improve gpg verification of upstream source

Use %{gpgverify} macro to verify tarball signature. The macro is now available for all supported Fedora and EPEL releases. (It is presumed that EL-9 will include %{gpgverify} as it will be branched from F-34. If that turns out to be false, we will adjust later.) The Packaging Guidelines require the use of the %{gpgverify} macro: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures Add a BuildRequires for xz as well, since we use it explicitly in %prep. Renumber Junio's GPG key from Source9 to Source2 so the %{gpgverify} calls follow the typical pattern. It (mildly) lessens cognitive load for anyone reviewing the spec file. While here, remove a stale comment about leaving a blank line after %autosetup to work around a bug on EL6.
2021-03-02 13:17:44 -05:00 · 2021-03-02 13:17:44 -05:00 · e34350e16e
commit e34350e16e
parent 5662337240
1 changed files with 11 additions and 14 deletions
--- a/git.spec
+++ b/git.spec
@ -97,7 +97,7 @@
 Name:           git
 Version:        2.30.1
-Release:        2%{?rcrev}%{?dist}.1
+Release:        3%{?rcrev}%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
 URL:            https://git-scm.com/
@ -113,7 +113,7 @@ Source1:        https://www.kernel.org/pub/software/scm/git/%{?rcrev:testing/}%{
 #
 # https://git.kernel.org/cgit/git/git.git/tag/?h=junio-gpg-pub
 # https://git.kernel.org/cgit/git/git.git/blob/?h=junio-gpg-pub&id=7214aea37915ee2c4f6369eb9dea520aec7d855b
-Source9:        gpgkey-junio.asc
+Source2:        gpgkey-junio.asc
 # Local sources begin at 10 to allow for additional future upstream sources
 Source11:       git.xinetd.in
@ -152,11 +152,12 @@ BuildRequires:  diffutils
 BuildRequires:  emacs-common
 %endif
 # endif emacs-common
-%if 0%{?rhel} == 7
+%if 0%{?rhel} && 0%{?rhel} < 9
-# Require epel-rpm-macros for the %%build_cflags and %%build_ldflags macros
+# Require epel-rpm-macros for the %%gpgverify macro on EL-7/EL-8, and
 # %%build_cflags & %%build_ldflags on EL-7.
 BuildRequires:  epel-rpm-macros
 %endif
-# endif rhel == 7
+# endif rhel < 9
 BuildRequires:  expat-devel
 BuildRequires:  findutils
 BuildRequires:  gawk
@ -192,6 +193,7 @@ BuildRequires:  systemd
 # endif use_systemd
 BuildRequires:  tcl
 BuildRequires:  tk
 BuildRequires:  xz
 BuildRequires:  zlib-devel >= 1.2
 %if %{with tests}
@ -521,16 +523,8 @@ Requires:       subversion
 %prep
 # Verify GPG signatures
-gpghome="$(mktemp -qd)" # Ensure we don't use any existing gpg keyrings
+xz -dc '%{SOURCE0}' | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data=-
 # Convert the ascii-armored key to binary
 # (use --yes to ensure an existing dearmored key is overwritten)
 gpg2 --homedir "$gpghome" --dearmor --quiet --yes %{SOURCE9}
 xz -dc %{SOURCE0} | # Upstream signs the uncompressed tarballs
    gpgv2 --homedir "$gpghome" --quiet --keyring %{SOURCE9}.gpg %{SOURCE1} -
 rm -rf "$gpghome" # Cleanup tmp gpg home dir
 # Ensure a blank line follows autosetup, el6 chokes otherwise
 # https://bugzilla.redhat.com/1310704
 %autosetup -p1 -n %{name}-%{version}%{?rcrev}
 # Install print-failed-test-output script
@ -1076,6 +1070,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 %changelog
 * Tue Mar 02 2021 Todd Zullinger <tmz@pobox.com> - 2.30.1-3
 - use %%{gpgverify} macro to verify tarball signature
 * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.30.1-2.1
 - Rebuilt for updated systemd-rpm-macros
  See https://pagure.io/fesco/issue/2583.