Verify source with new strong signatures from upstream

This commit is contained in:
Benjamin A. Beasley 2021-02-20 08:47:25 -05:00
parent 7de4903a98
commit 05f4ba33b8
3 changed files with 18 additions and 28 deletions

.gitignore

@ -1,3 +1,4 @@
/cairomm-1.16.0.tar.xz /cairomm-1.16.0.tar.xz
/cairomm-1.16.0.tar.xz.sha1 /cairomm-1.16.0.tar.xz.sha1
/cairomm-1.16.0.tar.xz.sha1.asc /cairomm-1.16.0.tar.xz.sha1.asc
/cairomm-1.16.0.tar.xz.asc
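Review bot: the stale entries for `/cairomm-1.16.0.tar.xz.sha1` and `/cairomm-1.16.0.tar.xz.sha1.asc` on the first three lines are kept even though the spec no longer fetches either file; drop them alongside the new `/cairomm-1.16.0.tar.xz.asc` line so the ignore list matches what the spec actually downloads.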


@ -9,22 +9,18 @@
Name: cairomm%{apiver} Name: cairomm%{apiver}
Summary: C++ API for the cairo graphics library Summary: C++ API for the cairo graphics library
Version: 1.16.0 Version: 1.16.0
Release: 2%{?dist} Release: 3%{?dist}
URL: https://www.cairographics.org URL: https://www.cairographics.org
License: LGPLv2+ License: LGPLv2+
%global src_base https://www.cairographics.org/releases %global src_base https://www.cairographics.org/releases
Source0: %{src_base}/cairomm-%{version}.tar.xz Source0: %{src_base}/cairomm-%{version}.tar.xz
# The complete set of authorized GPG signing keys is not published # No keyring with authorized GPG signing keys is published
# (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), and # (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), but we
# the signature is over a cryptographically-weak SHA1 checksum file # are able to verify the signature using the key for Kjell Ahlstedt from
# (https://gitlab.freedesktop.org/cairo/cairo/-/issues/458), as initially
# reported in https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25.
# However, we are able to verify the signature (of the weak SHA1 checksum)
# using the key for Kjell Ahlstedt from
# https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/290. # https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/290.
Source1: %{src_base}/cairomm-%{version}.tar.xz.sha1.asc Source1: %{src_base}/cairomm-%{version}.tar.xz.asc
Source2: https://gitlab.freedesktop.org/freedesktop/freedesktop/uploads/0ac64e9582659f70a719d59fb02cd037/gpg_key.pub Source2: https://gitlab.freedesktop.org/freedesktop/freedesktop/uploads/0ac64e9582659f70a719d59fb02cd037/gpg_key.pub
BuildRequires: gnupg2 BuildRequires: gnupg2
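Review bot: the trust anchor for the new verification is a public key fetched from a GitLab issue upload (Source2), and nothing in the rewritten comment block records which key that is. Add the key's fingerprint next to the https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/290 reference so a reviewer can check a re-downloaded gpg_key.pub against a known value, and so the `.asc` in Source1 is being checked against a named signer rather than against whatever file the upload URL happens to serve.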
@ -95,27 +91,17 @@ The API/ABI version series is %{apiver}.
%prep %prep
# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25 # Import developers public GPG key to a keyring that we can use for signature
# The .sha1.asc file in %%{SOURCE2} is a signed-but-not-encrypted copy of the # verification.
# corresponding .sha1 file; see the description of the --sign option in
# https://access.redhat.com/solutions/1541303. We “decrypt it” using the
# signers public key from %%{SOURCE3} to obtain a verified copy of the .sha1
# file. To do so, we must first import the public key into a keyring; see
# /usr/lib/rpm/redhat/gpgverify, which is the implementation of the %%gpgverify
# macro, although we cannot use that macro due to the unconventional signing
# scheme.
workdir="$(mktemp --directory)" workdir="$(mktemp --directory)"
workring="${workdir}/keyring.gpg" gpg2 --homedir="${workdir}" --yes --import '%{SOURCE2}'
gpg2 --homedir="${workdir}" --yes --no-default-keyring \ gpg2 --homedir="${workdir}" --export --export-options export-minimal \
--keyring "${workring}" --import '%{SOURCE2}' > %{name}.gpg
gpg2 --homedir="${workdir}" --keyring "${workring}" --decrypt '%{SOURCE1}' \
> "${workdir}/%{name}.sha1"
pushd "${workdir}"
ln -s '%{SOURCE0}'
sha1sum -c %{name}.sha1
popd
rm -rf "${workdir}" rm -rf "${workdir}"
%{gpgverify} \
--keyring='%{name}.gpg' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup -n cairomm-%{version} %autosetup -n cairomm-%{version}
# We must remove the jQuery/jQueryUI bundle with precompiled/minified/bundled # We must remove the jQuery/jQueryUI bundle with precompiled/minified/bundled
# JavaScript that is in untracked/docs/reference/html/jquery.js, since such # JavaScript that is in untracked/docs/reference/html/jquery.js, since such
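Review bot: `gpg2 --homedir="${workdir}" --export --export-options export-minimal > %{name}.gpg` exports every key in the scratch homedir with no key ID, so the keyring handed to %{gpgverify} is simply "whatever was in %{SOURCE2}". That works today because exactly one key is imported, but the check would silently accept a different signer if gpg_key.pub were ever replaced; pass the expected fingerprint to `--export` (or verify it after the import with `gpg2 --homedir="${workdir}" --fingerprint`) so the trust anchor is stated in the spec and not only in the downloaded file. Minor: `%{name}.gpg` is written to the current directory and never removed, unlike the temporary homedir that is cleaned up with `rm -rf "${workdir}"`.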
@ -173,6 +159,9 @@ cp -rp examples %{buildroot}%{_datadir}/doc/cairomm-%{apiver}/
%changelog %changelog
* Sat Feb 20 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.16.0-3
- Verify source with new strong signatures from upstream
* Wed Feb 17 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.16.0-2 * Wed Feb 17 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.16.0-2
- Working (but weak, dependent on SHA1) source signature verification - Working (but weak, dependent on SHA1) source signature verification
- Tidy up BRs, including dropping make - Tidy up BRs, including dropping make


@ -1,2 +1,2 @@
SHA512 (cairomm-1.16.0.tar.xz) = 51929620feeac45377da5d486ea7a091bbd10ad8376fb16525328947b9e6ee740cdc8e8bd190a247b457cc9fec685a829c81de29b26cabaf95383ef04cce80d3 SHA512 (cairomm-1.16.0.tar.xz) = 51929620feeac45377da5d486ea7a091bbd10ad8376fb16525328947b9e6ee740cdc8e8bd190a247b457cc9fec685a829c81de29b26cabaf95383ef04cce80d3
SHA512 (cairomm-1.16.0.tar.xz.sha1.asc) = f26e421b393da03de6874af08dab34e89dda42ccf7a4de91609b78443918aa86968a1a8dd726caaedc0b06eb12433c49f271097fb8c9a0461a06c2db406fa585 SHA512 (cairomm-1.16.0.tar.xz.asc) = ba29497b0a4ba90a33bb47105b96560063617a3830ce2d7ae333c21c62d50fcf29498a05c009d904e58e326035aa74d61333f7720311fd55632a4badcbdf87b9