verify upstream source signature

Per the packaging guidelines¹.

The upstream key is, unfortunately, a DSA 1024-bit key.  While this is
still accepted by gpg, it should ideally be replaced upstream.

¹ https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures

.gitignore

@@ -1 +1 @@
-/irssi-*.tar.xz
+/irssi-*.tar.xz*

gpgkey-7EE65E3082A5FB06AC7C368D00CCB587DDBEF0E1.asc

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGiBENpM4oRBACXrTtE5r9JeNaX3T+sbwhORs0ODukgAFCOW5ZwygMI8L839wjt
+EXQ8DsaRowRW74XDJm/RSxJp0ExkmLh1LDP1PcnqrgzAknUfqkbQ4LfWKfnRHE+3
+42gLjfdvIGCqhHD66VrpNKmvuGmiEAvHBP58bg7aM6FqoXiDhp+aEjeJcwCglf7Y
+aluifja2z4WMoHSnYpz//PcD/3+W0e/brxvZqfDmWB6a1VGjjz6CFDwgc2iO5jTw
+vlP8JAcg7lqhA+3Fc4pUUqlhKdgWxEDHkzxpz6UWmLrW3rt+72Gi56U3HRKrwSh0
+y83zOehVJI9TlPFq+NQ0wLT8shYD2LvVrvWuQ/hT3oLiQAG6a9MZViUPU9z0Pspc
+wRwXA/4tRT1/E1h1urzSAw9Hhl7T/KWIJNkpYAgFFSuTJiyNpAKzyCWIpMeHMHEC
+JprnYuvYAtBe2VjgemP7wWsiTGKXKNuaj615eLfXElXvA/1xgs8XuKugKiK8hMWP
+cjrW3buc8WlrbGgKvSAsfNVSVZ9/wKdnDjv/3Tws7TFXcr5Q2bQjVGhlIElyc3Np
+IHByb2plY3QgPHN0YWZmQGlyc3NpLm9yZz6IYAQTEQIAIAUCQ2kzigIbAwYLCQgH
+AwIEFQIIAwQWAgMBAh4BAheAAAoJEADMtYfdvvDh32gAn1CsCfXuEhVNxdchHAQM
+0WpFFRxlAJ4jFo/9+h5/kPL1a4VeH2G6OnYy8rkCDQRDaTOPEAgAo7N8oAnv5tJ3
+V8uE07Ft01eWRFfdfXvu6gqw70WRVyRpS9q+Y+8r/UaQiGJZUkiBPrlWwxXlFYR0
+ZFCyh8btnP/m3AqBK+72o0FU/h/CjciFJpbbQJw3asxjen6EaLxsaLDOoZOaC/Ws
+uuxvq+KeiRCkIAD2SwVFR3RbJpT+T1eIhhJAD4eezfBzihpTKyE+dWGaL1IeOqaH
+QhC6XCKPU3VF0kct3/uP9NawZPCYcAnfKich8+llHYLpH5fn4ud6VULur7Pgs45C
+aM4BWvI0A856z7LDEZ5oBiFCYU3x9iuWHA0qFu4ZT11Enr9K1S4yppvlMqie/Mjg
+JQPy2KHt5wADBQf9EriAPZD/1Jo6VmyVvMLC3vflI7vkgOn87ANbppfhgrZ/gaPE
+E9IBag/3MhWcXfWvtBzl9vNDpm6u+pqLyelwPlWm7Em9uod64qKAKcgRdQnoAW2+
+vRx59sYMpPOmie2/Oi217pzaqFzWjD+ZmIqdc/ocbEhU3aBCweZM5W91qiVSX9hU
+4c/W3TgVY6EFrFCx4I8uVmQFoEn83CmThQvXOHek9q2ReMYnK2ovu1/IFXAuj3Zy
+do/91Xq/5cs+zNqxmjUvl100Lr8WGh24nrG4rluGDd0/rp6Dbl6ZjqTqhMNOlzpn
+qPcoZDmDWUvudj5kA2quO4MmrC5OXvN4jRlR5ohIBBgRAgAJBQJDaTOPAhsMAAoJ
+EADMtYfdvvDhs0EAnjauwkUV0NPxqDPWjt5VuTPAl6mqAJdQNcan8E5i1henBNgb
+Sxo8CCxd
+=uzEi
+-----END PGP PUBLIC KEY BLOCK-----

irssi.spec

@@ -9,12 +9,14 @@
 Summary:	Modular text mode IRC client with Perl scripting
 Name:		irssi
 Version:	1.4.4
-Release:	1%{?dist}
+Release:	2%{?dist}
 
 License:	GPLv2+
 URL:		http://irssi.org/
 Source0:	https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz
-Source1:	irssi-config.h
+Source1:	https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz.asc
+Source2:	gpgkey-7EE65E3082A5FB06AC7C368D00CCB587DDBEF0E1.asc
+Source3:	irssi-config.h
 
 BuildRequires:	make
 BuildRequires:	ncurses-devel
@@ -22,6 +24,7 @@ BuildRequires:	openssl-devel
 BuildRequires:	zlib-devel
 BuildRequires:	pkgconf-pkg-config
 BuildRequires:	glib2-devel
+BuildRequires:	gnupg2
 BuildRequires:	perl-devel
 BuildRequires:	perl-generators
 BuildRequires:	perl(ExtUtils::Embed)
@@ -58,6 +61,7 @@ being maintained.
 
 
 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1
 
 
@@ -74,7 +78,7 @@ autoreconf -fi
 
 %make_build CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
 mv irssi-config.h irssi-config-$(getconf LONG_BIT).h
-cp -p %{SOURCE1} irssi-config.h
+cp -p %{SOURCE3} irssi-config.h
 
 
 %install
@@ -107,6 +111,9 @@ chmod -R u+w $RPM_BUILD_ROOT%{perl_vendorarch}
 
 
 %changelog
+* Thu Mar 30 2023 Todd Zullinger <tmz@pobox.com> - 1.4.4-2
+- verify upstream source signature
+
 * Thu Mar 30 2023 Kalev Lember <klember@redhat.com> - 1.4.4-1
 - Update to 1.4.4
 

sources

@@ -1 +1,2 @@
 SHA512 (irssi-1.4.4.tar.xz) = da28ac7a527be301d0615d6d733e4cf4e09bb6d4f5c70bc33ff70e22439a01f197bb5d91b4432ca74d3ac2dbb3235f30d53efc63a4279de8664923c2ccdbdbea
+SHA512 (irssi-1.4.4.tar.xz.asc) = b6493102a9c310833da6efca97d542a2c4fd4c83f9d8a653131edaf36ac789408460cc5c32cb9ee4e95f827601da4e48b6f776fe15bf7124faea98cac3d91006