Always check the signature of the tarball

2020-01-22 17:18:44 +01:00 · 2020-01-22 17:18:44 +01:00 · e7e5c5f5b9
commit e7e5c5f5b9
parent 0c3e05356f
3 changed files with 10 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -48,3 +48,5 @@
 /ldb-2.0.7.tar.gz
 /ldb-2.0.8.tar.gz
 /ldb-2.1.0.tar.gz
+/ldb.keyring
+/ldb-2.1.0.tar.asc
--- a/libldb.spec
+++ b/libldb.spec
@ -22,7 +22,10 @@ Requires: libtdb%{?_isa} >= %{tdb_version}
 Requires: libtevent%{?_isa} >= %{tevent_version}
 License: LGPLv3+
 URL: http://ldb.samba.org/
-Source: http://samba.org/ftp/ldb/ldb-%{version}.tar.gz
+Source0: http://samba.org/ftp/ldb/ldb-%{version}.tar.gz
+Source1: http://samba.org/ftp/ldb/ldb-%{version}.tar.asc
+# gpg2 --no-default-keyring --keyring ./ldb.keyring --recv-keys 9147A339719518EE9011BCB54793916113084025
+Source2: ldb.keyring

 # Patches
 Patch0001: 0001-PATCH-wafsamba-Fix-few-SyntaxWarnings-caused-by-regu.patch
@ -46,6 +49,7 @@ BuildRequires: python3-tevent
 BuildRequires: doxygen
 BuildRequires: openldap-devel
 BuildRequires: libcmocka-devel
+BuildRequires: gnupg2

 Provides: bundled(libreplace)
 Obsoletes: python2-ldb < 2.0.5-1
@ -110,6 +114,7 @@ Development files for the Python bindings for the LDB library
 %autosetup -n ldb-%{version} -p1

 %build
+zcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -

 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1217376
 export python_LDFLAGS=""
--- a/2
+++ b/2
@ -1 +1,3 @@
+SHA512 (ldb.keyring) = dab8c56fad6555885ee05f26f1e6da8d4c95c0cd7bdba114422b31d33b95ce46e763946a4be17c651e2626c0511f087bc223773f74b4d43ffc3010528b270093
+SHA512 (ldb-2.1.0.tar.asc) = c73651878bdccaa15598e38a0c7d2720c9eb4595ff6745b6eda15319af12ccc3fd7dbab3c9fbf171df24a560b57c018ea4d227356d9602787a6aa6c52df37768
 SHA512 (ldb-2.1.0.tar.gz) = 71edd60206f7f59f3721140a55dbb66cf3755cd87df7228928e89f65137f26aa29f8b7c4898f1cde498045a60bdede24e7c83224d6e561d5b9aead72159cf63a