diff --git a/.gitignore b/.gitignore
index fa4eb7a..63684f7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /cairomm-1.16.0.tar.xz
 /cairomm-1.16.0.tar.xz.sha1
 /cairomm-1.16.0.tar.xz.sha1.asc
+/cairomm-1.16.0.tar.xz.asc
diff --git a/cairomm1.16.spec b/cairomm1.16.spec
index abb6494..10ce838 100644
--- a/cairomm1.16.spec
+++ b/cairomm1.16.spec
@@ -9,22 +9,18 @@ Name: cairomm%{apiver}
 Summary: C++ API for the cairo graphics library
 Version: 1.16.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 URL: https://www.cairographics.org
 License: LGPLv2+
 %global src_base https://www.cairographics.org/releases
 Source0: %{src_base}/cairomm-%{version}.tar.xz
-# The complete set of authorized GPG signing keys is not published
-# (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), and
-# the signature is over a cryptographically-weak SHA1 checksum file
-# (https://gitlab.freedesktop.org/cairo/cairo/-/issues/458), as initially
-# reported in https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25.
-# However, we are able to verify the signature (of the weak SHA1 checksum)
-# using the key for Kjell Ahlstedt from
+# No keyring with authorized GPG signing keys is published
+# (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), but we
+# are able to verify the signature using the key for Kjell Ahlstedt from
 # https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/290.
-Source1: %{src_base}/cairomm-%{version}.tar.xz.sha1.asc
+Source1: %{src_base}/cairomm-%{version}.tar.xz.asc
 Source2: https://gitlab.freedesktop.org/freedesktop/freedesktop/uploads/0ac64e9582659f70a719d59fb02cd037/gpg_key.pub
 BuildRequires: gnupg2
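Review bot: The new Source2 comment says whose key the keyring holds but not which key, so nothing in the spec lets a reviewer confirm that the committed gpg_key.pub is still the key vetted in issue 290. Record the fingerprint next to it, e.g. `# Fingerprint of the key in %%{SOURCE2}: <KEY_FINGERPRINT — copy from the vetted key>`, so the trust anchor can be audited at a glance and compared against in %prep (the second hunk of this file). Source2 does not appear in the `sources` hunk below, so its integrity appears to rest on the dist-git checkout alone, which makes an in-spec fingerprint the only independent pin.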
@@ -95,27 +91,17 @@ The API/ABI version series is %{apiver}.
 %prep
-# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25
-# The .sha1.asc file in %%{SOURCE2} is a signed-but-not-encrypted copy of the
-# corresponding .sha1 file; see the description of the --sign option in
-# https://access.redhat.com/solutions/1541303. We “decrypt it” using the
-# signer’s public key from %%{SOURCE3} to obtain a verified copy of the .sha1
-# file. To do so, we must first import the public key into a keyring; see
-# /usr/lib/rpm/redhat/gpgverify, which is the implementation of the %%gpgverify
-# macro, although we cannot use that macro due to the unconventional signing
-# scheme.
+# Import developer’s public GPG key to a keyring that we can use for signature
+# verification.
 workdir="$(mktemp --directory)"
-workring="${workdir}/keyring.gpg"
-gpg2 --homedir="${workdir}" --yes --no-default-keyring \
- --keyring "${workring}" --import '%{SOURCE2}'
-gpg2 --homedir="${workdir}" --keyring "${workring}" --decrypt '%{SOURCE1}' \
- > "${workdir}/%{name}.sha1"
-pushd "${workdir}"
-ln -s '%{SOURCE0}'
-sha1sum -c %{name}.sha1
-popd
+gpg2 --homedir="${workdir}" --yes --import '%{SOURCE2}'
+gpg2 --homedir="${workdir}" --export --export-options export-minimal \ > %{name}.gpg
 rm -rf "${workdir}"
+%{gpgverify} \ --keyring='%{name}.gpg' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+
 %autosetup -n cairomm-%{version}
 # We must remove the jQuery/jQueryUI bundle with precompiled/minified/bundled
 # JavaScript that is in untracked/docs/reference/html/jquery.js, since such
@@ -173,6 +159,9 @@ cp -rp examples %{buildroot}%{_datadir}/doc/cairomm-%{apiver}/
 %changelog
+* Sat Feb 20 2021 Benjamin A. Beasley - 1.16.0-3
+- Verify source with new strong signatures from upstream
+
 * Wed Feb 17 2021 Benjamin A. Beasley - 1.16.0-2
 - Working (but weak, dependent on SHA1) source signature verification
 - Tidy up BR’s, including dropping make
diff --git a/sources b/sources
index 5770293..21a59b9 100644
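Review bot: The keyring exported to %{name}.gpg is never compared against a known fingerprint, so `%{gpgverify}` only proves the tarball matches whatever key %{SOURCE2} currently holds; a change to that file would go unnoticed by the build. Between the `--import` and the `--export`, check the imported key, e.g. `gpg2 --homedir="${workdir}" --with-colons --fingerprint | grep -q '^fpr:.*:<KEY_FINGERPRINT>:' || exit 1`, with the placeholder replaced by the fingerprint recorded in the spec header. Because the export runs without a key selector it would also ship any additional keys present in the file, so the check at least confirms that the expected key is among them. The %prep section continues past the end of this hunk.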
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (cairomm-1.16.0.tar.xz) = 51929620feeac45377da5d486ea7a091bbd10ad8376fb16525328947b9e6ee740cdc8e8bd190a247b457cc9fec685a829c81de29b26cabaf95383ef04cce80d3
-SHA512 (cairomm-1.16.0.tar.xz.sha1.asc) = f26e421b393da03de6874af08dab34e89dda42ccf7a4de91609b78443918aa86968a1a8dd726caaedc0b06eb12433c49f271097fb8c9a0461a06c2db406fa585
+SHA512 (cairomm-1.16.0.tar.xz.asc) = ba29497b0a4ba90a33bb47105b96560063617a3830ce2d7ae333c21c62d50fcf29498a05c009d904e58e326035aa74d61333f7720311fd55632a4badcbdf87b9