improve gpg verification of upstream source
Use %{gpgverify} macro to verify tarball signature. The macro is now available for all supported Fedora and EPEL releases. (It is presumed that EL-9 will include %{gpgverify} as it will be branched from F-34. If that turns out to be false, we will adjust later.)

The Packaging Guidelines require the use of the %{gpgverify} macro:

https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures

Add a BuildRequires for xz as well, since we use it explicitly in %prep.

Renumber Junio's GPG key from Source9 to Source2 so the %{gpgverify} calls follow the typical pattern. It (mildly) lessens cognitive load for anyone reviewing the spec file.

While here, remove a stale comment about leaving a blank line after %autosetup to work around a bug on EL6.
parent 5662337240
commit e34350e16e
25 git.spec
@ -97,7 +97,7 @@
|
||||
|
||||
Name: git
|
||||
Version: 2.30.1
|
||||
Release: 2%{?rcrev}%{?dist}.1
|
||||
Release: 3%{?rcrev}%{?dist}
|
||||
Summary: Fast Version Control System
|
||||
License: GPLv2
|
||||
URL: https://git-scm.com/
|
||||
@ -113,7 +113,7 @@ Source1: https://www.kernel.org/pub/software/scm/git/%{?rcrev:testing/}%{
|
||||
#
|
||||
# https://git.kernel.org/cgit/git/git.git/tag/?h=junio-gpg-pub
|
||||
# https://git.kernel.org/cgit/git/git.git/blob/?h=junio-gpg-pub&id=7214aea37915ee2c4f6369eb9dea520aec7d855b
|
||||
Source9: gpgkey-junio.asc
|
||||
Source2: gpgkey-junio.asc
|
||||
|
||||
# Local sources begin at 10 to allow for additional future upstream sources
|
||||
Source11: git.xinetd.in
|
||||
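Review bot: Renumbering the key from Source9 to Source2 leaves any remaining %{SOURCE9} reference pointing at an undefined source. The %prep hunk replaces the two uses visible in this patch, so grep the rest of git.spec for SOURCE9 before merging. It would also help to record the key's fingerprint in the comment block above Source2, next to the junio-gpg-pub URLs, so a reviewer can check gpgkey-junio.asc without fetching the blob.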
@ -152,11 +152,12 @@ BuildRequires: diffutils
|
||||
BuildRequires: emacs-common
|
||||
%endif
|
||||
# endif emacs-common
|
||||
%if 0%{?rhel} == 7
|
||||
# Require epel-rpm-macros for the %%build_cflags and %%build_ldflags macros
|
||||
%if 0%{?rhel} && 0%{?rhel} < 9
|
||||
# Require epel-rpm-macros for the %%gpgverify macro on EL-7/EL-8, and
|
||||
# %%build_cflags & %%build_ldflags on EL-7.
|
||||
BuildRequires: epel-rpm-macros
|
||||
%endif
|
||||
# endif rhel == 7
|
||||
# endif rhel < 9
|
||||
BuildRequires: expat-devel
|
||||
BuildRequires: findutils
|
||||
BuildRequires: gawk
|
||||
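Review bot: The `< 9` upper bound in `%if 0%{?rhel} && 0%{?rhel} < 9` rests on an assumption that is stated only in the commit message, namely that EL-9 will provide %{gpgverify} without epel-rpm-macros. Say so in the comment above `BuildRequires: epel-rpm-macros` so the condition gets revisited if that turns out to be false. The closing comment `# endif rhel < 9` could also mirror the full condition.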
@ -192,6 +193,7 @@ BuildRequires: systemd
|
||||
# endif use_systemd
|
||||
BuildRequires: tcl
|
||||
BuildRequires: tk
|
||||
BuildRequires: xz
|
||||
BuildRequires: zlib-devel >= 1.2
|
||||
|
||||
%if %{with tests}
|
||||
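Review bot: `BuildRequires: xz` covers the first half of the `xz -dc ... | %{gpgverify}` pipeline in %prep, but no BuildRequires for gnupg2 is visible in these hunks. The code being removed called gpg2 and gpgv2 directly, so confirm that dependency is declared elsewhere in the spec rather than pulled in indirectly. A short comment that xz is needed for signature verification in %prep would also explain why it is listed.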
@ -521,16 +523,8 @@ Requires: subversion
|
||||
|
||||
%prep
|
||||
# Verify GPG signatures
|
||||
gpghome="$(mktemp -qd)" # Ensure we don't use any existing gpg keyrings
|
||||
# Convert the ascii-armored key to binary
|
||||
# (use --yes to ensure an existing dearmored key is overwritten)
|
||||
gpg2 --homedir "$gpghome" --dearmor --quiet --yes %{SOURCE9}
|
||||
xz -dc %{SOURCE0} | # Upstream signs the uncompressed tarballs
|
||||
gpgv2 --homedir "$gpghome" --quiet --keyring %{SOURCE9}.gpg %{SOURCE1} -
|
||||
rm -rf "$gpghome" # Cleanup tmp gpg home dir
|
||||
xz -dc '%{SOURCE0}' | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data=-
|
||||
|
||||
# Ensure a blank line follows autosetup, el6 chokes otherwise
|
||||
# https://bugzilla.redhat.com/1310704
|
||||
%autosetup -p1 -n %{name}-%{version}%{?rcrev}
|
||||
|
||||
# Install print-failed-test-output script
|
||||
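Review bot: The new verification line drops the inline comment "Upstream signs the uncompressed tarballs" that explained why the tarball is piped through `xz -dc`, so the `--data=-` form now reads as an unexplained departure from calling %{gpgverify} on a file. Keep a one-line comment above the pipeline, for example "# Upstream signs the uncompressed tarball, so verify the output of xz -dc". It is also worth noting there that the step's exit status is that of %{gpgverify}, the last command in the pipeline, which is what gates %autosetup.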
@ -1076,6 +1070,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
|
||||
%{?with_docs:%{_pkgdocdir}/git-svn.html}
|
||||
|
||||
%changelog
|
||||
* Tue Mar 02 2021 Todd Zullinger <tmz@pobox.com> - 2.30.1-3
|
||||
- use %%{gpgverify} macro to verify tarball signature
|
||||
|
||||
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.30.1-2.1
|
||||
- Rebuilt for updated systemd-rpm-macros
|
||||
See https://pagure.io/fesco/issue/2583.
|
||||
|