Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/cairomm.git#508e5566a0fc3f1de65ffb8785f1c3410dadac45
2021-02-18 16:15:24 +00:00 · 2021-02-18 16:15:24 +00:00 · 3606414834
commit 3606414834
parent 142dda9ac2
3 changed files with 83 additions and 16 deletions
--- a/cairomm.spec
+++ b/cairomm.spec
@ -9,23 +9,25 @@
 Name:           cairomm
 Summary:        C++ API for the cairo graphics library
 Version:        1.14.2
-Release:        6%{?dist}
+Release:        7%{?dist}

 URL:            https://www.cairographics.org
 License:        LGPLv2+

 %global src_base https://www.cairographics.org/releases
 Source0:        %{src_base}/%{name}-%{version}.tar.xz
-# We cannot verify GPG signatures at this time because there is no published
-# keychain or keyserver to get the signing key. (Additionally, the signature is
-# over a cryptographically-weak SHA1 checksum.) See
-# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25.
-Source1:        %{src_base}/%{name}-%{version}.tar.xz.sha1
-Source2:        %{src_base}/%{name}-%{version}.tar.xz.sha1.asc
-# Source3 reserved for future GPG keyring
+# The complete set of authorized GPG signing keys is not published
+# (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), and
+# the signature is over a cryptographically-weak SHA1 checksum file
+# (https://gitlab.freedesktop.org/cairo/cairo/-/issues/458), as initially
+# reported in https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25.
+# However, we are able to verify the signature (of the weak SHA1 checksum)
+# using the key for Kjell Ahlstedt from
+# https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/290.
+Source1:        %{src_base}/cairomm-%{version}.tar.xz.sha1.asc
+Source2:        https://gitlab.freedesktop.org/freedesktop/freedesktop/uploads/0ac64e9582659f70a719d59fb02cd037/gpg_key.pub

-# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25
-# BuildRequires:  gnupg2
+BuildRequires:  gnupg2

 BuildRequires:  gcc-c++
 BuildRequires:  meson
@ -72,6 +74,8 @@ Provides:       %{name}%{apiver}%{?_isa} = %{version}-%{release}
 %description
 This library provides a C++ interface to cairo.

+The API/ABI version series is %{apiver}.
+

 %package        devel
 Summary:        Development files for %{name}
@ -83,6 +87,8 @@ Provides:       %{name}%{apiver}-devel%{?_isa} = %{version}-%{release}
 The %{name}-devel package contains libraries and header files for developing
 applications that use %{name}.

+The API/ABI version series is %{apiver}.
+

 %package        doc
 Summary:        Documentation for %{name}
@ -97,15 +103,32 @@ Documentation for %{name} can be viewed either through the devhelp
 documentation browser or through a web browser at
 %{_datadir}/doc/%{name}-%{apiver}/.

+The API/ABI version series is %{apiver}.
+

 %prep
 # https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25
-pushd "$(dirname %{SOURCE1})"
-sha1sum -c "$(basename %{SOURCE1})"
+# The .sha1.asc file in %%{SOURCE2} is a signed-but-not-encrypted copy of the
+# corresponding .sha1 file; see the description of the --sign option in
+# https://access.redhat.com/solutions/1541303. We “decrypt it” using the
+# signer’s public key from %%{SOURCE3} to obtain a verified copy of the .sha1
+# file. To do so, we must first import the public key into a keyring; see
+# /usr/lib/rpm/redhat/gpgverify, which is the implementation of the %%gpgverify
+# macro, although we cannot use that macro due to the unconventional signing
+# scheme.
+workdir="$(mktemp --directory)"
+workring="${workdir}/keyring.gpg"
+gpg2 --homedir="${workdir}" --yes --no-default-keyring \
+    --keyring "${workring}" --import '%{SOURCE2}'
+gpg2 --homedir="${workdir}" --keyring "${workring}" --decrypt '%{SOURCE1}' \
+    > "${workdir}/%{name}.sha1"
+pushd "${workdir}"
+ln -s '%{SOURCE0}'
+sha1sum -c %{name}.sha1
 popd
-# %%{gpgverify} --keyring='%%{SOURCE3}' --signature='%%{SOURCE2}' \
-#   --data='%%{SOURCE1}'
-%setup -q
+rm -rf "${workdir}"
+
+%autosetup
 # We must remove the jQuery/jQueryUI bundle with precompiled/minified/bundled
 # JavaScript that is in untracked/docs/reference/html/jquery.js, since such
 # sources are banned in Fedora. (Note also that the bundled JavaScript had a
@ -162,6 +185,10 @@ cp -rp examples %{buildroot}%{_datadir}/doc/%{name}-%{apiver}/


 %changelog
+* Thu Feb 18 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.14.2-7
+- Working (but weak, dependent on SHA1) source signature verification
+- Added API/ABI version to descriptions
+
 * Wed Feb 17 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.14.2-6
 - Fix typo %%{_?isa} for %%{?_isa} in virtual Provides
 - Tidy up BR’s, including dropping make
--- a/gpg_key.pub
+++ b/gpg_key.pub
@ -0,0 +1,41 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBF9XkQUBDADmaPl0W4LoNnFwUy3aQQgQn2HyuoGO292p/UHdSjgQ+uiVOETU
+sGlXUoqMHB2L0G/PM5fBGAdH26EWdkTNoRMVIH1vhcbA6xKCI4AEM06HtU8J7vTw
+hKtW9qiYe0Gf5gF0lYFEeyoLaZUKZJmVgcFvs33kxPNkBX8+kSbCDG77cjY1X2M5
+jTR/JFv0IwxAdGBaONyp4pB66qQU8skXKlrNmmc6VvP2Q8D0P6EcDJ3FfUumuTMa
+tcWf72jimHKsu3XR6nfH3ghbpxxLD54MSv0vtF/5jJRon1PkASkbo+aAf3w28pKQ
+TZnCeD4RcL1f3ijo2VlxMqAcdUOL/c5aRLuzz+iQobl68zsOn2YSg9kpfgmfoOmZ
+Uk1XB6R4aJkh6FihZmd+QIrmjIPD3fZPxfyx2SfdAq2o5CURbNfq/enG9DyBfg78
+jgTv6ybISpOmrWjR9i6nAJAkAI5upBgIuKn2VntQKuHzrjNRDSQeMMV+rdgnx2Fz
+nkcIjs30U+kz9uMAEQEAAbQoS2plbGwgQWhsc3RlZHQgPGtqZWxsYWhsc3RlZHRA
+Z21haWwuY29tPokB1AQTAQoAPhYhBGy0RagWUEcUqkliV566FV/MEtLABQJfV5EF
+AhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJ66FV/MEtLAa4MM
+ALqkWxHC+hXB2yxH/X32nOGdJTZqEsW+gAuOyJ26mOy29ZecaBf83eEBR6BYN22Z
+OwLta5bhC75OJt3rxqZZRC1QcFLxDH5n8UkXInu5U7kZkPIyEW8rmtgK4Y3EEetF
+AcxT75/OsYL1ssTd/CCbNCe2KLarIwu/mNRN42yZq8nqWN94sfRwCGRltwtEjPiW
+OepIBjk4QNaFa2iACCWKyeDX3l6XdWUza7InYYZep+9759Vv3iHOlwOJRQdXE7Gp
+RrftCxls/aR/M4pWMHa8Mbev12Gz1+emChCcpyU14ce04mDsefcRiaCPD8kH5LII
+fH7YMqFd0KOZZDLZFQRQhLb5zCPlLwgjiDsS7XUhfCCA7HQhWVPV26afbllIB03f
+d9m0WCbnrPsKP3LazDVhXLkYRrDNrEzKV8Oy2hKw+BlpmOhgtVIPrHCdYMt+4kzi
+f16CFUiim2yTjqa8tDcsiIMPccaqRjjhQJ/KxmQSvMLmZOgkYNaOgO9FQ/pJsnMX
+b7kBjQRfV5EFAQwAu2/c0DO1x5gwcXoAlXzx5ONIpSzqOtTHubMaUTV0R6B8yVGs
+o2rL5tbTdr5ClIOwc2gvYz/mLsOyikb7fy+EBW7/CrtlPZTFrt5pA19it7I0MK7K
+mMu6bDgK14E9LBfJIsNnDEvmPhdMloCMeIxcSldpVu/VG3CbWqVVrCy/PTI22FYx
+lM+CIDOgQgG7NeIebvBKAeaWk1lGW0qf/i/mWMTuv+/37okUzjWBXboKhpJ0WzY4
+O2fxgTV1EwQ44jMDiKFbq+hUFRln+hdTCrez4F4xvly2AyNYLciiksCz0LqcMZ2o
+x1MHm3P/lWJvPK7r1tQQI+THq/XbWcVRKJPCOiFcEUs1rHxsTprmHVOuAPhWP3kp
+ZhLIqdpvw2B//hiJmJgLIiXHkfRUwmHaIAZrmWTqEjhJc0cZP+F4+0UNabr7Lmd
+pl7vBGh+TCwu9EN/SmCvRAc9JdlLOHwpaDxXrjUQ5S9PbwMiw00HwvDjqt7Wsvks
+1XVAiiBTddhafZCJABEBAAGJAbwEGAEKACYWIQRstEWoFlBHFKpJYleeuhVfzBLS
+wAUCX1eRBQIbDAUJA8JnAAAKCRCeuhVfzBLSwE7aDADlFFoqJFNqxF2jC+jHzTcS
+vjpZVk9GTcyRqulVzpH18gLZnN+1abgVOGA0abfE9qV+mRnMmyfrhfB8kGc+VodS
+ByRuAktW8n+AlgGN26hk4nEChcf09BHhRZkDbdSEhhZNeqYfTGZIivxx97KgzrC6
+9b9MrSMogzeOMbzLYojiJxsAhFvTgrPeJObRwf71dLFmBvjL7fheTVsaDq/v6EWz
+unnNZPRGWwiYnIZkHN8+ZVbumlm2zHAk1EOaCbaVOok24CVzZaOJWhUsoWwdAMuy
+hJB4iTy3NzhpgJaU8M6CwSDdZboXLqe4S2Ys74Y7Pf5kOhV/b9C+DD3D7kirwyWS
+gsmjKHdTZbNx9NBsDoAIOQiCvg1VqwUBSeqBYPMJOKzvZGRN+CZnoiN+NDoAS1qI
+zLEl8udwtXc30yzKbX5Izx3PqaHx7eWJeY8VuF+oynb/hQUdb9VMYFAfP3//Ow2A
+8v/f6lrl1xTqdRtpn719bcIDXYCZNPEi6kHk0vU/sH4=
+=nxmX
+-----END PGP PUBLIC KEY BLOCK-----
--- a/1
+++ b/1
@ -1,3 +1,2 @@
 SHA512 (cairomm-1.14.2.tar.xz) = aef374fca25ad22770407e36512046b266d71ebeccd47fb629cfbf2f67783aa314bb335b972088a88d98417a4774d6f144cd2769c452f8aa23770eae08dca592
-SHA512 (cairomm-1.14.2.tar.xz.sha1) = 045fcd7380a2c63866edd10539a1daae6f36a22614b9fffaad60ea32a82b0ca221ba56596edf357d820cfe0880513ef61cb8bd34077e73bb94e51981b826bfd2
 SHA512 (cairomm-1.14.2.tar.xz.sha1.asc) = 992f2ab7be68ce7570ba49efa40cc12cc2d2ed13983127892f1335401a184f3cb35e1a4b422d7ff0d234a0085bbc0dac9c84f183133f40ac47e668fb6d21f3c6