From e34350e16edfddb6571c632ce1a74b40ed0cfcb6 Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Tue, 2 Mar 2021 13:17:44 -0500 Subject: [PATCH] improve gpg verification of upstream source Use %{gpgverify} macro to verify tarball signature. The macro is now available for all supported Fedora and EPEL releases. (It is presumed that EL-9 will include %{gpgverify} as it will be branched from F-34. If that turns out to be false, we will adjust later.) The Packaging Guidelines require the use of the %{gpgverify} macro: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures Add a BuildRequires for xz as well, since we use it explicitly in %prep. Renumber Junio's GPG key from Source9 to Source2 so the %{gpgverify} calls follow the typical pattern. It (mildly) lessens cognitive load for anyone reviewing the spec file. While here, remove a stale comment about leaving a blank line after %autosetup to work around a bug on EL6. --- git.spec | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/git.spec b/git.spec index 7b2ece5..6fa4261 100644 --- a/git.spec +++ b/git.spec @@ -97,7 +97,7 @@ Name: git Version: 2.30.1 -Release: 2%{?rcrev}%{?dist}.1 +Release: 3%{?rcrev}%{?dist} Summary: Fast Version Control System License: GPLv2 URL: https://git-scm.com/ @@ -113,7 +113,7 @@ Source1: https://www.kernel.org/pub/software/scm/git/%{?rcrev:testing/}%{ # # https://git.kernel.org/cgit/git/git.git/tag/?h=junio-gpg-pub # https://git.kernel.org/cgit/git/git.git/blob/?h=junio-gpg-pub&id=7214aea37915ee2c4f6369eb9dea520aec7d855b -Source9: gpgkey-junio.asc +Source2: gpgkey-junio.asc # Local sources begin at 10 to allow for additional future upstream sources Source11: git.xinetd.in 
@@ -152,11 +152,12 @@ BuildRequires: diffutils BuildRequires: emacs-common %endif # endif emacs-common -%if 0%{?rhel} == 7 -# Require epel-rpm-macros for the %%build_cflags and %%build_ldflags macros +%if 0%{?rhel} && 0%{?rhel} < 9 +# Require epel-rpm-macros for the %%gpgverify macro on EL-7/EL-8, and +# %%build_cflags & %%build_ldflags on EL-7. BuildRequires: epel-rpm-macros %endif -# endif rhel == 7 +# endif rhel < 9 BuildRequires: expat-devel BuildRequires: findutils BuildRequires: gawk @@ -192,6 +193,7 @@ BuildRequires: systemd # endif use_systemd BuildRequires: tcl BuildRequires: tk +BuildRequires: xz BuildRequires: zlib-devel >= 1.2 %if %{with tests} @@ -521,16 +523,8 @@ Requires: subversion %prep # Verify GPG signatures -gpghome="$(mktemp -qd)" # Ensure we don't use any existing gpg keyrings -# Convert the ascii-armored key to binary -# (use --yes to ensure an existing dearmored key is overwritten) -gpg2 --homedir "$gpghome" --dearmor --quiet --yes %{SOURCE9} -xz -dc %{SOURCE0} | # Upstream signs the uncompressed tarballs - gpgv2 --homedir "$gpghome" --quiet --keyring %{SOURCE9}.gpg %{SOURCE1} - -rm -rf "$gpghome" # Cleanup tmp gpg home dir +xz -dc '%{SOURCE0}' | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data=- -# Ensure a blank line follows autosetup, el6 chokes otherwise -# https://bugzilla.redhat.com/1310704 %autosetup -p1 -n %{name}-%{version}%{?rcrev} # Install print-failed-test-output script @@ -1076,6 +1070,9 @@ rmdir --ignore-fail-on-non-empty "$testdir" %{?with_docs:%{_pkgdocdir}/git-svn.html} %changelog +* Tue Mar 02 2021 Todd Zullinger - 2.30.1-3 +- use %%{gpgverify} macro to verify tarball signature + * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 2.30.1-2.1 - Rebuilt for updated systemd-rpm-macros See https://pagure.io/fesco/issue/2583.
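Review bot: in the epel-rpm-macros hunk, the closing comment `# endif rhel < 9` no longer matches the condition it closes, which is `%if 0%{?rhel} && 0%{?rhel} < 9`. On Fedora `0%{?rhel}` expands to `0`, so the leading `0%{?rhel} &&` guard is what keeps `0 < 9` from pulling epel-rpm-macros into Fedora builds; suggest `# endif rhel && rhel < 9` so the closing comment documents that. The condition itself and the updated comment explaining why epel-rpm-macros is needed for %%gpgverify on EL-7/EL-8 and for %%build_cflags/%%build_ldflags on EL-7 look right.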
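Review bot: `BuildRequires: xz` is the right addition, since `xz -dc` is invoked directly in %prep and was an undeclared build dependency before this change. The %{gpgverify} macro in turn runs gpgv2, so the spec also needs `BuildRequires: gnupg2`; that line is outside this hunk's context, and the old %prep already called gpg2/gpgv2 so it is presumably declared elsewhere, but please confirm it is present rather than relying on it being pulled in transitively.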
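Review bot: in the %prep hunk, the removed lines carried the only explanation of why the tarball is decompressed before verification (`# Upstream signs the uncompressed tarballs`); without it a reader may wonder why `%{SOURCE0}` is piped through `xz -dc` and handed to `--data=-` instead of being passed as `--data='%{SOURCE0}'`. Suggest keeping a comment line above the new command, e.g. `# Upstream signs the uncompressed tarball, so decompress before verifying`. Otherwise the replacement is a clear improvement: the macro owns the temporary GPG home, the dearmoring of the key and the cleanup, so the hand-rolled mktemp/`gpg2 --dearmor`/`rm -rf` sequence goes away, and a non-zero exit from %{gpgverify} still aborts %prep when the signature does not verify.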
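Review bot: the new %changelog entry records only the switch to %%{gpgverify}, while the same commit also adds `BuildRequires: xz`, widens the epel-rpm-macros condition from `rhel == 7` to `rhel && rhel < 9`, and drops the EL6 %autosetup workaround comment; a line for each would keep the spec's history in step with the commit message.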