Build from signed and verified distribution tarball

2021-09-18 14:27:49 +02:00 · 2021-09-18 14:27:49 +02:00 · 177e484175
commit 177e484175
parent 5ae5a7dc84
6 changed files with 51 additions and 12 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,5 @@
+/libxcrypt-*/
 /libxcrypt-*.rpm
-/libxcrypt-*.tar.*
+/libxcrypt-*.tar.xz
+/libxcrypt-gpgkey.gpg
+/results_libxcrypt/
--- a/README.packit
+++ b/README.packit
@ -1,3 +0,0 @@
-This repository is maintained by packit.
-https://packit.dev/
-The file was generated using packit 0.32.0.
--- a/libxcrypt-4.4.26.tar.xz.asc
+++ b/libxcrypt-4.4.26.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEZ4zj/uQwMRWW24wW9S6YAHWUwh0FAmFF1kUACgkQ9S6YAHWU
+wh1eQw//QcuUPJna/qbpD+j1gan8nccZFrJ14+1Wv+GLogbnJxQru29DmkSHXVjp
+5LY2AIBTr0czRx3FJhW+aZd9yzCrQF/0iyaT5ewSPeB3jpXE7Ho12LHTEYT/clJj
+dp6kKnhF6c2ALulow77KdJs6nCmsysgIlpnuP9UHUxv14sk3MxANZR9wdxWi31Kf
+DlIVKog5gM6rNtOxYxvspmT1Z3HVlqI8QpieaNAR20clTH0XRkxFP++Xo2igm6hW
+SiAFkwLqu9htBfPkM9bHxmgk0Ie5DX6s5g+JeLnkOeQSt9fTDHdKIof6QOpfBohk
+4v5f5EOmd0F2coMzfmpjIOTazcNWXHii7GiUL/7SWzwC5AZ2lkGxvs5YfTp5jMky
+Fve1x/jqVOgD1MK8UpNIPll4PtTdFWXY0wtWqJXb/dCwuqlQjGarejcB04pYsdH5
+d+UnHoGlpPpjgKo9EcjL51PAPjS035Mf0Lua3bSZtG+Gs1qxl+WW/RWPvkZC7oQE
+zqZO60r5KFuQploTU+IAwlFQ1RfT4M8NR3zZKO+E4uy3rq7fVZW4vg92kuDH3AaU
+akwJpKYKXhZbnNlObkoNL012K/CJB0wsGphcWDausboFghrZJ/rosIWF1h0WP2La
+pAtSDdE3iUsohmHVZPXOBv/lLd42vGBFuA2F5KmwxX7OJ/0JYNk=
+=E20L
+-----END PGP SIGNATURE-----
--- a/libxcrypt-4.4.26.tar.xz.sha256sum
+++ b/libxcrypt-4.4.26.tar.xz.sha256sum
@ -0,0 +1,2 @@
+8e6ab1e22b9d1dc40165ec767662a34773d22f766aae1f989328069e8a3aa99a  libxcrypt-4.4.26.tar.xz
+e9a4b1ae5265de7b997a077ea39749ab678f2e2f5f62e655ddbb966bd5b35301  libxcrypt-4.4.26.tar.xz.asc
--- a/libxcrypt.spec
+++ b/libxcrypt.spec
@ -26,6 +26,11 @@
 %bcond_without staticlib


+# When we are bootstrapping, we omit the
+# verification of the source tarball with GnuPG.
+%bcond_with bootstrap
+
+
 # Shared object version of libcrypt.
 %if %{with new_api}
 %global soc  2
@ -153,14 +158,17 @@ fi                                          \

 Name:           libxcrypt
 Version:        4.4.26
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Extended crypt library for descrypt, md5crypt, bcrypt, and others

 # For explicit license breakdown, see the
 # LICENSING file in the source tarball.
 License:        LGPLv2+ and BSD and Public Domain
 URL:            https://github.com/besser82/%{name}
-Source0:        %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
+Source0:        %{url}/releases/download/v%{version}/%{name}-%{version}.tar.xz
+Source1:        %{url}/releases/download/v%{version}/%{name}-%{version}.tar.xz.asc
+Source2:        %{url}/releases/download/v%{version}/%{name}-gpgkey.gpg
+Source3:        %{url}/releases/download/v%{version}/%{name}-%{version}.tar.xz.sha256sum

 # Patch 0000 - 2999: Backported patches from upstream.

@ -168,15 +176,18 @@ Source0:        %{url}/archive/v%{version}/%{name}-%{version}.tar.gz

 # Patch 6000 - 9999: Downstream patches.

-BuildRequires:  autoconf
-BuildRequires:  automake
 BuildRequires:  fipscheck
 BuildRequires:  gcc
 BuildRequires:  glibc-devel           >= %{glibc_minver}
-BuildRequires:  libtool
 BuildRequires:  make
 BuildRequires:  perl-core

+%if %{without bootstrap}
+# Possibly not available during bootstrap.
+BuildRequires:  gnupg2
+BuildRequires:  %{_bindir}/sha256sum
+%endif
+
 # We do not need to keep this forever.
 %if !(0%{?fedora} > 31 || 0%{?rhel} > 10)
 # Inherited from former libcrypt package.
@ -283,9 +294,15 @@ discouraged.


 %prep
-%autosetup -p 1
+%if %{without bootstrap}
+# Omitted during bootstrap.
+%{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0}
+pushd %{_sourcedir}
+sha256sum -c %{SOURCE3}
+popd
+%endif

-$(realpath ./autogen.sh)
+%autosetup -p 1

 %if %{with new_api}
 cat << EOF >> README%{distname}
@ -528,6 +545,9 @@ done


 %changelog
+* Sat Sep 18 2021 Björn Esser <besser82@fedoraproject.org> - 4.4.26-2
+- Build from signed and verified distribution tarball
+
 * Fri Sep 17 2021 Björn Esser <besser82@fedoraproject.org> - 4.4.26-1
 - New upstream release

--- a/3
+++ b/3
@ -1 +1,2 @@
-SHA512 (libxcrypt-4.4.26.tar.gz) = fd58e397c59fd8f227a0006ed1039ef1d89e033f792f186a8c352fddc0741616fabe9784eb081aecac4db945741dd730f6cef36e6354f252fd934ce0866fdb2a
+SHA512 (libxcrypt-4.4.26.tar.xz) = 5945d8030223f2b094a88e69c3237c02d4c2740974bce2aab4b951d2ae5f6e51960e024ad3fb62bdf3751d33f7ea9c688c4e2639fe5609cea2944cb2d2a5bc05
+SHA512 (libxcrypt-gpgkey.gpg) = 723ce5d76676e4366959e03850f8814d5b30f8b20a39629f0ccff61bb2b2bef64223fd78e719ad23d7dd272ca6c0177089749f9b508099d56750a8bb466d006c