Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/cairomm.git#57b849212d845c4915541582feb0cc3dfbcc0459
DistroBaker 2021-02-20 14:05:57 +00:00
parent 3606414834
commit 804d0ae52d
3 changed files with 18 additions and 28 deletions

.gitignore vendored

@ -13,3 +13,4 @@ cairomm-1.9.1.tar.gz
/cairomm-1.14.2.tar.xz /cairomm-1.14.2.tar.xz
/cairomm-1.14.2.tar.xz.sha1 /cairomm-1.14.2.tar.xz.sha1
/cairomm-1.14.2.tar.xz.sha1.asc /cairomm-1.14.2.tar.xz.sha1.asc
/cairomm-1.14.2.tar.xz.asc


@ -9,22 +9,18 @@
Name: cairomm Name: cairomm
Summary: C++ API for the cairo graphics library Summary: C++ API for the cairo graphics library
Version: 1.14.2 Version: 1.14.2
Release: 7%{?dist} Release: 8%{?dist}
URL: https://www.cairographics.org URL: https://www.cairographics.org
License: LGPLv2+ License: LGPLv2+
%global src_base https://www.cairographics.org/releases %global src_base https://www.cairographics.org/releases
Source0: %{src_base}/%{name}-%{version}.tar.xz Source0: %{src_base}/%{name}-%{version}.tar.xz
# The complete set of authorized GPG signing keys is not published # No keyring with authorized GPG signing keys is published
# (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), and # (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), but we
# the signature is over a cryptographically-weak SHA1 checksum file # are able to verify the signature using the key for Kjell Ahlstedt from
# (https://gitlab.freedesktop.org/cairo/cairo/-/issues/458), as initially
# reported in https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25.
# However, we are able to verify the signature (of the weak SHA1 checksum)
# using the key for Kjell Ahlstedt from
# https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/290. # https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/290.
Source1: %{src_base}/cairomm-%{version}.tar.xz.sha1.asc Source1: %{src_base}/cairomm-%{version}.tar.xz.asc
Source2: https://gitlab.freedesktop.org/freedesktop/freedesktop/uploads/0ac64e9582659f70a719d59fb02cd037/gpg_key.pub Source2: https://gitlab.freedesktop.org/freedesktop/freedesktop/uploads/0ac64e9582659f70a719d59fb02cd037/gpg_key.pub
BuildRequires: gnupg2 BuildRequires: gnupg2
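Review bot: the comment above Source1 and Source2 names the key's owner and the issue it was taken from, but not the key's fingerprint, so nothing in the spec records which key gpg_key.pub is expected to contain. The comment itself says no keyring of authorized signing keys is published, which makes Source2 the only trust anchor for Source0. Adding the full fingerprint to the comment would let a reviewer confirm that any later change to Source2 is still the same key.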
@ -107,27 +103,17 @@ The API/ABI version series is %{apiver}.
%prep %prep
# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25 # Import developers public GPG key to a keyring that we can use for signature
# The .sha1.asc file in %%{SOURCE2} is a signed-but-not-encrypted copy of the # verification.
# corresponding .sha1 file; see the description of the --sign option in
# https://access.redhat.com/solutions/1541303. We “decrypt it” using the
# signers public key from %%{SOURCE3} to obtain a verified copy of the .sha1
# file. To do so, we must first import the public key into a keyring; see
# /usr/lib/rpm/redhat/gpgverify, which is the implementation of the %%gpgverify
# macro, although we cannot use that macro due to the unconventional signing
# scheme.
workdir="$(mktemp --directory)" workdir="$(mktemp --directory)"
workring="${workdir}/keyring.gpg" gpg2 --homedir="${workdir}" --yes --import '%{SOURCE2}'
gpg2 --homedir="${workdir}" --yes --no-default-keyring \ gpg2 --homedir="${workdir}" --export --export-options export-minimal \
--keyring "${workring}" --import '%{SOURCE2}' > %{name}.gpg
gpg2 --homedir="${workdir}" --keyring "${workring}" --decrypt '%{SOURCE1}' \
> "${workdir}/%{name}.sha1"
pushd "${workdir}"
ln -s '%{SOURCE0}'
sha1sum -c %{name}.sha1
popd
rm -rf "${workdir}" rm -rf "${workdir}"
%{gpgverify} \
--keyring='%{name}.gpg' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup %autosetup
# We must remove the jQuery/jQueryUI bundle with precompiled/minified/bundled # We must remove the jQuery/jQueryUI bundle with precompiled/minified/bundled
# JavaScript that is in untracked/docs/reference/html/jquery.js, since such # JavaScript that is in untracked/docs/reference/html/jquery.js, since such
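Review bot: in the new %prep block the exported keyring is written to the current directory by relative path (`> %{name}.gpg`) and is never removed, while `rm -rf "${workdir}"` runs before `%{gpgverify}` rather than after it. Writing the export to "${workdir}/%{name}.gpg", passing that path to `--keyring`, and moving the `rm -rf` below the `%{gpgverify}` call would keep the keyring out of the build directory and clean everything up in one place. If either gpg2 call fails and the script stops, workdir is also left behind, which a trap on exit would cover. Minor: "developers public GPG key" in the new comment should read "developer's public GPG key".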
@ -185,6 +171,9 @@ cp -rp examples %{buildroot}%{_datadir}/doc/%{name}-%{apiver}/
%changelog %changelog
* Sat Feb 20 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.14.2-8
- Verify source with new strong signatures from upstream
* Thu Feb 18 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.14.2-7 * Thu Feb 18 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.14.2-7
- Working (but weak, dependent on SHA1) source signature verification - Working (but weak, dependent on SHA1) source signature verification
- Added API/ABI version to descriptions - Added API/ABI version to descriptions


@ -1,2 +1,2 @@
SHA512 (cairomm-1.14.2.tar.xz) = aef374fca25ad22770407e36512046b266d71ebeccd47fb629cfbf2f67783aa314bb335b972088a88d98417a4774d6f144cd2769c452f8aa23770eae08dca592 SHA512 (cairomm-1.14.2.tar.xz) = aef374fca25ad22770407e36512046b266d71ebeccd47fb629cfbf2f67783aa314bb335b972088a88d98417a4774d6f144cd2769c452f8aa23770eae08dca592
SHA512 (cairomm-1.14.2.tar.xz.sha1.asc) = 992f2ab7be68ce7570ba49efa40cc12cc2d2ed13983127892f1335401a184f3cb35e1a4b422d7ff0d234a0085bbc0dac9c84f183133f40ac47e668fb6d21f3c6 SHA512 (cairomm-1.14.2.tar.xz.asc) = b2b9c79d4fb2b43f30599a1bcb5138bf375962728e173514a2ee8b69bed2e7a78a8a4818258e0aec0138c953597f3e6cf83cd3b99b3e3a1538afcc0c23f6a7c1