From 6b70688a1a493114d8c15751f7cd8110103237fe Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 31 Mar 2016 15:33:08 +0100 Subject: [PATCH] Add code to verify tarball signatures (only enabled on stable branches). --- libguestfs.keyring | Bin 0 -> 2823 bytes libguestfs.spec | 23 ++++++++++++++++++++++- 2 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 libguestfs.keyring diff --git a/libguestfs.keyring b/libguestfs.keyring new file mode 100644 index 0000000000000000000000000000000000000000..bb3eb5537b7c398a10b7e2b26ca00af011d1a73e GIT binary patch literal 2823 zcma*oXEYm(0><$qB7$nPViakqqNG)u+FR_sQdc{DRukabMCqKo^wCkug~Y-bN=ZdDzIiUZ#$40(0^!V6(C-KH79?s=m3cGghyAo z1|dJMm+eiM>Vb)QYy4I#;Xu&Z^B~&YVZ!Whl6YA`T0fY9jOhHw z+Y;*35;Jx(8F=n(3o5j*bNOr3S) zCOp0NiMsuh^>)x<=&*u##pa25u9;{ZZc=y@%)4CE$a$A}A*UQGOC-D04;}dULUfuV z)^qc0R62lhwbK5pAcC9hk{LK2KJQ&jd|seog-6NxEVm_4X)8y7DYjWwHK2eI$lRku zmeq4z0zkjTs4a++z4bu{k^$N0>0MkG^k~>}tQQd>eap=1)cK}mGM_yYhtaPw3u{n! zU9d7X%GZbXT!~-iaePA-_ZF&Sz{>(|!tON<`4C)es{n-Uesd{GoD$><>+YS*e%6$X zv}81ZQEu&BDa*m|%?xc}K? ztXy1dUpQFtxVqa*MT11aG(ZsGE-C15Js>6$2qig`j06Osg@VW_D8Y0f5+LX{5JVpY zpdhDC^oaLZsK??x8DJOWJSw`FnKV|{5~fVJ%k`yWLJxgLVDcRdn^Wa_F@huK2}*V{VwcRgyv*)4g2Qgt1JGlabiOx*7Fj?B<+5~s41Ba znTns*;eGgN*mTv0;L>wfxeCI*{K-s;9kSV!?`oEYYHR#>`F5iO`ZuDJL%yslOO9&w zhbbHM^ngdugCnWhKqq{uTHT9qS(fk}s?L44SS*-LzWFNMdJ_cZV+Pj}Fc0 z$z?*yD| z^ee!4Z%nhXNm_MKw>GfR!|#AT7wI=d8;#FBd0Dn`;z*2sFEnNL=50xc+d7>-sr4hc z1H^ZFsD|Tz3VZsuG#PhW4A#n%$Hvw9zllAj{C|nDDp3Q9IoOo59u_f15UB-d(i^Ft zm}W~GSou3Y2Zae}aUVFWKJ)XZ-FcZ)f7}5VNSmEBezlPwny+1V!c|G1q2)yJu^>SU zBG(uFdMTFhV(LalnV(s$P>l{I_IXET&d9&(TxDa{R*NCzcuMf&q78elSLN9YIaoM7X!j3`9@_C^pJ@OJh;qD77 z`}&Nz_D*Iq6f;t7?Bqxowet8!npZ$`6NXiVD@~AY_g*>B){{F>D1? zN$g|68|pA_wcr~kt)JAUlnukx>iU8KA)f_4{X1&=@-!^E^P8QCNsCiKiUK_F>Xsli+q$Z*{a2b32CMwb3D{%D_`*E!rm9<3xmVE)l89dYVw5nlryxm zap55S(@vrBI7zH^ydCt_O(Ugr9>qJgQm;i{)`fD?)7n|Jj)=c?=qu9x3%|TVwl?!x z?-#a4>J7h7(TrYP9;;VFFnL~q)11l=W{2zM0PM_#^G-;w9~Y(6gf0(xy$5NJB{8G) z2_PZQC}tF@|I|RCJ_Ct6H6l-=E50j$d5Ku9&`{QVe8Z;T+VX2372^TDbVX-o_tL$y zfM36H?e10e)+AoUd;Ar?$c*rS7DBr*maRLN9n|78-|^BE1bP6RW%uVWO+Eh#-^#2q zU1o2OGeEnJe`vc1&bKa=PK5K>MrUoy*4Di*xQ~Hr8YK=ae$S@5;A6m-C*^N>H6QiE z+Z~%eGDDNK_vktjC^nxMUEXZReG3G^_uml$%lONCD~B)o&u@Ar}fQG5;T#E%^U88SI<&z@~yy|THGE%E1PbI z?F^r&ZTiw{?xi@{*DAy6C4z2C)^HACOJ!QTq)OKNiy$F_ao^+$ziBa!`o*phmK_>s za)NY_nGb%M+@h1zb zdfh2x>9W=SlC19X_yB5T8jPIITr(IuajP65y|~iU>niq=mN|NI*0)B&ixQw`dlhcIFP)G9WnV`}K3C{4m}cRO<&1vJ^K5DAVUo*Z<@ zunwMvxU0NO;ORRnw0-LRLg3}q^7?BlO`eOGFQ3pD@ literal 0 HcmV?d00001 diff --git a/libguestfs.spec b/libguestfs.spec index e1d83f8..6df35ac 100644 --- a/libguestfs.spec +++ b/libguestfs.spec @@ -10,6 +10,9 @@ # https://lists.fedoraproject.org/pipermail/devel/2013-April/thread.html#181627 %global _changelog_trimtime %(date +%s -d "2 years ago") +# Verify tarball signature with GPGv2 (only possible for stable branches). +#%global verify_tarball_signature 1 + # Filter perl provides %{?perl_default_filter} @@ -17,12 +20,15 @@ Summary: Access and modify virtual machine disk images Name: libguestfs Epoch: 1 Version: 1.33.16 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2+ # Source and patches. URL: http://libguestfs.org/ Source0: http://libguestfs.org/download/1.33-development/%{name}-%{version}.tar.gz +%if 0%{verify_tarball_signature} +Source1: http://libguestfs.org/download/1.33-development/%{name}-%{version}.tar.gz.sig +%endif # libguestfs live service Source2: guestfsd.service @@ -37,6 +43,11 @@ Source5: guestfish.sh # Used to build the supermin appliance in Koji. Source6: yum.conf.in +# Keyring used to verify tarball signature. +%if 0%{verify_tarball_signature} +Source7: libguestfs.keyring +%endif + # Basic build requirements for the library and virt tools. BuildRequires: gcc BuildRequires: supermin-devel >= 5.1.12-4 @@ -85,6 +96,9 @@ BuildRequires: gtk2-devel BuildRequires: /usr/bin/qemu-img BuildRequires: perl(Win::Hivex) BuildRequires: perl(Win::Hivex::Regedit) +%if 0%{verify_tarball_signature} +BuildRequires: gpg2 +%endif # For language bindings. BuildRequires: ocaml @@ -787,6 +801,10 @@ for %{name}. %prep +%if 0%{verify_tarball_signature} +tmphome="$(mktemp -d)" +gpgv2 --homedir "$tmphome" --keyring %{SOURCE7} %{SOURCE1} %{SOURCE0} +%endif %setup -q %autopatch -p1 @@ -1319,6 +1337,9 @@ rm ocaml/html/.gitignore %changelog +* Thu Mar 31 2016 Richard W.M. Jones - 1:1.33.16-2 +- Add code to verify tarball signatures (only enabled on stable branches). + * Fri Mar 25 2016 Richard W.M. Jones - 1:1.33.16-1 - New upstream version 1.33.16.