From a67fc62cde3c572910d19e88492c29054e11c1bf Mon Sep 17 00:00:00 2001
From: Peter Lemenkov <lemenkov@gmail.com>
Date: Sat, 21 Oct 2023 01:32:27 +0200
Subject: [PATCH] Check GPG signature

Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
---
 ED31791B2C5C1613AF388B8AD113FCAC3C4E599F.gpg | Bin 0 -> 2291 bytes
 fuse-sshfs.spec                              |  20 ++++++++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 ED31791B2C5C1613AF388B8AD113FCAC3C4E599F.gpg

diff --git a/ED31791B2C5C1613AF388B8AD113FCAC3C4E599F.gpg b/ED31791B2C5C1613AF388B8AD113FCAC3C4E599F.gpg
new file mode 100644
index 0000000000000000000000000000000000000000..eeac4bf836b4567e5b2319dc3107f3cb11ea7ce4
GIT binary patch
literal 2291
zcmb8vcRUmh1IO_jI3uHTNJq{}Bsw$a>~(VHh0Zv8T*%p_WL&b#j57<7QT9j=&I*wg
zUCE9sxs0xiB+u`8p4ad7JpVp_eqOKdpWoM;0^(-DN!<Je<O96-v%69yw&#k<kM?4F
zvgoP$J;o!HYQn$;sR3m@SEaD+K~V)k{dYC~^hZ0Xbk;qL5dm9qcttb9XY?!_LO$29
z{gy8bCJ&m=Ntxr1@v}edRn`>?A))a})D1WsQ$Jykm6ci@q@gL1$|tUN;1jZwO$3ub
zv;I*<yVdz2XNC7uAO7g}={*G5W?<X%+B$|G_dajf&gF0((IBDuNdgDz@4Sp$x8gLU
zUe&DH<A|W}FN=N8(Fj55mYKvktw0M|(+JFk_qudcxx||tQw1wrXnV2rEN!$)(1Eda
zHoe8I(lftIt_UwnLOTv}!_PM~N0qLSS<4$wA&9b!se^T13l9TH4(kLns+d<oO*3SI
zmn83vZg&+?cMZ3@Go3LSwyP3Dh9bbbV}=SVXS2GqH$xsa&(HKTuHWk^iCIfIU-|=7
zIv?-xJOXTXF^}ss*9GeP&jJErOO%Whcd;MqB%K3aET#oR<SBMTy23x8lasG(pfxJ}
zX1g86I^@3RwY3HQH1`%p6@Df3fz}Um)!gxA8%Rhb&}#P~J=;1ulfJqKd~UX&3b$O5
z|6MZwX*{0iG4g@g;ftq^bg%2xk3NLW{!|3bHeKYaUx<5H?^>8DG5?~U?P%#_YKG<1
zz;KAqv+`!*saozcnc}OET4vkG<1-E90XKypz)2tg*eq^A^b7QN3kyNmxP|&6(0`|H
z@L#DA80@2+1af2H2XX?;SV8}Kj^t_I&`=UeQ86MSLgDX`q7TW36zEU%xT)Y98sHCt
zgIPJCqhJ6l7Y928%qqai!Oq1h2m%8Epff;_Pz->RgKv`mcP-iiU$TCK5Ae3DXPUKC
z&O)tR!dPkhsG<uL?OsVv@tz9{!iGATXTnw#ccr1^GdWNA9@(CID^a=LB<`l^&k-s9
zv=mN<SJ41{Y5O(_A`c7Z#swR7wl_Q4WPG6P8<Tf5@Ls46e7O5s6R}yJe3WJ+?-LNW
zlq35EkX~{Bjk|5<K_SC~2H(@oVAMVBw>()cU(L1rRXRA&y3R0|H2X6)dvD;Dt31E&
zjUCw@MQf2rH&HdF3rtMko&8Ll4lEUl5k$OEUNLe!NssK+7Fr(LH<l15Y0HwMUauk#
z)^;Jyy5Dzr3p{U*ginkP5!kMOpAWN!8bYshw45q0qV;i!(YHT9uvJJhAx4!RRGwXW
zh{VYcdsJC(fQ`3%Y_x4f6G`1)v{i&8+4n?l?AN5_m0MIpKCTHs5|!6FJ;~L{eYNbf
z4#`TjOE4+Gw4o4WR+oP+O4(PBa87rNhp%v1Kv_-CU;s%$e0M#DfnaYVA~Jqbl&VMd
zF#D!&YwnuJ$FJ=L$4jPE9A0n5RJyT#s=v!bJkv_iz-_P)fdu;J?$@H8+dY0`!rCkv
z#o2TUn|uObFlnsz=9Br%<UWn+rq;;&4%i*dKaMO9E_z8Sh#DQX2$NyUxIJE#1fwik
z&olmOf~Fq%=W~8Hmdf4!lpMM9zMqZR){qse-!)-;@wE7h|FT5wehS1I6RFw3Gsv_l
znVRL-$CIb*ZOAAtn0=|$?Vj63O6E?+2qs*DA@HhM=!aCN%rZKs$U4@{Z`LH@(ji}+
zIofdOGonVCAXj9P@QkE)?{iMOu3GbMXz2y`9w|0s=7##aX%@dYs*zCR5o06a`IoBm
z!$(O?8|^>Zn~<rsunxh!fSD%R#}e?&ef;~^TlyF(%Bd1jz0^-_VG}pEx>Me|E|m8a
zULpBvr+~s{*)jPoG4p2+o%3c`U!V-enI=%x-b=6$5ba};19xAJZk%c*22|Uv-}V0p
z=vQJW>7C6OEhsjjUXQV&Zt{qk%=9vt^A4X+Jc#ihgbibH7nY@ZbuMJJEB-<n%NPZn
z9<RTbd-a&7ZOo@EIz4Wc+xUE%ipq%hG1orUoCUdP+pZNmOR2+%c>#NLW7WO|Eu!``
z$D2kYTm$Mobkd(jSYH&r!%n%(W}}hL!+N@4eX_L()sV7*Q#W<HJT3hbWxn|K8nVt@
zYM=Q=KrOTlXJmV9HXVMKH3h!F(8B5&$@Kc`61<0g8-SKGFDq55<t|P#Yi?{8(8{ei
zOsO;5Ll`dJl~(Q%+z_Ghrpcz9>ex#<i1}ENz?{q9{6oZzgx=Z{bjmNQI2@?P59X>&
zJ8({RJm3p%2PL}<7fTt)>g0-~0$)0d*ym+M{hOsEkSWWlzsynof6O`YA9McK7B(91
zarhKLb1C)e@8Cj_Nz%0iHN-#y0)(P1)hK#jR&RPvi;NBJ$A-*JyVvhSWoVIi>`JGX
zsQSry65v9KLVFl7(d`^*jpk?{XpQ6me`}ByT7_~Q-S2BPpnbELXu)Wq|A>A|<Z%#k
zR`)iR@tTMW)Or`p+B{QM`_5%(z|q-qoDw&6#WIa~DJP9yoV1OR2^^vFj!mOK%oHFN
zp9DM;zT_g&R)zn#FeMV^Xzgc1&9N+DyeJq@O6Mcq;qNYjW<@_b?)um()UDx;ABw})
zlhSf}?GC`|b%ENHKBqO`+;^Q>;YbS0{F1{_o1KpMJ=n{>#2Nh7VY%4WMq@Z7U)gpI
z5#<^AC4!bG)#Zq*LFm68&M;6r5mYo1)qSR$D*n~Q(7I}Rfnh_MbdUdss(AYoO~`hR
zY2-PfXi|*GtwiksTTTDwUrcvew{6phamsg5P9nw@;#e^t6~G-{?b6BR|Bdg<)k5ep
z|5s<jRraz>ebwvd*VjIhb^L&&f$8Q^)L_p-2x`>r#jli4F#l%?#5Kr*O&j;6dr&^Y
z!HI?-BPPV^c!iY9(bT(%1!7zBQ#Os?m0E0v37*v)E*{?rR8_Gl8^h&bC+F-h4N&G;
vipF=hS39p=);i3sK)7(O9bxUDc1b?P&V{9fAV0+t#*vU+p;`J?3D-XX8z(+j

literal 0
HcmV?d00001

diff --git a/fuse-sshfs.spec b/fuse-sshfs.spec
index f4b3c5c..d520810 100644
--- a/fuse-sshfs.spec
+++ b/fuse-sshfs.spec
@@ -1,11 +1,24 @@
 Name:           fuse-sshfs
 Version:        3.7.3
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        FUSE-Filesystem to access remote filesystems via SSH
 License:        GPLv2
 URL:            https://github.com/libfuse/sshfs
 Source0:        https://github.com/libfuse/sshfs/releases/download/sshfs-%{version}/sshfs-%{version}.tar.xz
 Source1:        https://github.com/libfuse/sshfs/releases/download/sshfs-%{version}/sshfs-%{version}.tar.xz.asc
+# Find which key was used for signing the release:
+#
+# $ LANG=C gpg --verify sshfs-3.7.3.tar.xz.asc sshfs-3.7.3.tar.xz
+# gpg: Signature made Thu May 26 15:23:53 2022 CEST
+# gpg:                using RSA key ED31791B2C5C1613AF388B8AD113FCAC3C4E599F
+# gpg: Can't check signature: No public key
+#
+# Now export the key required as follows:
+#
+# gpg --no-default-keyring --keyring ./keyring.gpg --keyserver keyserver.ubuntu.com --recv-key ED31791B2C5C1613AF388B8AD113FCAC3C4E599F
+# gpg --no-default-keyring --keyring ./keyring.gpg  --output ED31791B2C5C1613AF388B8AD113FCAC3C4E599F.gpg --export
+Source2:	ED31791B2C5C1613AF388B8AD113FCAC3C4E599F.gpg
+
 Patch1:         sshfs-0001-Refer-to-mount.fuse3-instead-of-mount.fuse.patch
 
 Provides:       sshfs = %{version}-%{release}
@@ -13,6 +26,7 @@ Requires:       fuse3 >= 3.1.0
 Requires:       openssh-clients
 
 BuildRequires:  gcc
+BuildRequires:  gnupg2
 BuildRequires:  meson
 BuildRequires:  fuse3-devel >= 3.1.0
 BuildRequires:  glib2-devel >= 2.0
@@ -32,6 +46,7 @@ mounting the filesystem is as easy as logging into the server with ssh.
 
 
 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1 -n sshfs-%{version}
 # fix tests
 sed -i "s/'fusermount'/'fusermount3'/g" test/util.py
@@ -61,6 +76,9 @@ python3 -m pytest test/
 
 
 %changelog
+* Sat Oct 21 2023 Peter Lemenkov <lemenkov@gmail.com> - 3.7.3-5
+- Check GPG signature
+
 * Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.3-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild