Verify source with new strong signatures from upstream

.gitignore

@@ -13,3 +13,4 @@ cairomm-1.9.1.tar.gz
 /cairomm-1.14.2.tar.xz
 /cairomm-1.14.2.tar.xz.sha1
 /cairomm-1.14.2.tar.xz.sha1.asc
+/cairomm-1.14.2.tar.xz.asc

cairomm.spec

@@ -9,22 +9,18 @@
 Name:           cairomm
 Summary:        C++ API for the cairo graphics library
 Version:        1.14.2
-Release:        7%{?dist}
+Release:        8%{?dist}
 
 URL:            https://www.cairographics.org
 License:        LGPLv2+
 
 %global src_base https://www.cairographics.org/releases
 Source0:        %{src_base}/%{name}-%{version}.tar.xz
-# The complete set of authorized GPG signing keys is not published
-# (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), and
-# the signature is over a cryptographically-weak SHA1 checksum file
-# (https://gitlab.freedesktop.org/cairo/cairo/-/issues/458), as initially
-# reported in https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25.
-# However, we are able to verify the signature (of the weak SHA1 checksum)
-# using the key for Kjell Ahlstedt from
+# No keyring with authorized GPG signing keys is published
+# (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), but we
+# are able to verify the signature using the key for Kjell Ahlstedt from
 # https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/290.
-Source1:        %{src_base}/cairomm-%{version}.tar.xz.sha1.asc
+Source1:        %{src_base}/cairomm-%{version}.tar.xz.asc
 Source2:        https://gitlab.freedesktop.org/freedesktop/freedesktop/uploads/0ac64e9582659f70a719d59fb02cd037/gpg_key.pub
 
 BuildRequires:  gnupg2
@@ -107,27 +103,17 @@ The API/ABI version series is %{apiver}.
 
 
 %prep
-# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25
-# The .sha1.asc file in %%{SOURCE2} is a signed-but-not-encrypted copy of the
-# corresponding .sha1 file; see the description of the --sign option in
-# https://access.redhat.com/solutions/1541303. We “decrypt it” using the
-# signer’s public key from %%{SOURCE3} to obtain a verified copy of the .sha1
-# file. To do so, we must first import the public key into a keyring; see
-# /usr/lib/rpm/redhat/gpgverify, which is the implementation of the %%gpgverify
-# macro, although we cannot use that macro due to the unconventional signing
-# scheme.
+# Import developer’s public GPG key to a keyring that we can use for signature
+# verification.
 workdir="$(mktemp --directory)"
-workring="${workdir}/keyring.gpg"
-gpg2 --homedir="${workdir}" --yes --no-default-keyring \
-    --keyring "${workring}" --import '%{SOURCE2}'
-gpg2 --homedir="${workdir}" --keyring "${workring}" --decrypt '%{SOURCE1}' \
-    > "${workdir}/%{name}.sha1"
-pushd "${workdir}"
-ln -s '%{SOURCE0}'
-sha1sum -c %{name}.sha1
-popd
+gpg2 --homedir="${workdir}" --yes --import '%{SOURCE2}'
+gpg2 --homedir="${workdir}" --export --export-options export-minimal \
+    > %{name}.gpg
 rm -rf "${workdir}"
 
+%{gpgverify} \
+    --keyring='%{name}.gpg' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+
 %autosetup
 # We must remove the jQuery/jQueryUI bundle with precompiled/minified/bundled
 # JavaScript that is in untracked/docs/reference/html/jquery.js, since such
@@ -185,6 +171,9 @@ cp -rp examples %{buildroot}%{_datadir}/doc/%{name}-%{apiver}/
 
 
 %changelog
+* Sat Feb 20 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.14.2-8
+- Verify source with new strong signatures from upstream
+
 * Thu Feb 18 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.14.2-7
 - Working (but weak, dependent on SHA1) source signature verification
 - Added API/ABI version to descriptions

sources

@@ -1,2 +1,2 @@
 SHA512 (cairomm-1.14.2.tar.xz) = aef374fca25ad22770407e36512046b266d71ebeccd47fb629cfbf2f67783aa314bb335b972088a88d98417a4774d6f144cd2769c452f8aa23770eae08dca592
-SHA512 (cairomm-1.14.2.tar.xz.sha1.asc) = 992f2ab7be68ce7570ba49efa40cc12cc2d2ed13983127892f1335401a184f3cb35e1a4b422d7ff0d234a0085bbc0dac9c84f183133f40ac47e668fb6d21f3c6
+SHA512 (cairomm-1.14.2.tar.xz.asc) = b2b9c79d4fb2b43f30599a1bcb5138bf375962728e173514a2ee8b69bed2e7a78a8a4818258e0aec0138c953597f3e6cf83cd3b99b3e3a1538afcc0c23f6a7c1