Verify source with new strong signatures from upstream

.gitignore

@@ -1,3 +1,4 @@
 /cairomm-1.16.0.tar.xz
 /cairomm-1.16.0.tar.xz.sha1
 /cairomm-1.16.0.tar.xz.sha1.asc
+/cairomm-1.16.0.tar.xz.asc

cairomm1.16.spec

@@ -9,22 +9,18 @@
 Name:           cairomm%{apiver}
 Summary:        C++ API for the cairo graphics library
 Version:        1.16.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 
 URL:            https://www.cairographics.org
 License:        LGPLv2+
 
 %global src_base https://www.cairographics.org/releases
 Source0:        %{src_base}/cairomm-%{version}.tar.xz
-# The complete set of authorized GPG signing keys is not published
-# (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), and
-# the signature is over a cryptographically-weak SHA1 checksum file
-# (https://gitlab.freedesktop.org/cairo/cairo/-/issues/458), as initially
-# reported in https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25.
-# However, we are able to verify the signature (of the weak SHA1 checksum)
-# using the key for Kjell Ahlstedt from
+# No keyring with authorized GPG signing keys is published
+# (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), but we
+# are able to verify the signature using the key for Kjell Ahlstedt from
 # https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/290.
-Source1:        %{src_base}/cairomm-%{version}.tar.xz.sha1.asc
+Source1:        %{src_base}/cairomm-%{version}.tar.xz.asc
 Source2:        https://gitlab.freedesktop.org/freedesktop/freedesktop/uploads/0ac64e9582659f70a719d59fb02cd037/gpg_key.pub
 
 BuildRequires:  gnupg2
@@ -95,27 +91,17 @@ The API/ABI version series is %{apiver}.
 
 
 %prep
-# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25
-# The .sha1.asc file in %%{SOURCE2} is a signed-but-not-encrypted copy of the
-# corresponding .sha1 file; see the description of the --sign option in
-# https://access.redhat.com/solutions/1541303. We “decrypt it” using the
-# signer’s public key from %%{SOURCE3} to obtain a verified copy of the .sha1
-# file. To do so, we must first import the public key into a keyring; see
-# /usr/lib/rpm/redhat/gpgverify, which is the implementation of the %%gpgverify
-# macro, although we cannot use that macro due to the unconventional signing
-# scheme.
+# Import developer’s public GPG key to a keyring that we can use for signature
+# verification.
 workdir="$(mktemp --directory)"
-workring="${workdir}/keyring.gpg"
-gpg2 --homedir="${workdir}" --yes --no-default-keyring \
-    --keyring "${workring}" --import '%{SOURCE2}'
-gpg2 --homedir="${workdir}" --keyring "${workring}" --decrypt '%{SOURCE1}' \
-    > "${workdir}/%{name}.sha1"
-pushd "${workdir}"
-ln -s '%{SOURCE0}'
-sha1sum -c %{name}.sha1
-popd
+gpg2 --homedir="${workdir}" --yes --import '%{SOURCE2}'
+gpg2 --homedir="${workdir}" --export --export-options export-minimal \
+    > %{name}.gpg
 rm -rf "${workdir}"
 
+%{gpgverify} \
+    --keyring='%{name}.gpg' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+
 %autosetup -n cairomm-%{version}
 # We must remove the jQuery/jQueryUI bundle with precompiled/minified/bundled
 # JavaScript that is in untracked/docs/reference/html/jquery.js, since such
@@ -173,6 +159,9 @@ cp -rp examples %{buildroot}%{_datadir}/doc/cairomm-%{apiver}/
 
 
 %changelog
+* Sat Feb 20 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.16.0-3
+- Verify source with new strong signatures from upstream
+
 * Wed Feb 17 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.16.0-2
 - Working (but weak, dependent on SHA1) source signature verification
 - Tidy up BR’s, including dropping make

sources

@@ -1,2 +1,2 @@
 SHA512 (cairomm-1.16.0.tar.xz) = 51929620feeac45377da5d486ea7a091bbd10ad8376fb16525328947b9e6ee740cdc8e8bd190a247b457cc9fec685a829c81de29b26cabaf95383ef04cce80d3
-SHA512 (cairomm-1.16.0.tar.xz.sha1.asc) = f26e421b393da03de6874af08dab34e89dda42ccf7a4de91609b78443918aa86968a1a8dd726caaedc0b06eb12433c49f271097fb8c9a0461a06c2db406fa585
+SHA512 (cairomm-1.16.0.tar.xz.asc) = ba29497b0a4ba90a33bb47105b96560063617a3830ce2d7ae333c21c62d50fcf29498a05c009d904e58e326035aa74d61333f7720311fd55632a4badcbdf87b9