diff --git a/cairomm1.16.spec b/cairomm1.16.spec
index ae3fcd1..abb6494 100644
--- a/cairomm1.16.spec
+++ b/cairomm1.16.spec
@@ -9,35 +9,43 @@ Name: cairomm%{apiver}
 Summary: C++ API for the cairo graphics library
 Version: 1.16.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 URL: https://www.cairographics.org
 License: LGPLv2+
 %global src_base https://www.cairographics.org/releases
 Source0: %{src_base}/cairomm-%{version}.tar.xz
-# We cannot verify GPG signatures at this time because there is no published
-# keychain or keyserver to get the signing key. (Additionally, the signature is
-# over a cryptographically-weak SHA1 checksum.) See
-# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25.
-Source1: %{src_base}/cairomm-%{version}.tar.xz.sha1
-Source2: %{src_base}/cairomm-%{version}.tar.xz.sha1.asc
-# Source3 reserved for future GPG keyring
+# The complete set of authorized GPG signing keys is not published
+# (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), and
+# the signature is over a cryptographically-weak SHA1 checksum file
+# (https://gitlab.freedesktop.org/cairo/cairo/-/issues/458), as initially
+# reported in https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25.
+# However, we are able to verify the signature (of the weak SHA1 checksum)
+# using the key for Kjell Ahlstedt from
+# https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/290.
+Source1: %{src_base}/cairomm-%{version}.tar.xz.sha1.asc
+Source2: https://gitlab.freedesktop.org/freedesktop/freedesktop/uploads/0ac64e9582659f70a719d59fb02cd037/gpg_key.pub
-# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25
-# BuildRequires: gnupg2
+BuildRequires: gnupg2
 BuildRequires: gcc-c++
-BuildRequires: make
-BuildRequires: pkgconfig
-
 BuildRequires: meson
 BuildRequires: pkgconfig(cairo)
-BuildRequires: pkgconfig(mm-common-libstdc++)
 BuildRequires: pkgconfig(sigc++-3.0)
 BuildRequires: pkgconfig(fontconfig)
+# Everything mentioned in data/cairomm*.pc.in, except the Quartz and Win32
+# libraries that do not apply to this platform:
+BuildRequires: pkgconfig(cairo-ft)
+BuildRequires: pkgconfig(cairo-pdf)
+BuildRequires: pkgconfig(cairo-png)
+BuildRequires: pkgconfig(cairo-ps)
+BuildRequires: pkgconfig(cairo-svg)
+BuildRequires: pkgconfig(cairo-xlib)
+BuildRequires: pkgconfig(cairo-xlib-xrender)
+
 %if %{with maintainer_mode}
 # mm-common-get
 BuildRequires: mm-common
@@ -50,16 +58,7 @@ BuildRequires: doxygen
 BuildRequires: graphviz
 # xsltproc
 BuildRequires: libxslt
-
-# Everything mentioned in data/cairomm*.pc.in, except the Quartz and Win32
-# libraries that do not apply to this platform:
-BuildRequires: pkgconfig(cairo-ft)
-BuildRequires: pkgconfig(cairo-pdf)
-BuildRequires: pkgconfig(cairo-png)
-BuildRequires: pkgconfig(cairo-ps)
-BuildRequires: pkgconfig(cairo-svg)
-BuildRequires: pkgconfig(cairo-xlib)
-BuildRequires: pkgconfig(cairo-xlib-xrender)
+BuildRequires: pkgconfig(mm-common-libstdc++)
 # For tests:
 BuildRequires: boost-devel
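Review bot: Source2 is the only trust root for the whole verification scheme, and it is an attachment uploaded to a GitLab issue rather than a key published by the cairomm project, yet the comment above it records nothing that would let a later refresh of gpg_key.pub be checked against the key that was originally vetted. Record the key's fingerprint next to Source2 (on a recent GnuPG, `gpg2 --show-keys --with-fingerprint gpg_key.pub` prints it), e.g. `# Fingerprint of the key in Source2, checked against issue 290: <fingerprint>`, so that a swapped key shows up in review instead of silently becoming the new root. Note also that the Source2 URL is informational only: rpmbuild reads the committed gpg_key.pub, so the commit of that file is what actually pins the key.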
@@ -97,11 +96,26 @@ The API/ABI version series is %{apiver}.
 %prep
 # https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25
-pushd "$(dirname %{SOURCE1})"
-sha1sum -c "$(basename %{SOURCE1})"
+# The .sha1.asc file in %%{SOURCE2} is a signed-but-not-encrypted copy of the
+# corresponding .sha1 file; see the description of the --sign option in
+# https://access.redhat.com/solutions/1541303. We “decrypt it” using the
+# signer’s public key from %%{SOURCE3} to obtain a verified copy of the .sha1
+# file. To do so, we must first import the public key into a keyring; see
+# /usr/lib/rpm/redhat/gpgverify, which is the implementation of the %%gpgverify
+# macro, although we cannot use that macro due to the unconventional signing
+# scheme.
+workdir="$(mktemp --directory)"
+workring="${workdir}/keyring.gpg"
+gpg2 --homedir="${workdir}" --yes --no-default-keyring \
+ --keyring "${workring}" --import '%{SOURCE2}'
+gpg2 --homedir="${workdir}" --keyring "${workring}" --decrypt '%{SOURCE1}' \
+ > "${workdir}/%{name}.sha1"
+pushd "${workdir}"
+ln -s '%{SOURCE0}'
+sha1sum -c %{name}.sha1
 popd
-# %%{gpgverify} --keyring='%%{SOURCE3}' --signature='%%{SOURCE2}' \
-# --data='%%{SOURCE1}'
+rm -rf "${workdir}"
+
 %autosetup -n cairomm-%{version}
 # We must remove the jQuery/jQueryUI bundle with precompiled/minified/bundled
 # JavaScript that is in untracked/docs/reference/html/jquery.js, since such
@@ -159,6 +173,10 @@ cp -rp examples %{buildroot}%{_datadir}/doc/cairomm-%{apiver}/
 %changelog
+* Wed Feb 17 2021 Benjamin A. Beasley - 1.16.0-2
+- Working (but weak, dependent on SHA1) source signature verification
+- Tidy up BR’s, including dropping make
+
 * Wed Feb 17 2021 Benjamin A. Beasley - 1.16.0-1
 - New multi-version cairomm1.16 package to provide the version 1.16 API/ABI; based on the spec file from cairomm-1.14.2-5
diff --git a/gpg_key.pub b/gpg_key.pub
new file mode 100644
index 0000000..def31f7
--- /dev/null
+++ b/gpg_key.pub
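Review bot: `gpg2 --decrypt` does not require that the input carry a signature at all, so as far as I can tell a replacement .sha1.asc consisting of a plain OpenPGP literal-data packet would be written to `%{name}.sha1` with exit status 0 and the following `sha1sum -c` would then check the tarball against attacker-chosen digests; only a bad signature, not an absent one, aborts %prep. Prefer gpgv2, which fails unless the data is signed by a key in the supplied keyring, e.g. `gpgv2 --keyring "${workring}" --output "${workdir}/%{name}.sha1" '%{SOURCE1}'` (if the installed gpgv2 lacks --output, keep gpg2 but add `--status-fd 1` and require a `VALIDSIG` line before trusting the output). The new comment also misnumbers the sources: the .sha1.asc is `%{SOURCE1}` and the key is `%{SOURCE2}`, so `%%{SOURCE2}`/`%%{SOURCE3}` in the comment should read `%%{SOURCE1}`/`%%{SOURCE2}`. Adding `--batch` to both gpg2 invocations would guarantee nothing can block on a prompt in a build root, and it is worth stating in the comment that the tarball's integrity still rests on SHA-1 here while the SHA512 recorded in `sources` is the stronger check in practice.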
@@ -0,0 +1,41 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBF9XkQUBDADmaPl0W4LoNnFwUy3aQQgQn2HyuoGO292p/UHdSjgQ+uiVOETU +sGlXUoqMHB2L0G/PM5fBGAdH26EWdkTNoRMVIH1vhcbA6xKCI4AEM06HtU8J7vTw +hKtW9qiYe0Gf5gF0lYFEeyoLaZUKZJmVgcFvs33kxPNkBX8+kSbCDG77cjY1X2M5 +jTR/JFv0IwxAdGBaONyp4pB66qQU8skXKlrNmmc6VvP2Q8D0P6EcDJ3FfUumuTMa +tcWf72jimHKsu3XR6nfH3ghbpxxLD54MSv0vtF/5jJRon1PkASkbo+aAf3w28pKQ +TZnCeD4RcL1f3ijo2VlxMqAcdUOL/c5aRLuzz+iQobl68zsOn2YSg9kpfgmfoOmZ +Uk1XB6R4aJkh6FihZmd+QIrmjIPD3fZPxfyx2SfdAq2o5CURbNfq/enG9DyBfg78 +jgTv6ybISpOmrWjR9i6nAJAkAI5upBgIuKn2VntQKuHzrjNRDSQeMMV+rdgnx2Fz +nkcIjs30U+kz9uMAEQEAAbQoS2plbGwgQWhsc3RlZHQgPGtqZWxsYWhsc3RlZHRA +Z21haWwuY29tPokB1AQTAQoAPhYhBGy0RagWUEcUqkliV566FV/MEtLABQJfV5EF +AhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEJ66FV/MEtLAa4MM +ALqkWxHC+hXB2yxH/X32nOGdJTZqEsW+gAuOyJ26mOy29ZecaBf83eEBR6BYN22Z +OwLta5bhC75OJt3rxqZZRC1QcFLxDH5n8UkXInu5U7kZkPIyEW8rmtgK4Y3EEetF +AcxT75/OsYL1ssTd/CCbNCe2KLarIwu/mNRN42yZq8nqWN94sfRwCGRltwtEjPiW +OepIBjk4QNaFa2iACCWKyeDX3l6XdWUza7InYYZep+9759Vv3iHOlwOJRQdXE7Gp +RrftCxls/aR/M4pWMHa8Mbev12Gz1+emChCcpyU14ce04mDsefcRiaCPD8kH5LII +fH7YMqFd0KOZZDLZFQRQhLb5zCPlLwgjiDsS7XUhfCCA7HQhWVPV26afbllIB03f +d9m0WCbnrPsKP3LazDVhXLkYRrDNrEzKV8Oy2hKw+BlpmOhgtVIPrHCdYMt+4kzi +f16CFUiim2yTjqa8tDcsiIMPccaqRjjhQJ/KxmQSvMLmZOgkYNaOgO9FQ/pJsnMX +b7kBjQRfV5EFAQwAu2/c0DO1x5gwcXoAlXzx5ONIpSzqOtTHubMaUTV0R6B8yVGs +o2rL5tbTdr5ClIOwc2gvYz/mLsOyikb7fy+EBW7/CrtlPZTFrt5pA19it7I0MK7K +mMu6bDgK14E9LBfJIsNnDEvmPhdMloCMeIxcSldpVu/VG3CbWqVVrCy/PTI22FYx +lM+CIDOgQgG7NeIebvBKAeaWk1lGW0qf/i/mWMTuv+/37okUzjWBXboKhpJ0WzY4 +O2fxgTV1EwQ44jMDiKFbq+hUFRln+hdTCrez4F4xvly2AyNYLciiksCz0LqcMZ2o +x1MHm3P/lWJvPK7r1tQQI+THq/XbWcVRKJPCOiFcEUs1rHxsTprmHVOuAPhWP3kp ++ZhLIqdpvw2B//hiJmJgLIiXHkfRUwmHaIAZrmWTqEjhJc0cZP+F4+0UNabr7Lmd +pl7vBGh+TCwu9EN/SmCvRAc9JdlLOHwpaDxXrjUQ5S9PbwMiw00HwvDjqt7Wsvks +1XVAiiBTddhafZCJABEBAAGJAbwEGAEKACYWIQRstEWoFlBHFKpJYleeuhVfzBLS +wAUCX1eRBQIbDAUJA8JnAAAKCRCeuhVfzBLSwE7aDADlFFoqJFNqxF2jC+jHzTcS 
+vjpZVk9GTcyRqulVzpH18gLZnN+1abgVOGA0abfE9qV+mRnMmyfrhfB8kGc+VodS +ByRuAktW8n+AlgGN26hk4nEChcf09BHhRZkDbdSEhhZNeqYfTGZIivxx97KgzrC6 +9b9MrSMogzeOMbzLYojiJxsAhFvTgrPeJObRwf71dLFmBvjL7fheTVsaDq/v6EWz +unnNZPRGWwiYnIZkHN8+ZVbumlm2zHAk1EOaCbaVOok24CVzZaOJWhUsoWwdAMuy +hJB4iTy3NzhpgJaU8M6CwSDdZboXLqe4S2Ys74Y7Pf5kOhV/b9C+DD3D7kirwyWS +gsmjKHdTZbNx9NBsDoAIOQiCvg1VqwUBSeqBYPMJOKzvZGRN+CZnoiN+NDoAS1qI +zLEl8udwtXc30yzKbX5Izx3PqaHx7eWJeY8VuF+oynb/hQUdb9VMYFAfP3//Ow2A +8v/f6lrl1xTqdRtpn719bcIDXYCZNPEi6kHk0vU/sH4= +=nxmX +-----END PGP PUBLIC KEY BLOCK----- diff --git a/sources b/sources index 61fa73a..5770293 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ SHA512 (cairomm-1.16.0.tar.xz) = 51929620feeac45377da5d486ea7a091bbd10ad8376fb16525328947b9e6ee740cdc8e8bd190a247b457cc9fec685a829c81de29b26cabaf95383ef04cce80d3 -SHA512 (cairomm-1.16.0.tar.xz.sha1) = 3c33c3fde4857fc2977698e46997c33051814550607c9fb8e024a029ef7b5167d9a5991ef26f716c2df296e2648b1784614ee9ef198b71da4df6dcdefb20c605 SHA512 (cairomm-1.16.0.tar.xz.sha1.asc) = f26e421b393da03de6874af08dab34e89dda42ccf7a4de91609b78443918aa86968a1a8dd726caaedc0b06eb12433c49f271097fb8c9a0461a06c2db406fa585