gpgverify source tarball

.gitignore

@@ -1 +1,3 @@
 /file-5.*.tar.gz
+/christoskey.asc
+/file-5.41.tar.gz.asc

file.spec

@@ -15,9 +15,12 @@
 Summary: Utility for determining file types
 Name: file
 Version: 5.41
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: BSD
 Source0: http://ftp.astron.com/pub/file/file-%{version}.tar.gz
+Source1: http://ftp.astron.com/pub/file/file-%{version}.tar.gz.asc
+# Key is from: https://github.com/file/file/commit/4cf8a0864a7fa654ee53ebc042e9a4ee8ccacd22
+Source2: christoskey.asc
 
 # Upstream says it's up to distributions to add a way to support local-magic.
 Patch0: file-localmagic.patch
@@ -42,6 +45,7 @@ BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
 BuildRequires: make
+BuildRequires: gnupg2
 
 %description
 The file command is used to identify a particular file according to the
@@ -105,6 +109,7 @@ file(1) command.
 %endif
 
 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1
 
 iconv -f iso-8859-1 -t utf-8 < doc/libmagic.man > doc/libmagic.man_
@@ -217,6 +222,9 @@ make -C tests check
 %endif
 
 %changelog
+* Wed Mar 02 2022 Vincent Mihalkovic <vmihalko@redhat.com> - 5.41-5
+- gpgverify source tarball
+
 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.41-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 

sources

@@ -1 +1,3 @@
+SHA512 (christoskey.asc) = 952323eb3c0cd3ae1b6c059e301b176fd60b61c76789b96c800a995253bd8dd88182617a2358fbe09b9571cd642fd4098dd0d91152a6347669324d79b12f94ee
+SHA512 (file-5.41.tar.gz.asc) = fc342ed92efde3f0400f61acd35d8f2d793788f3a2b8a53fbe9255dc04a036fa16b33294c184630b62471d825d5304a5c6580fcde654eea01b02e57dfbd50632
 SHA512 (file-5.41.tar.gz) = bbf2d8e39450b31d0ba8d76d202790fea953775657f942f06e6dc9091798d4a395f7205e542388e4a25b6a4506d07f36c5c4da37cfce0734133e9203a3b00654