From 508e5566a0fc3f1de65ffb8785f1c3410dadac45 Mon Sep 17 00:00:00 2001
From: "Benjamin A. Beasley"
Date: Thu, 18 Feb 2021 10:45:51 -0500
Subject: [PATCH] Working (but weak, dependent on SHA1) source signature verification; added API/ABI version to descriptions

---
 cairomm.spec | 57 ++++++++++++++++++++++++++++++++++++++--------------
 gpg_key.pub | 41 +++++++++++++++++++++++++++++++++++++
 sources | 1 -
 3 files changed, 83 insertions(+), 16 deletions(-)
 create mode 100644 gpg_key.pub

diff --git a/cairomm.spec b/cairomm.spec
index 0c81f4e..dfa0b05 100644
--- a/cairomm.spec
+++ b/cairomm.spec
@@ -9,23 +9,25 @@ Name: cairomm
 Summary: C++ API for the cairo graphics library
 Version: 1.14.2
-Release: 6%{?dist}
+Release: 7%{?dist}
 URL: https://www.cairographics.org
 License: LGPLv2+
 %global src_base https://www.cairographics.org/releases
 Source0: %{src_base}/%{name}-%{version}.tar.xz
-# We cannot verify GPG signatures at this time because there is no published
-# keychain or keyserver to get the signing key. (Additionally, the signature is
-# over a cryptographically-weak SHA1 checksum.) See
-# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25.
-Source1: %{src_base}/%{name}-%{version}.tar.xz.sha1
-Source2: %{src_base}/%{name}-%{version}.tar.xz.sha1.asc
-# Source3 reserved for future GPG keyring
+# The complete set of authorized GPG signing keys is not published
+# (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), and
+# the signature is over a cryptographically-weak SHA1 checksum file
+# (https://gitlab.freedesktop.org/cairo/cairo/-/issues/458), as initially
+# reported in https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25.
+# However, we are able to verify the signature (of the weak SHA1 checksum)
+# using the key for Kjell Ahlstedt from
+# https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/290.
+Source1: %{src_base}/cairomm-%{version}.tar.xz.sha1.asc
+Source2: https://gitlab.freedesktop.org/freedesktop/freedesktop/uploads/0ac64e9582659f70a719d59fb02cd037/gpg_key.pub
-# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25
-# BuildRequires: gnupg2
+BuildRequires: gnupg2
 BuildRequires: gcc-c++
 BuildRequires: meson
@@ -72,6 +74,8 @@ Provides: %{name}%{apiver}%{?_isa} = %{version}-%{release}
 %description
 This library provides a C++ interface to cairo.
+The API/ABI version series is %{apiver}.
+
 %package devel
 Summary: Development files for %{name}
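Review bot: The new trust anchor behind `Source2` is a key file attached to a GitLab issue, and nothing in the spec lets a later reviewer confirm that the checked-in `gpg_key.pub` is the key that was actually vetted against issue 290; the comment block above `Source1` should record the key's full fingerprint (as printed by `gpg2 --with-fingerprint gpg_key.pub`), e.g. `# Key fingerprint (verified against issue 290): <40 hex digits>`, so that a replaced upload or a re-fetched key is noticed instead of silently imported. Since the diffstat shows `gpg_key.pub` is committed to the repository rather than listed in `sources`, the URL is informational only, which is worth saying in the comment as well. It would also help to state in the comment that the armored key's user ID is what the build trusts, because the `%prep` step accepts any key present in the temporary keyring.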
@@ -83,6 +87,8 @@ Provides: %{name}%{apiver}-devel%{?_isa} = %{version}-%{release}
 The %{name}-devel package contains libraries and header files for
 developing applications that use %{name}.
+The API/ABI version series is %{apiver}.
+
 %package doc
 Summary: Documentation for %{name}
@@ -97,15 +103,32 @@ Documentation for %{name} can be viewed either through the devhelp
 documentation browser or through a web browser at
 %{_datadir}/doc/%{name}-%{apiver}/.
+The API/ABI version series is %{apiver}.
+
 %prep
 # https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25
-pushd "$(dirname %{SOURCE1})"
-sha1sum -c "$(basename %{SOURCE1})"
+# The .sha1.asc file in %%{SOURCE2} is a signed-but-not-encrypted copy of the
+# corresponding .sha1 file; see the description of the --sign option in
+# https://access.redhat.com/solutions/1541303. We “decrypt it” using the
+# signer’s public key from %%{SOURCE3} to obtain a verified copy of the .sha1
+# file. To do so, we must first import the public key into a keyring; see
+# /usr/lib/rpm/redhat/gpgverify, which is the implementation of the %%gpgverify
+# macro, although we cannot use that macro due to the unconventional signing
+# scheme.
+workdir="$(mktemp --directory)"
+workring="${workdir}/keyring.gpg"
+gpg2 --homedir="${workdir}" --yes --no-default-keyring \
+ --keyring "${workring}" --import '%{SOURCE2}'
+gpg2 --homedir="${workdir}" --keyring "${workring}" --decrypt '%{SOURCE1}' \
+ > "${workdir}/%{name}.sha1"
+pushd "${workdir}"
+ln -s '%{SOURCE0}'
+sha1sum -c %{name}.sha1
 popd
-# %%{gpgverify} --keyring='%%{SOURCE3}' --signature='%%{SOURCE2}' \
-# --data='%%{SOURCE1}'
-%setup -q
+rm -rf "${workdir}"
+
+%autosetup
 # We must remove the jQuery/jQueryUI bundle with precompiled/minified/bundled
 # JavaScript that is in untracked/docs/reference/html/jquery.js, since such
 # sources are banned in Fedora. (Note also that the bundled JavaScript had a
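Review bot: The `gpg2 --decrypt '%{SOURCE1}'` step in `%prep` does not by itself require that a signature be present: as far as I can tell, a file holding only unsigned literal data would be written to `%{name}.sha1` with exit status 0 and then pass `sha1sum -c`, so the build should explicitly demand a good signature, e.g. `gpg2 --homedir="${workdir}" --keyring "${workring}" --status-fd 3 --decrypt '%{SOURCE1}' > "${workdir}/%{name}.sha1" 3> "${workdir}/gpg-status"` followed by `grep -q '^\[GNUPG:\] VALIDSIG ' "${workdir}/gpg-status"`; with the temporary keyring holding only the imported key, that also pins the signer, and the `-e` shell the scriptlet runs under turns a missing `VALIDSIG` into a build failure. The new comment block also refers to `%%{SOURCE2}` for the `.sha1.asc` file and `%%{SOURCE3}` for the public key, while the spec now defines them as `Source1` and `Source2`; change the comment to `%%{SOURCE1}` and `%%{SOURCE2}` so the description matches the commands below it. The `%prep` section continues past the end of this hunk.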
@@ -162,6 +185,10 @@ cp -rp examples %{buildroot}%{_datadir}/doc/%{name}-%{apiver}/
 %changelog
+* Thu Feb 18 2021 Benjamin A. Beasley - 1.14.2-7
+- Working (but weak, dependent on SHA1) source signature verification
+- Added API/ABI version to descriptions
+
 * Wed Feb 17 2021 Benjamin A. Beasley - 1.14.2-6
 - Fix typo %%{_?isa} for %%{?_isa} in virtual Provides
 - Tidy up BR’s, including dropping make
diff --git a/gpg_key.pub b/gpg_key.pub
new file mode 100644
index 0000000..def31f7
--- /dev/null
+++ b/gpg_key.pub
@@ -0,0 +1,41 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBF9XkQUBDADmaPl0W4LoNnFwUy3aQQgQn2HyuoGO292p/UHdSjgQ+uiVOETU
+sGlXUoqMHB2L0G/PM5fBGAdH26EWdkTNoRMVIH1vhcbA6xKCI4AEM06HtU8J7vTw
+hKtW9qiYe0Gf5gF0lYFEeyoLaZUKZJmVgcFvs33kxPNkBX8+kSbCDG77cjY1X2M5
+jTR/JFv0IwxAdGBaONyp4pB66qQU8skXKlrNmmc6VvP2Q8D0P6EcDJ3FfUumuTMa
+tcWf72jimHKsu3XR6nfH3ghbpxxLD54MSv0vtF/5jJRon1PkASkbo+aAf3w28pKQ
+TZnCeD4RcL1f3ijo2VlxMqAcdUOL/c5aRLuzz+iQobl68zsOn2YSg9kpfgmfoOmZ
+Uk1XB6R4aJkh6FihZmd+QIrmjIPD3fZPxfyx2SfdAq2o5CURbNfq/enG9DyBfg78
+jgTv6ybISpOmrWjR9i6nAJAkAI5upBgIuKn2VntQKuHzrjNRDSQeMMV+rdgnx2Fz
+nkcIjs30U+kz9uMAEQEAAbQoS2plbGwgQWhsc3RlZHQgPGtqZWxsYWhsc3RlZHRA
+Z21haWwuY29tPokB1AQTAQoAPhYhBGy0RagWUEcUqkliV566FV/MEtLABQJfV5EF
+AhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJ66FV/MEtLAa4MM
+ALqkWxHC+hXB2yxH/X32nOGdJTZqEsW+gAuOyJ26mOy29ZecaBf83eEBR6BYN22Z
+OwLta5bhC75OJt3rxqZZRC1QcFLxDH5n8UkXInu5U7kZkPIyEW8rmtgK4Y3EEetF
+AcxT75/OsYL1ssTd/CCbNCe2KLarIwu/mNRN42yZq8nqWN94sfRwCGRltwtEjPiW
+OepIBjk4QNaFa2iACCWKyeDX3l6XdWUza7InYYZep+9759Vv3iHOlwOJRQdXE7Gp
+RrftCxls/aR/M4pWMHa8Mbev12Gz1+emChCcpyU14ce04mDsefcRiaCPD8kH5LII
+fH7YMqFd0KOZZDLZFQRQhLb5zCPlLwgjiDsS7XUhfCCA7HQhWVPV26afbllIB03f
+d9m0WCbnrPsKP3LazDVhXLkYRrDNrEzKV8Oy2hKw+BlpmOhgtVIPrHCdYMt+4kzi
+f16CFUiim2yTjqa8tDcsiIMPccaqRjjhQJ/KxmQSvMLmZOgkYNaOgO9FQ/pJsnMX
+b7kBjQRfV5EFAQwAu2/c0DO1x5gwcXoAlXzx5ONIpSzqOtTHubMaUTV0R6B8yVGs
+o2rL5tbTdr5ClIOwc2gvYz/mLsOyikb7fy+EBW7/CrtlPZTFrt5pA19it7I0MK7K
+mMu6bDgK14E9LBfJIsNnDEvmPhdMloCMeIxcSldpVu/VG3CbWqVVrCy/PTI22FYx
+lM+CIDOgQgG7NeIebvBKAeaWk1lGW0qf/i/mWMTuv+/37okUzjWBXboKhpJ0WzY4
+O2fxgTV1EwQ44jMDiKFbq+hUFRln+hdTCrez4F4xvly2AyNYLciiksCz0LqcMZ2o
+x1MHm3P/lWJvPK7r1tQQI+THq/XbWcVRKJPCOiFcEUs1rHxsTprmHVOuAPhWP3kp
++ZhLIqdpvw2B//hiJmJgLIiXHkfRUwmHaIAZrmWTqEjhJc0cZP+F4+0UNabr7Lmd
+pl7vBGh+TCwu9EN/SmCvRAc9JdlLOHwpaDxXrjUQ5S9PbwMiw00HwvDjqt7Wsvks
+1XVAiiBTddhafZCJABEBAAGJAbwEGAEKACYWIQRstEWoFlBHFKpJYleeuhVfzBLS
+wAUCX1eRBQIbDAUJA8JnAAAKCRCeuhVfzBLSwE7aDADlFFoqJFNqxF2jC+jHzTcS
+vjpZVk9GTcyRqulVzpH18gLZnN+1abgVOGA0abfE9qV+mRnMmyfrhfB8kGc+VodS
+ByRuAktW8n+AlgGN26hk4nEChcf09BHhRZkDbdSEhhZNeqYfTGZIivxx97KgzrC6
+9b9MrSMogzeOMbzLYojiJxsAhFvTgrPeJObRwf71dLFmBvjL7fheTVsaDq/v6EWz
+unnNZPRGWwiYnIZkHN8+ZVbumlm2zHAk1EOaCbaVOok24CVzZaOJWhUsoWwdAMuy
+hJB4iTy3NzhpgJaU8M6CwSDdZboXLqe4S2Ys74Y7Pf5kOhV/b9C+DD3D7kirwyWS
+gsmjKHdTZbNx9NBsDoAIOQiCvg1VqwUBSeqBYPMJOKzvZGRN+CZnoiN+NDoAS1qI
+zLEl8udwtXc30yzKbX5Izx3PqaHx7eWJeY8VuF+oynb/hQUdb9VMYFAfP3//Ow2A
+8v/f6lrl1xTqdRtpn719bcIDXYCZNPEi6kHk0vU/sH4=
+=nxmX
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/sources b/sources
index b4ebc36..19e0058 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,2 @@
 SHA512 (cairomm-1.14.2.tar.xz) = aef374fca25ad22770407e36512046b266d71ebeccd47fb629cfbf2f67783aa314bb335b972088a88d98417a4774d6f144cd2769c452f8aa23770eae08dca592
-SHA512 (cairomm-1.14.2.tar.xz.sha1) = 045fcd7380a2c63866edd10539a1daae6f36a22614b9fffaad60ea32a82b0ca221ba56596edf357d820cfe0880513ef61cb8bd34077e73bb94e51981b826bfd2
 SHA512 (cairomm-1.14.2.tar.xz.sha1.asc) = 992f2ab7be68ce7570ba49efa40cc12cc2d2ed13983127892f1335401a184f3cb35e1a4b422d7ff0d234a0085bbc0dac9c84f183133f40ac47e668fb6d21f3c6