From 6b70688a1a493114d8c15751f7cd8110103237fe Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 31 Mar 2016 15:33:08 +0100
Subject: [PATCH] Add code to verify tarball signatures (only enabled on stable
 branches).

---
 libguestfs.keyring | Bin 0 -> 2823 bytes
 libguestfs.spec    |  23 ++++++++++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 libguestfs.keyring

diff --git a/libguestfs.keyring b/libguestfs.keyring
new file mode 100644
index 0000000000000000000000000000000000000000..bb3eb5537b7c398a10b7e2b26ca00af011d1a73e
GIT binary patch
literal 2823
zcma*oXEYm(0><$qB7$nPViakqqNG)u+FR_sQd<zUYE`Y+yNX&x5k(cXXQ`bSHCwC3
zYp>c{DRukabMCqKo^wCkug~Y-bN=ZdDzIiUZ#$40(0^!V6(C-KH79?s=m3cGghyAo
z1|dJMm+eiM>Vb)QYy4<m5xqg#!`x#?uQU&6#CqCFwPwBoY1aMd-SX<ocshADP{Q;g
z1Dl&%&gdzBz-QK(+=R-*kGl?$GP}bx7G>I#;Xu&Z^B~&YVZ!Whl6YA`T0fY9jOhHw
z+Y;*35;Jx(8F=n(3o5j*bNOr3S)<ZiqikDGJ@unc_d8W%B-zoUF6;p$M`+f%wQ)q>
zCOp0NiMsuh^>)x<=&*u##pa25u9;{ZZc=y@%)4CE$a$A}A*UQGOC-D04;}dULUfuV
z)^qc0R62lhwbK5pAcC9hk{LK2KJQ&jd|seog-6NxEVm_4X)8y7DYjWwHK2eI$lRku
zmeq4z0zkjTs4a++z4bu{k^$N0>0MkG^k~>}tQQd>eap=1)cK}mGM_yYhtaPw3u{n!
zU9d7X%GZbXT!~-iaePA-_ZF&Sz{>(|!tON<`4C)es{n-Uesd{GoD$><>+YS*e%6$X
zv}<Ezbgw+V+)^G<{cKShV`YUM@z0k(dfG;{s)5@&rmFh5Ra0z`Pp&G6!~uBSpQ|Yr
z2pWZ+4KY-&p#(;ur@&;jv$$2Cw8DYpiD#8&*_$lw$_ru0*x5-J{;#YXGi!}bm9BB)
z;-;}3Qqk*8uD-}<5knl;JuxxPbPvD{AOKjyuIpffwQ|R>81ZQEu&BDa*m|%?xc}K?
ztXy1dUpQFtxVqa*MT11aG(ZsGE-C15Js>6$2qig`j06Osg@VW_D8Y0f5+LX{5JVpY
zpdhDC^oaLZsK??x8DJOWJSw`FnKV|{5~fVJ%k`yWLJxgLVDcRdn^Wa_F@huK<h6TM
zi%<0s3fOrV#@qs4P^{YskICCUXY0QQ@r!UQcnFw?(&%^!*9b67B$)c~mF_gW9OV=r
z+S`q%8>2}*V{VwcRgyv*)4<h$KY<UTJ#pnS>g2Qgt1JGlabiOx*7Fj?B<+5~s41Ba
znTns*;eGgN*mTv0;L>wfxeCI*{K-s;9kSV!?`oEYYHR#>`F5iO`ZuDJL%yslOO9&w
zhbbHM^ngdugCnWhKqq{uTHT9qS(fk}s?L44SS*-LzWFNMd<KYy)eNj3dP?sXsDcBS
z4445vX3np6GAAN8xPxo@hZWqsZB<duKREf=LzpkBM+qb(9pJFXj;ycj6Z;De^69#B
z_J;OJ-374s)*w=E2$5S~biU;*gh-dbcgc=geo#iry`v(Oh<y*I!D-~3^X{Lb<trp`
zi22B21(WW=6)nr3dG}GVr7D4Wy&^Cc#<wKx`8oSpWxS@)6*&Dvu`>J_cZV+Pj}Fc0
z$<Swv6laEJUFnIG{pDQ;P?3gI3i)A&R`XI5o9dsz)}n?rI&!ml3a~fYP`)>z?*yD|
z^ee!4Z%nhXNm_MKw>GfR!|#AT7wI=d8;#FBd0Dn`;z*2sFEnNL=50xc+d7>-sr4hc
z1H^ZFsD|Tz3VZsuG#PhW4A#n%$Hvw9zllAj{C|nDDp3Q9IoOo59u_f15UB-d(i^Ft
zm}W~GSou3Y2Zae}aUVFWKJ)XZ-FcZ)f7}5VNSmEBezlPwny+1V!c|G1q2)yJu^>SU
zBG(uFdMTFhV(LalnV(s$P>l{I_<eaHWlqF+Ch{$~XLhAa<Yt2MoawUfHJf@_N;?U4
z*09Y`lu*uu;cfA$!Kgo{+#{?_zegzGn<2Frs2=S5yyLnQ^!=v;b<&`Lmd}1vHF8d=
z;!CozBU~x?0a+7&iBLT5ZE7ltenQ%Av(Xgwn0M&|rYeiSVgA?%{36=$`2|;01x7#Z
zwotR>IXET&d9&(TxDa{R*NCzcuMf&q78elSLN9YIaoM7X!j3`9@_C^pJ@OJh;qD77
z`}&Nz_D*Iq6f;t7?Bqxowet8!npZ$`6NXiVD@~AY_g*>B){{F>D1<Vwm_@s_W1M~m
zih13{GG=2Q5$bL0Xo}kuQ+(PxE@xPA2tVV|qiYs+T5-IuqO-F-W`Z{6V;T8<e#@j(
z;!3U8`|v@+L@Ftr+4#}mUxUi{$MYkS7rtaehQYt)IC!ODT0|RWLrJ%XWr6a^*$AxM
zQ{gYW{*}m~QUCcc4jfkJ^u_PesfSq`zc-Xau1IBjl&7DVa+ptsb9stY)jPx!RTa>?
zN$g|68|pA_wcr~kt)JAUlnukx>iU8KA)f_4{X1&=@-!^E^P8QCNsCiKiUK_<oEmOw
zH;4=dBz;KBtuPAXu%C#Lc7i;dNlJi?$gaa<(Y?5^kaq$4RId~1Tfh9S7Lq1)QW7ct
zpaBz*vDJ{eJo)|Jt249v={=5u<c@_!42@Y8nmVZ%eES;8WdxCx8%+wlz~)_{AL828
zoidZW3tJN>F>Xsli+q$Z*{a2b32CMwb3D{%D_`*E!rm9<3xmVE)l89dYVw5nlryxm
zap55S(@vrBI7zH^ydCt_O(Ugr9>qJgQm;i{)`fD?)7n|Jj)=c?=qu9x3%|TVwl?!x
z?-#a4>J7h7(TrYP9;;VFFnL~q)11l=W{2zM0PM_#^G-;w9~Y(6gf0(xy$5NJB{8G)
z2_PZQC}tF@|I|RCJ_Ct6H6l-=E50j$d5Ku9&`{QVe8Z;T+VX2372^TDbVX-o_tL$y
zfM36H?e10e)+AoUd;Ar?$c*rS7DBr*maRLN9n|78-|^BE1bP6RW%uVWO+Eh#-^#2q
zU1o2OGeEnJe`vc1&bKa=PK5K>MrUoy*4Di*xQ~Hr8YK=ae$S@5;A6m-C*^N>H6QiE
z<RvKr=C<qi>+Z~%eGDDNK_vktjC^nxMUEXZReG3G^_uml$%lONCD~B)o&u<L^8IJZ
z@#3MMMS<yz1i7~|3^Alk?bC*Pr#Jo?wP?^CFvFi(k^ie!*Zwm~s2bRnW7J28FjVX)
z(NZN!a%Av(WM2oOo0O}USI_4&2e6@GY5!48T2IWEE^Gd%n^$|onzcbYgQE#bON)?G
zua?${5v|kuqa^;WF7Dh^WnG%%(I0%P6rF0RN8&^yG21bPZUdoT4;2`Xho4<G3~%f-
z#lS3Rh+%sovhlDewz2VU89~2ou`>@Ar}fQG5;T#E%^U88SI<&z@~yy|THGE%E1PbI
z?F^r&ZTiw{?xi@{*DAy6C4z2C)^HACOJ!QTq)OKNiy$F_ao^+$ziBa!`o*phmK_>s
za)NY_nGb%M+@h1zb<XAwtGn*W#jsd8_GBv-9*Ddy8t<qBI(x&%bN5;ykF8dr{T4O>
zdfh2x>9W=SlC19X_yB5T8jPIITr(IuajP65y|~iU>niq=mN|NI*0)B&ixQ<WS!nCf
zBVYs7xp*%EgK(9ET6)O?{REK=M1I%+lldysJ55gyskZBWAKZ?bc%)XCn0i3y@NQXm
zn@r@9Vr+PNil~E=_qIh+>w`dlhcIFP)G9WnV`}K3C{4m}cRO<&1vJ^K5DAVUo*Z<@
zunwMvxU0<EoOCH{SGr~+*y)%@-LfJf*03LrDE*$j2<T=OM6`|BPp@fM8p8K0?2eb^
n-3&M(SRSjrrKa5!v>NO;ORRnw0-LRLg3}q^7?BlO`eOGFQ3pD@

literal 0
HcmV?d00001

diff --git a/libguestfs.spec b/libguestfs.spec
index e1d83f8..6df35ac 100644
--- a/libguestfs.spec
+++ b/libguestfs.spec
@@ -10,6 +10,9 @@
 # https://lists.fedoraproject.org/pipermail/devel/2013-April/thread.html#181627
 %global _changelog_trimtime %(date +%s -d "2 years ago")
 
+# Verify tarball signature with GPGv2 (only possible for stable branches).
+#%global verify_tarball_signature 1
+
 # Filter perl provides
 %{?perl_default_filter}
 
@@ -17,12 +20,15 @@ Summary:       Access and modify virtual machine disk images
 Name:          libguestfs
 Epoch:         1
 Version:       1.33.16
-Release:       1%{?dist}
+Release:       2%{?dist}
 License:       LGPLv2+
 
 # Source and patches.
 URL:           http://libguestfs.org/
 Source0:       http://libguestfs.org/download/1.33-development/%{name}-%{version}.tar.gz
+%if 0%{verify_tarball_signature}
+Source1:       http://libguestfs.org/download/1.33-development/%{name}-%{version}.tar.gz.sig
+%endif
 
 # libguestfs live service
 Source2:       guestfsd.service
@@ -37,6 +43,11 @@ Source5:       guestfish.sh
 # Used to build the supermin appliance in Koji.
 Source6:       yum.conf.in
 
+# Keyring used to verify tarball signature.
+%if 0%{verify_tarball_signature}
+Source7:       libguestfs.keyring
+%endif
+
 # Basic build requirements for the library and virt tools.
 BuildRequires: gcc
 BuildRequires: supermin-devel >= 5.1.12-4
@@ -85,6 +96,9 @@ BuildRequires: gtk2-devel
 BuildRequires: /usr/bin/qemu-img
 BuildRequires: perl(Win::Hivex)
 BuildRequires: perl(Win::Hivex::Regedit)
+%if 0%{verify_tarball_signature}
+BuildRequires: gpg2
+%endif
 
 # For language bindings.
 BuildRequires: ocaml
@@ -787,6 +801,10 @@ for %{name}.
 
 
 %prep
+%if 0%{verify_tarball_signature}
+tmphome="$(mktemp -d)"
+gpgv2 --homedir "$tmphome" --keyring %{SOURCE7} %{SOURCE1} %{SOURCE0}
+%endif
 %setup -q
 %autopatch -p1
 
@@ -1319,6 +1337,9 @@ rm ocaml/html/.gitignore
 
 
 %changelog
+* Thu Mar 31 2016 Richard W.M. Jones <rjones@redhat.com> - 1:1.33.16-2
+- Add code to verify tarball signatures (only enabled on stable branches).
+
 * Fri Mar 25 2016 Richard W.M. Jones <rjones@redhat.com> - 1:1.33.16-1
 - New upstream version 1.33.16.