From e5bc5820e4c59c10f875b0089b44f8409b4c3037 Mon Sep 17 00:00:00 2001 From: Omair Majid Date: Tue, 12 Dec 2023 14:58:09 -0500 Subject: [PATCH] Enable gpg signature verification --- .gitignore | 1 + dotnet8.0.spec | 13 ++++++++++++- release-key-2023.asc | 29 +++++++++++++++++++++++++++++ sources | 1 + 4 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 release-key-2023.asc diff --git a/.gitignore b/.gitignore index dadb3bf..2ec23a9 100644 --- a/.gitignore +++ b/.gitignore @@ -31,3 +31,4 @@ /dotnet-prebuilts-8.0.100-rc.1.23410.12-s390x.tar.gz /dotnet-v8.0.0-rc.2.23479.6.tar.gz /dotnet-8.0.0.tar.gz +/dotnet-8.0.0.tar.gz.sig diff --git a/dotnet8.0.spec b/dotnet8.0.spec index 250191a..7f73eed 100644 --- a/dotnet8.0.spec +++ b/dotnet8.0.spec @@ -54,7 +54,7 @@ Name: dotnet%{dotnetver} Version: %{sdk_rpm_version} -Release: 1%{?dist} +Release: 2%{?dist} Summary: .NET Runtime and SDK License: 0BSD AND Apache-2.0 AND (Apache-2.0 WITH LLVM-exception) AND APSL-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSL-1.0 AND bzip2-1.0.6 AND CC0-1.0 AND CC-BY-3.0 AND CC-BY-4.0 AND CC-PDDC AND CNRI-Python AND EPL-1.0 AND GPL-2.0-only AND (GPL-2.0-only WITH GCC-exception-2.0) AND GPL-2.0-or-later AND GPL-3.0-only AND ICU AND ISC AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-Fedora-Public-Domain AND LicenseRef-ISO-8879 AND MIT AND MIT-Wu AND MS-PL AND MS-RL AND NCSA AND OFL-1.1 AND OpenSSL AND Unicode-DFS-2015 AND Unicode-DFS-2016 AND W3C-19980720 AND X11 AND Zlib 
@@ -74,6 +74,8 @@ Source2: dotnet-prebuilts-%{bootstrap_sdk_version}-ppc64le.tar.gz Source3: dotnet-prebuilts-%{bootstrap_sdk_version}-s390x.tar.gz %else Source0: https://github.com/dotnet/dotnet/archive/refs/tags/%{upstream_tag}.tar.gz#/dotnet-%{upstream_tag_without_v}.tar.gz +Source1: https://github.com/dotnet/dotnet/releases/download/%{upstream_tag}/dotnet-%{upstream_tag_without_v}.tar.gz.sig +Source2: https://dotnet.microsoft.com/download/dotnet/release-key-2023.asc %endif Source5: https://github.com/dotnet/dotnet/releases/download/%{upstream_tag}/release.json @@ -99,6 +101,7 @@ BuildRequires: dotnet-sdk-%{dotnetver}-source-built-artifacts BuildRequires: findutils BuildRequires: git BuildRequires: glibc-langpack-en +BuildRequires: gnupg2 BuildRequires: hostname BuildRequires: krb5-devel BuildRequires: libicu-devel @@ -355,6 +358,11 @@ These are not meant for general use. %prep +%if %{without bootstrap} +# check gpg signatures only for non-bootstrap builds; bootstrap "sources" are hand-crafted +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' +%endif + release_json_tag=$(grep tag %{SOURCE5} | cut -d: -f2 | sed -E 's/[," ]*//g') if [[ ${release_json_tag} != %{upstream_tag} ]]; then echo "error: tag in release.json doesn't match tag in spec file" @@ -647,6 +655,9 @@ export COMPlus_LTTng=0 %changelog +* Tue Dec 12 2023 Omair Majid - 8.0.100-2 +- Enable gpg signature verification + * Sat Dec 09 2023 Omair Majid - 8.0.100-1 - Update to .NET SDK 8.0.100 and Runtime 8.0.0 diff --git a/release-key-2023.asc b/release-key-2023.asc new file mode 100644 index 0000000..96844b6 --- /dev/null +++ b/release-key-2023.asc 
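Review bot: The new `Source2:` line for `release-key-2023.asc` carries no record of how the committed key was authenticated, yet that file is the only trust anchor for the `%{gpgverify}` call added in `%prep`. Both the `.sig` and the key are fetched over HTTPS from upstream-controlled hosts, so the check is only as strong as the one-time validation of the key that was committed. I would put a comment above the line, for example `# Key fingerprint: <FINGERPRINT>, confirmed against <INDEPENDENT SOURCE> on <DATE>`, so that a later key rotation is reviewed against a recorded value. Separately, `Source1`/`Source2` reuse numbers from the bootstrap branch, where `Source2` is the ppc64le prebuilts tarball; distinct numbers for the signature and keyring would keep `%{SOURCE2}` unambiguous if the conditionals are ever rearranged.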
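Review bot: The comment on the `%if %{without bootstrap}` guard in `%prep` says why the signature check is skipped, but not what authenticates the inputs of a bootstrap build instead. Presumably that is only the SHA512 entries in the lookaside `sources` file, and it is worth saying so, e.g. `# bootstrap tarballs have no upstream signature; their integrity rests on the hashes in 'sources'` (confirm before committing the wording). `%{SOURCE5}` (release.json) is also outside the signature's coverage and is parsed by the tag check right after, so that comparison is a consistency check and not an authenticity check. A one-line comment there would stop readers from over-trusting it. `%prep` continues beyond this hunk.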
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: BSN Pgp v1.1.0.0
+
+mQINBGUKsUYBEADVCJm4EhXALr1ld42kWeh/vM0XMZ2orNT6NRLDRYjpE4mm4UqA
+vpjfGCwt5fLcrT4yZng8ABkB3QwTsZzmxesAMD5AZR/gdU1G96DuDGsjp6zJvTuX
+zvz3PXUYfcl9n5X32acA6N9J5Xfp10xqX3oitUODBdYy/vKW/v/y87ZxgaR6a3wp
+pPJBJIVKwFJx13v4BHRsGp1fepliQcXPvmNKFNI20le5+FbLq6C9hY5wcwGHGfQr
+EokH79GsmqgSImqxDOIh06J5VfWA+JwV+3vf95pD8IUrRfGQ+GK7b1/bySxtM5Qa
+b/IDgvl/Qq3AzEpGarMBaqGbqMz1C7jd8Y6nyKMP/V+OCjbEdYNM8GRz6kBP3Un+
+Frat5Lc2o4DF+zB3PKIJS3hku5gwlJu6IU1F23vmYFtjUcpRGmyQZDoWyBbOWlB5
+4SXqVu16amUsRFYmOK8BJMjdotcVbriVIv6WRmugfhIMoRJzVGxYkdbuiuMAX69V
+xDoGpxX5A8S5A79y0USUVtadQfFavMTyb/gUuUe8oDsqK9gdI3ETxLYG4gYwauVX
+fCGfoLOKsq5dPzEuEA7GCRrMau+rHKFaM7BigSdnHFW7xNZ4v0YnXAagoqM2G5o5
+9sak0l57vxxTVk2V3iZzkoU2J2Zlyxyh72n5vjRmb7aNwmQh4Eav6a8ssQARAQAB
+tBlvbm54Y29yZWRldkBtaWNyb3NvZnQuY29tiQI4BBMBCAAiBQJlCrFGAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRD9v1PCTbSHLtfzEADIKq15XDeQxLSo
+BG1aFa9n82K1YADVcu1LeddfhDmQWLnZNgyHtQlKN2n59282CXtgymzae3uc05s2
+feIJaqF4M4NnCX8Ct3K7Hq1jI7ZktlquPCCy9XHq9aQY8XTxmdtRevtclKgYTwDh
+w+D/KbE8vTZ6o7JoubA3MKf4k3S8qL/0rIyaC6h0EpiWoMy1TdNMMK7BT4kl6Vz4
+W6KmNgOux1Pzku5ULM4WuOzmwW+NAzpOLJowfDs1ZC2RM3+g9i1/DmwWtCHngvGD
++clA0I0agXxo05toOBTfwxd2gWYczuo/Ole16fYTzqT6n0DHqOjjcc9A7EmC72fQ
+J+hHAqM+4+CbEGuMpNnTMpCZs98bcK3Rqx/bDJYtbclZzm5O/V4nVbDrJZKzpgA1
+KuzNMLkr62P6/t15UsStgmrlTILmE5NG0CR1mj/46+mNbsMZCel3dcvnT1Zf4rTq
+QxMC7Dd/DECKQVC339G/BRfNyhOk2S1mZR/g1uS4bznL+tiwudDh/TAi5C3ZBDMh
+0muwD9caXS/QFIBWtb2ai3IcpU357R/ERPKLcWYtoYJ80RuKi6XYr1WxSPBmd5Qm
+wuncye+wR2dveo2jnIXZGUSgz50ZNgBxs/cYWAQ8J6KMgIBa+JY2qalzvIGbrC5x
+Sr+CkhS8vrktfnRgc8yBssJnvNfqXA==
+=pKgS
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/sources b/sources
index c0be6ee..83a94e6 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
 SHA512 (dotnet-8.0.0.tar.gz) = 094265462d66d97b51ebfbe5fb06d4a679b97881f1f5a07a87a282a96eeaabfe97ca42061d59aac71dd8861c07f07dda16a72e29ae03167407e51d3fd2767562
+SHA512 (dotnet-8.0.0.tar.gz.sig) = 22f6f84cc42fa97aa7caaf9f14976a29764ec10bc2dadba3bce909cc408610697bdf1fe0d659db9f61c56260142037829a720e9cf0f66cd2af4a7b75c35b6d7e