rpms/git-lfs
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Verify checksums and GPG signature of source tarball

Browse Source
This commit is contained in:
Elliott Sales de Andrade 2021-10-04 23:40:45 -04:00
parent 1f52ea7361
commit ce1bd2f711
3 changed files with 56 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -19,3 +19,5 @@
/git-lfs-v2.12.1.tar.gz /git-lfs-v2.12.1.tar.gz
/git-lfs-v2.13.2.tar.gz /git-lfs-v2.13.2.tar.gz
/git-lfs-v2.13.3.tar.gz /git-lfs-v2.13.3.tar.gz
/sha256sums-2.13.3.asc
/core-gpg-keys.tar.gz

54
git-lfs.spec
View File

@ -20,7 +20,11 @@ Summary: Git extension for versioning large files
License: MIT License: MIT
URL: https://git-lfs.github.io/ URL: https://git-lfs.github.io/
Source0: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-v%{version}.tar.gz Source0: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-v%{version}.tar.gz
Source1: README.Fedora Source1: https://github.com/git-lfs/git-lfs/releases/download/v%{version}/sha256sums.asc#/sha256sums-%{version}.asc
Source2: https://api.github.com/repos/git-lfs/git-lfs/tarball/core-gpg-keys#/core-gpg-keys.tar.gz
Source3: README.Fedora
BuildRequires: gnupg2
BuildRequires: golang(github.com/dpotapov/go-spnego) BuildRequires: golang(github.com/dpotapov/go-spnego)
BuildRequires: golang(github.com/git-lfs/gitobj/v2) >= 2 BuildRequires: golang(github.com/git-lfs/gitobj/v2) >= 2
@ -63,8 +67,54 @@ storing the file contents on a remote server.
%prep %prep
tar xf %{SOURCE2}
keyring="$(ls git-lfs-git-lfs-*/keys.asc)"
#
# Replicate gpgverify, because it requires detached signatures.
#
fatal_error() {
message="$1" # an error message
status=$2 # a number to use as the exit code
echo "gpgverify: $message" >&2
exit $status
}
check_status() {
action="$1" # a string that describes the action that was attempted
status=$2 # the exit code of the command
if test $status -ne 0 ; then
fatal_error "$action failed." $status
fi
}
# Make a temporary working directory.
workdir="$(mktemp --directory)"
check_status 'Making a temporary directory' $?
workring="${workdir}/keyring.gpg"
# Decode any ASCII armor on the keyring. This is harmless if the keyring isn't
# ASCII-armored.
gpg2 --homedir="${workdir}" --yes --output="${workring}" --dearmor "${keyring}"
check_status 'Decoding the keyring' $?
# Verify the signature using the decoded keyring.
gpgv2 --homedir="${workdir}" --keyring="${workring}" "%{SOURCE1}"
check_status 'Signature verification' $?
# Clean up. (This is not done in case of an error that may need inspection.)
rm --recursive --force ${workdir}
#
# END gpgverify.
#
cd %{_sourcedir}
sha256sum --check --ignore-missing %{SOURCE1}
%goprep %goprep
cp -p %SOURCE1 . cp -p %SOURCE3 .
# Modify Makefile so that it expects binaries where we build them. # Modify Makefile so that it expects binaries where we build them.
sed -i -e 's!\.\./bin/!/%{gobuilddir}/bin/!g' t/Makefile sed -i -e 's!\.\./bin/!/%{gobuilddir}/bin/!g' t/Makefile

2
sources
View File

@ -1 +1,3 @@
SHA512 (git-lfs-v2.13.3.tar.gz) = 2c9e10e4f2fdb5d6bae8994db5879f50596109f3057e7369a9edca3c13c3f4d77e268e3903a0abca60cf8e342ff54bc4920c01a530f8eb400e3a0cc11a171f74 SHA512 (git-lfs-v2.13.3.tar.gz) = 2c9e10e4f2fdb5d6bae8994db5879f50596109f3057e7369a9edca3c13c3f4d77e268e3903a0abca60cf8e342ff54bc4920c01a530f8eb400e3a0cc11a171f74
SHA512 (sha256sums-2.13.3.asc) = 50a0c2e6e630276321662ffb8b18f04d55ace5ef3a1e00d5dcd7966b03b62eb4a286f2379fb639805be2b4273ab1939e51f789b007508f6e4701225b8b87fe16
SHA512 (core-gpg-keys.tar.gz) = 59a4507f45a501e6b579ab70ebd650740b7e098b32e16a346d466c7e73da6ab721447fda44663725dd331fca3f53d2892a9421c8f85385a2bbfde18657f37d49