Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/cairomm.git#57b849212d845c4915541582feb0cc3dfbcc0459
2021-02-20 14:05:57 +00:00 · 2021-02-20 14:05:57 +00:00 · 804d0ae52d
parent 3606414834
commit 804d0ae52d
3 changed files with 18 additions and 28 deletions
--- a/.gitignore
+++ b/.gitignore
@ -13,3 +13,4 @@ cairomm-1.9.1.tar.gz
 /cairomm-1.14.2.tar.xz
 /cairomm-1.14.2.tar.xz.sha1
 /cairomm-1.14.2.tar.xz.sha1.asc
+/cairomm-1.14.2.tar.xz.asc
--- a/cairomm.spec
+++ b/cairomm.spec
@ -9,22 +9,18 @@
 Name:           cairomm
 Summary:        C++ API for the cairo graphics library
 Version:        1.14.2
-Release:        7%{?dist}
+Release:        8%{?dist}

 URL:            https://www.cairographics.org
 License:        LGPLv2+

 %global src_base https://www.cairographics.org/releases
 Source0:        %{src_base}/%{name}-%{version}.tar.xz
-# The complete set of authorized GPG signing keys is not published
-# (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), and
-# the signature is over a cryptographically-weak SHA1 checksum file
-# (https://gitlab.freedesktop.org/cairo/cairo/-/issues/458), as initially
-# reported in https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25.
-# However, we are able to verify the signature (of the weak SHA1 checksum)
-# using the key for Kjell Ahlstedt from
+# No keyring with authorized GPG signing keys is published
+# (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), but we
+# are able to verify the signature using the key for Kjell Ahlstedt from
 # https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/290.
-Source1:        %{src_base}/cairomm-%{version}.tar.xz.sha1.asc
+Source1:        %{src_base}/cairomm-%{version}.tar.xz.asc
 Source2:        https://gitlab.freedesktop.org/freedesktop/freedesktop/uploads/0ac64e9582659f70a719d59fb02cd037/gpg_key.pub

 BuildRequires:  gnupg2
@ -107,27 +103,17 @@ The API/ABI version series is %{apiver}.


 %prep
-# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25
-# The .sha1.asc file in %%{SOURCE2} is a signed-but-not-encrypted copy of the
-# corresponding .sha1 file; see the description of the --sign option in
-# https://access.redhat.com/solutions/1541303. We “decrypt it” using the
-# signer’s public key from %%{SOURCE3} to obtain a verified copy of the .sha1
-# file. To do so, we must first import the public key into a keyring; see
-# /usr/lib/rpm/redhat/gpgverify, which is the implementation of the %%gpgverify
-# macro, although we cannot use that macro due to the unconventional signing
-# scheme.
+# Import developer’s public GPG key to a keyring that we can use for signature
+# verification.
 workdir="$(mktemp --directory)"
-workring="${workdir}/keyring.gpg"
-gpg2 --homedir="${workdir}" --yes --no-default-keyring \
-    --keyring "${workring}" --import '%{SOURCE2}'
-gpg2 --homedir="${workdir}" --keyring "${workring}" --decrypt '%{SOURCE1}' \
-    > "${workdir}/%{name}.sha1"
-pushd "${workdir}"
-ln -s '%{SOURCE0}'
-sha1sum -c %{name}.sha1
-popd
+gpg2 --homedir="${workdir}" --yes --import '%{SOURCE2}'
+gpg2 --homedir="${workdir}" --export --export-options export-minimal \
+    > %{name}.gpg
 rm -rf "${workdir}"

+%{gpgverify} \
+    --keyring='%{name}.gpg' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+
 %autosetup
 # We must remove the jQuery/jQueryUI bundle with precompiled/minified/bundled
 # JavaScript that is in untracked/docs/reference/html/jquery.js, since such
@ -185,6 +171,9 @@ cp -rp examples %{buildroot}%{_datadir}/doc/%{name}-%{apiver}/


 %changelog
+* Sat Feb 20 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.14.2-8
+- Verify source with new strong signatures from upstream
+
 * Thu Feb 18 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.14.2-7
 - Working (but weak, dependent on SHA1) source signature verification
 - Added API/ABI version to descriptions
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 SHA512 (cairomm-1.14.2.tar.xz) = aef374fca25ad22770407e36512046b266d71ebeccd47fb629cfbf2f67783aa314bb335b972088a88d98417a4774d6f144cd2769c452f8aa23770eae08dca592
-SHA512 (cairomm-1.14.2.tar.xz.sha1.asc) = 992f2ab7be68ce7570ba49efa40cc12cc2d2ed13983127892f1335401a184f3cb35e1a4b422d7ff0d234a0085bbc0dac9c84f183133f40ac47e668fb6d21f3c6
+SHA512 (cairomm-1.14.2.tar.xz.asc) = b2b9c79d4fb2b43f30599a1bcb5138bf375962728e173514a2ee8b69bed2e7a78a8a4818258e0aec0138c953597f3e6cf83cd3b99b3e3a1538afcc0c23f6a7c1