minified/bundled
 # JavaScript that is in untracked/docs/reference/html/jquery.js, since such
 # sources are banned in Fedora. (Note also that the bundled JavaScript had a
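Review bot: The verification in %prep rests entirely on the exit status of `gpg2 --decrypt`, which succeeds for an OpenPGP message that carries no signature at all (a bare literal-data packet) and for a good signature from any key in the keyring, so a forged `.sha1.asc` that merely packages a checksum file would pass this step and `sha1sum -c` would then vouch for a matching forged tarball. Capture the machine-readable status and require a `VALIDSIG` from the expected key: `gpg2 --homedir="${workdir}" --keyring "${workring}" --status-fd 3 --decrypt '%{SOURCE1}' > "${workdir}/%{name}.sha1" 3> "${workdir}/gpg.status"` followed by `grep -q '^\[GNUPG:\] VALIDSIG <FINGERPRINT-OF-gpg_key.pub> ' "${workdir}/gpg.status"`; with the keyring holding a single key this mainly closes the unsigned-message case, while pinning the fingerprint also guards against a swapped gpg_key.pub. The new comment block also still calls the `.sha1.asc` `%%{SOURCE2}` and the key `%%{SOURCE3}`, but the commands below use `%{SOURCE1}` and `%{SOURCE2}`; the comment should read `%%{SOURCE1}` and `%%{SOURCE2}` to match the renumbered sources. The %prep section continues past the end of this hunk.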
@@ -162,6 +185,10 @@ cp -rp examples %{buildroot}%{_datadir}/doc/%{name}-%{apiver}/
 %changelog
+* Thu Feb 18 2021 Benjamin A. Beasley - 1.14.2-7
+- Working (but weak, dependent on SHA1) source signature verification
+- Added API/ABI version to descriptions
+
 * Wed Feb 17 2021 Benjamin A. Beasley - 1.14.2-6
 - Fix typo %%{_?isa} for %%{?_isa} in virtual Provides
 - Tidy up BR’s, including dropping make
diff --git a/gpg_key.pub b/gpg_key.pub
new file mode 100644
index 0000000..def31f7
--- /dev/null
+++ b/gpg_key.pub
@@ -0,0 +1,41 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBF9XkQUBDADmaPl0W4LoNnFwUy3aQQgQn2HyuoGO292p/UHdSjgQ+uiVOETU +sGlXUoqMHB2L0G/PM5fBGAdH26EWdkTNoRMVIH1vhcbA6xKCI4AEM06HtU8J7vTw +hKtW9qiYe0Gf5gF0lYFEeyoLaZUKZJmVgcFvs33kxPNkBX8+kSbCDG77cjY1X2M5 +jTR/JFv0IwxAdGBaONyp4pB66qQU8skXKlrNmmc6VvP2Q8D0P6EcDJ3FfUumuTMa +tcWf72jimHKsu3XR6nfH3ghbpxxLD54MSv0vtF/5jJRon1PkASkbo+aAf3w28pKQ +TZnCeD4RcL1f3ijo2VlxMqAcdUOL/c5aRLuzz+iQobl68zsOn2YSg9kpfgmfoOmZ +Uk1XB6R4aJkh6FihZmd+QIrmjIPD3fZPxfyx2SfdAq2o5CURbNfq/enG9DyBfg78 +jgTv6ybISpOmrWjR9i6nAJAkAI5upBgIuKn2VntQKuHzrjNRDSQeMMV+rdgnx2Fz +nkcIjs30U+kz9uMAEQEAAbQoS2plbGwgQWhsc3RlZHQgPGtqZWxsYWhsc3RlZHRA +Z21haWwuY29tPokB1AQTAQoAPhYhBGy0RagWUEcUqkliV566FV/MEtLABQJfV5EF +AhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJ66FV/MEtLAa4MM +ALqkWxHC+hXB2yxH/X32nOGdJTZqEsW+gAuOyJ26mOy29ZecaBf83eEBR6BYN22Z +OwLta5bhC75OJt3rxqZZRC1QcFLxDH5n8UkXInu5U7kZkPIyEW8rmtgK4Y3EEetF +AcxT75/OsYL1ssTd/CCbNCe2KLarIwu/mNRN42yZq8nqWN94sfRwCGRltwtEjPiW +OepIBjk4QNaFa2iACCWKyeDX3l6XdWUza7InYYZep+9759Vv3iHOlwOJRQdXE7Gp +RrftCxls/aR/M4pWMHa8Mbev12Gz1+emChCcpyU14ce04mDsefcRiaCPD8kH5LII +fH7YMqFd0KOZZDLZFQRQhLb5zCPlLwgjiDsS7XUhfCCA7HQhWVPV26afbllIB03f +d9m0WCbnrPsKP3LazDVhXLkYRrDNrEzKV8Oy2hKw+BlpmOhgtVIPrHCdYMt+4kzi +f16CFUiim2yTjqa8tDcsiIMPccaqRjjhQJ/KxmQSvMLmZOgkYNaOgO9FQ/pJsnMX +b7kBjQRfV5EFAQwAu2/c0DO1x5gwcXoAlXzx5ONIpSzqOtTHubMaUTV0R6B8yVGs +o2rL5tbTdr5ClIOwc2gvYz/mLsOyikb7fy+EBW7/CrtlPZTFrt5pA19it7I0MK7K +mMu6bDgK14E9LBfJIsNnDEvmPhdMloCMeIxcSldpVu/VG3CbWqVVrCy/PTI22FYx +lM+CIDOgQgG7NeIebvBKAeaWk1lGW0qf/i/mWMTuv+/37okUzjWBXboKhpJ0WzY4 +O2fxgTV1EwQ44jMDiKFbq+hUFRln+hdTCrez4F4xvly2AyNYLciiksCz0LqcMZ2o +x1MHm3P/lWJvPK7r1tQQI+THq/XbWcVRKJPCOiFcEUs1rHxsTprmHVOuAPhWP3kp ++ZhLIqdpvw2B//hiJmJgLIiXHkfRUwmHaIAZrmWTqEjhJc0cZP+F4+0UNabr7Lmd +pl7vBGh+TCwu9EN/SmCvRAc9JdlLOHwpaDxXrjUQ5S9PbwMiw00HwvDjqt7Wsvks +1XVAiiBTddhafZCJABEBAAGJAbwEGAEKACYWIQRstEWoFlBHFKpJYleeuhVfzBLS +wAUCX1eRBQIbDAUJA8JnAAAKCRCeuhVfzBLSwE7aDADlFFoqJFNqxF2jC+jHzTcS 
+vjpZVk9GTcyRqulVzpH18gLZnN+1abgVOGA0abfE9qV+mRnMmyfrhfB8kGc+VodS +ByRuAktW8n+AlgGN26hk4nEChcf09BHhRZkDbdSEhhZNeqYfTGZIivxx97KgzrC6 +9b9MrSMogzeOMbzLYojiJxsAhFvTgrPeJObRwf71dLFmBvjL7fheTVsaDq/v6EWz +unnNZPRGWwiYnIZkHN8+ZVbumlm2zHAk1EOaCbaVOok24CVzZaOJWhUsoWwdAMuy +hJB4iTy3NzhpgJaU8M6CwSDdZboXLqe4S2Ys74Y7Pf5kOhV/b9C+DD3D7kirwyWS +gsmjKHdTZbNx9NBsDoAIOQiCvg1VqwUBSeqBYPMJOKzvZGRN+CZnoiN+NDoAS1qI +zLEl8udwtXc30yzKbX5Izx3PqaHx7eWJeY8VuF+oynb/hQUdb9VMYFAfP3//Ow2A +8v/f6lrl1xTqdRtpn719bcIDXYCZNPEi6kHk0vU/sH4= +=nxmX +-----END PGP PUBLIC KEY BLOCK----- diff --git a/sources b/sources index b4ebc36..19e0058 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ SHA512 (cairomm-1.14.2.tar.xz) = aef374fca25ad22770407e36512046b266d71ebeccd47fb629cfbf2f67783aa314bb335b972088a88d98417a4774d6f144cd2769c452f8aa23770eae08dca592 -SHA512 (cairomm-1.14.2.tar.xz.sha1) = 045fcd7380a2c63866edd10539a1daae6f36a22614b9fffaad60ea32a82b0ca221ba56596edf357d820cfe0880513ef61cb8bd34077e73bb94e51981b826bfd2 SHA512 (cairomm-1.14.2.tar.xz.sha1.asc) = 992f2ab7be68ce7570ba49efa40cc12cc2d2ed13983127892f1335401a184f3cb35e1a4b422d7ff0d234a0085bbc0dac9c84f183133f40ac47e668fb6d21f3c6