Rough out code to verify source tarball signatures, and document why we cannot yet do so

cairomm.spec

@@ -11,7 +11,18 @@ Release:        16%{?dist}
 URL:            https://www.cairographics.org
 License:        LGPLv2+
 
-Source0:        https://www.cairographics.org/releases/%{name}-%{version}.tar.gz
+%global src_base https://www.cairographics.org/releases
+Source0:        %{src_base}/%{name}-%{version}.tar.gz
+# We cannot verify GPG signatures at this time because there is no published
+# keychain or keyserver to get the signing key. (Additionally, the signature is
+# over a cryptographically-weak SHA1 checksum.) See
+# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25.
+Source1:        %{src_base}/%{name}-%{version}.tar.gz.sha1
+Source2:        %{src_base}/%{name}-%{version}.tar.gz.sha1.asc
+# Source3 reserved for future GPG keyring
+
+# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25
+# BuildRequires:  gnupg2
 
 BuildRequires:  gcc-c++
 BuildRequires:  make
@@ -59,6 +70,12 @@ documentation browser or through a web browser at
 
 
 %prep
+# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25
+pushd "$(dirname %{SOURCE1})"
+sha1sum -c "$(basename %{SOURCE1})"
+popd
+# %%{gpgverify} --keyring='%%{SOURCE3}' --signature='%%{SOURCE2}' \
+#   --data='%%{SOURCE1}'
 %setup -q
 # We must remove the jQuery/jQueryUI bundle with precompiled/minified/bundled
 # JavaScript that is in docs/reference/html/jquery.js, since such sources are
@@ -118,6 +135,8 @@ install -t %{buildroot}%{_datadir}/doc/%{name}-%{apiver} -m 0644 -p \
 %changelog
 * Thu Feb 11 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.12.0-16
 - Switch URLs from HTTP to HTTPS
+- Rough out code to verify source tarball signatures, and document why we
+  cannot yet do so
 
 * Thu Feb 11 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.12.0-15
 - Spec file style tweaks