GnuPG has TPM support to store the keys since 2.3, but we haven't
enabled it by default.
Note that for it to work properly, the user needs to be part of the tss
group.
Signed-off-by: Maxime Ripard <maxime@cerno.tech>

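As an added illustration of the tss-group prerequisite (example script, not part of the package or of upstream GnuPG): a check that the current user is in the tss group, and the gpg --edit-key sequence ("keytotpm") that GnuPG 2.3+ builds with TSS support use to move a subkey into the TPM. The key fingerprint is a placeholder passed on the command line; the has_group helper takes the group list as an argument so it can be exercised without a TPM.

```shell
#!/bin/sh
# Added example, not from the Fedora gnupg2 package or from upstream GnuPG.
# GnuPG's TPM key storage talks to the TPM through the TSS; on Fedora the
# device nodes are owned by the tss group, so the user must be a member.

# Return 0 if group $1 appears in the space-separated group list $2
# (for example the output of `id -nG`), else 1.
has_group() {
    _want=$1
    _groups=$2
    for _g in $_groups; do
        [ "$_g" = "$_want" ] && return 0
    done
    return 1
}

# Report whether the invoking user can reach the TPM via the tss group.
tss_status() {
    if has_group tss "$(id -nG)"; then
        echo "ok: $(id -un) is in tss"
    else
        echo "missing: run 'sudo usermod -aG tss $(id -un)' and log in again"
    fi
}

# Move subkey 1 of the key with fingerprint $1 into the TPM.
# "keytotpm" is the gpg --edit-key command added in GnuPG 2.3; it needs a
# TPM, TSS access (the tss group) and an interactive pinentry, so this
# function only runs when explicitly requested below.
move_subkey_to_tpm() {
    _fpr=$1
    gpg --edit-key "$_fpr" key 1 keytotpm save
}

tss_status
if [ "${1:-}" = "--keytotpm" ] && [ -n "${2:-}" ]; then
    move_subkey_to_tpm "$2"
fi
```

Run it with no arguments to see the group check; run `./script.sh --keytotpm <FINGERPRINT>` only once the check reports "ok", since gpg will otherwise fail when it cannot open the TPM device.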
We needed the %{skip_verify} escape hatch in 9308d65 (verify upstream
signatures in %prep, unless bootstrapping, 2022-10-17) because brainpool
signatures were not supported at the time. That changed with libgcrypt
9e608ad (enable brainpool curves by default, 2022-11-06).

Adjust the remaining bootstrap conditional to read more naturally, using
'if not bootstrap' rather than 'if without bootstrap' while we're here.

Rebase the patch which allows importing of keys without UIDs. The code
changed slightly with upstream 7aaedfb10 (gpg: Import stray revocation
certificates., 2022-10-28).

Bump the minimum required libksba to 1.6.3, per upstream fc8b81128
(Update NEWS for 2.4.0, 2022-12-16). Also increase libgpg-error to
1.46, per upstream c51139f2b (agent,w32: Support Win32-OpenSSH emulation
by gpg-agent., 2022-10-14).

Fix broken GPGME tests with the patch attached to T6313¹. The patch is
edited to apply the changes to Makefile.in rather than Makefile.am.
That avoids the need to run autoreconf.

¹ https://dev.gnupg.org/T6313#166375

Use a glob to match all gnupg tarballs rather than having fedpkg add
each one to .gitignore. Also ignore rpms, extracted source dirs, and
the mock build results directory.

Per the guidelines¹, verify upstream signatures, unless we are in
bootstrap mode.

The fingerprints of the keys contained in signature_key.asc were checked
against the upstream page (https://gnupg.org/signature_key.html). One
downside is that we are unable to verify signatures made with only the
brainpool key. The hope is that such releases are relatively rare and
the benefit of automated signature verification outweighs the hassle of
handling such releases. For these releases, set skip_verify to 1, as
we've done here. Afterward, reset it to 0.

¹ https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
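The %prep arrangement the commit messages above describe, as an added spec fragment (an illustration, not the package's own spec): signature verification with Fedora's %{gpgverify} macro runs unless the bootstrap bcond is set or the skip_verify escape hatch is raised for a release signed only with the brainpool key. The Source numbering, the bcond name "bootstrap" and the skip_verify global are assumptions taken from the commit messages, not copied from the spec.

```spec
# Added example, not the gnupg2 package's own spec.
# Escape hatch for releases signed only with the brainpool key, which the
# keyring in signature_key.asc cannot verify. Set to 1 for such a release
# and reset it to 0 in the following update.
%global skip_verify 0

# Bootstrap builds (e.g. a fresh libgcrypt/libksba chain) skip verification
# because the tooling needed to check the signature is not available yet.
%bcond_with bootstrap

Source0:  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2
Source1:  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig
# Upstream release-signing keys; fingerprints checked against
# https://gnupg.org/signature_key.html before committing.
Source2:  signature_key.asc

%prep
# "if not bootstrap" rather than "if without bootstrap":
%if !%{with bootstrap} && !%{skip_verify}
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%endif
%autosetup -p1
```

%{gpgverify} fails the build on a bad or unverifiable signature, so a brainpool-only release surfaces immediately as a %prep failure rather than as a silently unverified tarball; that is the moment to flip skip_verify to 1.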