Verify checksums and GPG signature of source tarball

2021-10-04 23:40:45 -04:00 · 2021-10-04 23:40:45 -04:00 · ce1bd2f711
commit ce1bd2f711
parent 1f52ea7361
3 changed files with 56 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -19,3 +19,5 @@
 /git-lfs-v2.12.1.tar.gz
 /git-lfs-v2.13.2.tar.gz
 /git-lfs-v2.13.3.tar.gz
+/sha256sums-2.13.3.asc
+/core-gpg-keys.tar.gz
--- a/git-lfs.spec
+++ b/git-lfs.spec
@ -20,7 +20,11 @@ Summary:        Git extension for versioning large files
 License:        MIT
 URL:            https://git-lfs.github.io/
 Source0:        https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-v%{version}.tar.gz
-Source1:        README.Fedora
+Source1:        https://github.com/git-lfs/git-lfs/releases/download/v%{version}/sha256sums.asc#/sha256sums-%{version}.asc
+Source2:        https://api.github.com/repos/git-lfs/git-lfs/tarball/core-gpg-keys#/core-gpg-keys.tar.gz
+Source3:        README.Fedora
+
+BuildRequires:  gnupg2

 BuildRequires:  golang(github.com/dpotapov/go-spnego)
 BuildRequires:  golang(github.com/git-lfs/gitobj/v2) >= 2
@ -63,8 +67,54 @@ storing the file contents on a remote server.


 %prep
+tar xf %{SOURCE2}
+keyring="$(ls git-lfs-git-lfs-*/keys.asc)"
+
+#
+# Replicate gpgverify, because it requires detached signatures.
+#
+
+fatal_error() {
+    message="$1"  # an error message
+    status=$2     # a number to use as the exit code
+    echo "gpgverify: $message" >&2
+    exit $status
+}
+
+check_status() {
+    action="$1"  # a string that describes the action that was attempted
+    status=$2    # the exit code of the command
+    if test $status -ne 0 ; then
+        fatal_error "$action failed." $status
+    fi
+}
+
+# Make a temporary working directory.
+workdir="$(mktemp --directory)"
+check_status 'Making a temporary directory' $?
+workring="${workdir}/keyring.gpg"
+
+# Decode any ASCII armor on the keyring. This is harmless if the keyring isn't
+# ASCII-armored.
+gpg2 --homedir="${workdir}" --yes --output="${workring}" --dearmor "${keyring}"
+check_status 'Decoding the keyring' $?
+
+# Verify the signature using the decoded keyring.
+gpgv2 --homedir="${workdir}" --keyring="${workring}" "%{SOURCE1}"
+check_status 'Signature verification' $?
+
+# Clean up. (This is not done in case of an error that may need inspection.)
+rm --recursive --force ${workdir}
+
+#
+# END gpgverify.
+#
+
+cd %{_sourcedir}
+sha256sum --check --ignore-missing %{SOURCE1}
+
 %goprep
-cp -p %SOURCE1 .
+cp -p %SOURCE3 .

 # Modify Makefile so that it expects binaries where we build them.
 sed -i -e 's!\.\./bin/!/%{gobuilddir}/bin/!g' t/Makefile
--- a/2
+++ b/2
@ -1 +1,3 @@
 SHA512 (git-lfs-v2.13.3.tar.gz) = 2c9e10e4f2fdb5d6bae8994db5879f50596109f3057e7369a9edca3c13c3f4d77e268e3903a0abca60cf8e342ff54bc4920c01a530f8eb400e3a0cc11a171f74
+SHA512 (sha256sums-2.13.3.asc) = 50a0c2e6e630276321662ffb8b18f04d55ace5ef3a1e00d5dcd7966b03b62eb4a286f2379fb639805be2b4273ab1939e51f789b007508f6e4701225b8b87fe16
+SHA512 (core-gpg-keys.tar.gz) = 59a4507f45a501e6b579ab70ebd650740b7e098b32e16a346d466c7e73da6ab721447fda44663725dd331fca3f53d2892a9421c8f85385a2bbfde18657f37d49