Working (but weak, dependent on SHA1) source signature verification; tidy up BR’s, including dropping make

cairomm1.16.spec

@@ -9,35 +9,43 @@
 Name:           cairomm%{apiver}
 Summary:        C++ API for the cairo graphics library
 Version:        1.16.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 
 URL:            https://www.cairographics.org
 License:        LGPLv2+
 
 %global src_base https://www.cairographics.org/releases
 Source0:        %{src_base}/cairomm-%{version}.tar.xz
-# We cannot verify GPG signatures at this time because there is no published
-# keychain or keyserver to get the signing key. (Additionally, the signature is
-# over a cryptographically-weak SHA1 checksum.) See
-# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25.
-Source1:        %{src_base}/cairomm-%{version}.tar.xz.sha1
-Source2:        %{src_base}/cairomm-%{version}.tar.xz.sha1.asc
-# Source3 reserved for future GPG keyring
+# The complete set of authorized GPG signing keys is not published
+# (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), and
+# the signature is over a cryptographically-weak SHA1 checksum file
+# (https://gitlab.freedesktop.org/cairo/cairo/-/issues/458), as initially
+# reported in https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25.
+# However, we are able to verify the signature (of the weak SHA1 checksum)
+# using the key for Kjell Ahlstedt from
+# https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/290.
+Source1:        %{src_base}/cairomm-%{version}.tar.xz.sha1.asc
+Source2:        https://gitlab.freedesktop.org/freedesktop/freedesktop/uploads/0ac64e9582659f70a719d59fb02cd037/gpg_key.pub
 
-# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25
-# BuildRequires:  gnupg2
+BuildRequires:  gnupg2
 
 BuildRequires:  gcc-c++
-BuildRequires:  make
-BuildRequires:  pkgconfig
-
 BuildRequires:  meson
 
 BuildRequires:  pkgconfig(cairo)
-BuildRequires:  pkgconfig(mm-common-libstdc++)
 BuildRequires:  pkgconfig(sigc++-3.0)
 BuildRequires:  pkgconfig(fontconfig)
 
+# Everything mentioned in data/cairomm*.pc.in, except the Quartz and Win32
+# libraries that do not apply to this platform:
+BuildRequires:  pkgconfig(cairo-ft)
+BuildRequires:  pkgconfig(cairo-pdf)
+BuildRequires:  pkgconfig(cairo-png)
+BuildRequires:  pkgconfig(cairo-ps)
+BuildRequires:  pkgconfig(cairo-svg)
+BuildRequires:  pkgconfig(cairo-xlib)
+BuildRequires:  pkgconfig(cairo-xlib-xrender)
+
 %if %{with maintainer_mode}
 # mm-common-get
 BuildRequires:  mm-common
@@ -50,16 +58,7 @@ BuildRequires:  doxygen
 BuildRequires:  graphviz
 # xsltproc
 BuildRequires:  libxslt
-
-# Everything mentioned in data/cairomm*.pc.in, except the Quartz and Win32
-# libraries that do not apply to this platform:
-BuildRequires:  pkgconfig(cairo-ft)
-BuildRequires:  pkgconfig(cairo-pdf)
-BuildRequires:  pkgconfig(cairo-png)
-BuildRequires:  pkgconfig(cairo-ps)
-BuildRequires:  pkgconfig(cairo-svg)
-BuildRequires:  pkgconfig(cairo-xlib)
-BuildRequires:  pkgconfig(cairo-xlib-xrender)
+BuildRequires:  pkgconfig(mm-common-libstdc++)
 
 # For tests:
 BuildRequires:  boost-devel
@@ -97,11 +96,26 @@ The API/ABI version series is %{apiver}.
 
 %prep
 # https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25
-pushd "$(dirname %{SOURCE1})"
-sha1sum -c "$(basename %{SOURCE1})"
+# The .sha1.asc file in %%{SOURCE2} is a signed-but-not-encrypted copy of the
+# corresponding .sha1 file; see the description of the --sign option in
+# https://access.redhat.com/solutions/1541303. We “decrypt it” using the
+# signer’s public key from %%{SOURCE3} to obtain a verified copy of the .sha1
+# file. To do so, we must first import the public key into a keyring; see
+# /usr/lib/rpm/redhat/gpgverify, which is the implementation of the %%gpgverify
+# macro, although we cannot use that macro due to the unconventional signing
+# scheme.
+workdir="$(mktemp --directory)"
+workring="${workdir}/keyring.gpg"
+gpg2 --homedir="${workdir}" --yes --no-default-keyring \
+    --keyring "${workring}" --import '%{SOURCE2}'
+gpg2 --homedir="${workdir}" --keyring "${workring}" --decrypt '%{SOURCE1}' \
+    > "${workdir}/%{name}.sha1"
+pushd "${workdir}"
+ln -s '%{SOURCE0}'
+sha1sum -c %{name}.sha1
 popd
-# %%{gpgverify} --keyring='%%{SOURCE3}' --signature='%%{SOURCE2}' \
-#   --data='%%{SOURCE1}'
+rm -rf "${workdir}"
+
 %autosetup -n cairomm-%{version}
 # We must remove the jQuery/jQueryUI bundle with precompiled/minified/bundled
 # JavaScript that is in untracked/docs/reference/html/jquery.js, since such
@@ -159,6 +173,10 @@ cp -rp examples %{buildroot}%{_datadir}/doc/cairomm-%{apiver}/
 
 
 %changelog
+* Wed Feb 17 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.16.0-2
+- Working (but weak, dependent on SHA1) source signature verification
+- Tidy up BR’s, including dropping make
+
 * Wed Feb 17 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 1.16.0-1
 - New multi-version cairomm1.16 package to provide the version 1.16 API/ABI;
   based on the spec file from cairomm-1.14.2-5

gpg_key.pub

@@ -0,0 +1,41 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBF9XkQUBDADmaPl0W4LoNnFwUy3aQQgQn2HyuoGO292p/UHdSjgQ+uiVOETU
+sGlXUoqMHB2L0G/PM5fBGAdH26EWdkTNoRMVIH1vhcbA6xKCI4AEM06HtU8J7vTw
+hKtW9qiYe0Gf5gF0lYFEeyoLaZUKZJmVgcFvs33kxPNkBX8+kSbCDG77cjY1X2M5
+jTR/JFv0IwxAdGBaONyp4pB66qQU8skXKlrNmmc6VvP2Q8D0P6EcDJ3FfUumuTMa
+tcWf72jimHKsu3XR6nfH3ghbpxxLD54MSv0vtF/5jJRon1PkASkbo+aAf3w28pKQ
+TZnCeD4RcL1f3ijo2VlxMqAcdUOL/c5aRLuzz+iQobl68zsOn2YSg9kpfgmfoOmZ
+Uk1XB6R4aJkh6FihZmd+QIrmjIPD3fZPxfyx2SfdAq2o5CURbNfq/enG9DyBfg78
+jgTv6ybISpOmrWjR9i6nAJAkAI5upBgIuKn2VntQKuHzrjNRDSQeMMV+rdgnx2Fz
+nkcIjs30U+kz9uMAEQEAAbQoS2plbGwgQWhsc3RlZHQgPGtqZWxsYWhsc3RlZHRA
+Z21haWwuY29tPokB1AQTAQoAPhYhBGy0RagWUEcUqkliV566FV/MEtLABQJfV5EF
+AhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJ66FV/MEtLAa4MM
+ALqkWxHC+hXB2yxH/X32nOGdJTZqEsW+gAuOyJ26mOy29ZecaBf83eEBR6BYN22Z
+OwLta5bhC75OJt3rxqZZRC1QcFLxDH5n8UkXInu5U7kZkPIyEW8rmtgK4Y3EEetF
+AcxT75/OsYL1ssTd/CCbNCe2KLarIwu/mNRN42yZq8nqWN94sfRwCGRltwtEjPiW
+OepIBjk4QNaFa2iACCWKyeDX3l6XdWUza7InYYZep+9759Vv3iHOlwOJRQdXE7Gp
+RrftCxls/aR/M4pWMHa8Mbev12Gz1+emChCcpyU14ce04mDsefcRiaCPD8kH5LII
+fH7YMqFd0KOZZDLZFQRQhLb5zCPlLwgjiDsS7XUhfCCA7HQhWVPV26afbllIB03f
+d9m0WCbnrPsKP3LazDVhXLkYRrDNrEzKV8Oy2hKw+BlpmOhgtVIPrHCdYMt+4kzi
+f16CFUiim2yTjqa8tDcsiIMPccaqRjjhQJ/KxmQSvMLmZOgkYNaOgO9FQ/pJsnMX
+b7kBjQRfV5EFAQwAu2/c0DO1x5gwcXoAlXzx5ONIpSzqOtTHubMaUTV0R6B8yVGs
+o2rL5tbTdr5ClIOwc2gvYz/mLsOyikb7fy+EBW7/CrtlPZTFrt5pA19it7I0MK7K
+mMu6bDgK14E9LBfJIsNnDEvmPhdMloCMeIxcSldpVu/VG3CbWqVVrCy/PTI22FYx
+lM+CIDOgQgG7NeIebvBKAeaWk1lGW0qf/i/mWMTuv+/37okUzjWBXboKhpJ0WzY4
+O2fxgTV1EwQ44jMDiKFbq+hUFRln+hdTCrez4F4xvly2AyNYLciiksCz0LqcMZ2o
+x1MHm3P/lWJvPK7r1tQQI+THq/XbWcVRKJPCOiFcEUs1rHxsTprmHVOuAPhWP3kp
++ZhLIqdpvw2B//hiJmJgLIiXHkfRUwmHaIAZrmWTqEjhJc0cZP+F4+0UNabr7Lmd
+pl7vBGh+TCwu9EN/SmCvRAc9JdlLOHwpaDxXrjUQ5S9PbwMiw00HwvDjqt7Wsvks
+1XVAiiBTddhafZCJABEBAAGJAbwEGAEKACYWIQRstEWoFlBHFKpJYleeuhVfzBLS
+wAUCX1eRBQIbDAUJA8JnAAAKCRCeuhVfzBLSwE7aDADlFFoqJFNqxF2jC+jHzTcS
+vjpZVk9GTcyRqulVzpH18gLZnN+1abgVOGA0abfE9qV+mRnMmyfrhfB8kGc+VodS
+ByRuAktW8n+AlgGN26hk4nEChcf09BHhRZkDbdSEhhZNeqYfTGZIivxx97KgzrC6
+9b9MrSMogzeOMbzLYojiJxsAhFvTgrPeJObRwf71dLFmBvjL7fheTVsaDq/v6EWz
+unnNZPRGWwiYnIZkHN8+ZVbumlm2zHAk1EOaCbaVOok24CVzZaOJWhUsoWwdAMuy
+hJB4iTy3NzhpgJaU8M6CwSDdZboXLqe4S2Ys74Y7Pf5kOhV/b9C+DD3D7kirwyWS
+gsmjKHdTZbNx9NBsDoAIOQiCvg1VqwUBSeqBYPMJOKzvZGRN+CZnoiN+NDoAS1qI
+zLEl8udwtXc30yzKbX5Izx3PqaHx7eWJeY8VuF+oynb/hQUdb9VMYFAfP3//Ow2A
+8v/f6lrl1xTqdRtpn719bcIDXYCZNPEi6kHk0vU/sH4=
+=nxmX
+-----END PGP PUBLIC KEY BLOCK-----

sources

@@ -1,3 +1,2 @@
 SHA512 (cairomm-1.16.0.tar.xz) = 51929620feeac45377da5d486ea7a091bbd10ad8376fb16525328947b9e6ee740cdc8e8bd190a247b457cc9fec685a829c81de29b26cabaf95383ef04cce80d3
-SHA512 (cairomm-1.16.0.tar.xz.sha1) = 3c33c3fde4857fc2977698e46997c33051814550607c9fb8e024a029ef7b5167d9a5991ef26f716c2df296e2648b1784614ee9ef198b71da4df6dcdefb20c605
 SHA512 (cairomm-1.16.0.tar.xz.sha1.asc) = f26e421b393da03de6874af08dab34e89dda42ccf7a4de91609b78443918aa86968a1a8dd726caaedc0b06eb12433c49f271097fb8c9a0461a06c2db406fa585