Enable GPG signature verification of sources
As per the Packaging Guidelines: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
parent
4d2af057d4
commit
a30bd7a825
2
.gitignore
vendored
@ -1,6 +1,7 @@
|
||||
/results_*
|
||||
/*.src.rpm
|
||||
|
||||
/KEYS
|
||||
/apache-log4j-1.2.16.tar.gz
|
||||
/log4j-1.2.17.tar.gz
|
||||
/apache-log4j-2.0-rc1-src.tar.gz
|
||||
@ -24,3 +25,4 @@
|
||||
/apache-log4j-2.16.0-src.tar.gz
|
||||
/apache-log4j-2.17.0-src.tar.gz
|
||||
/apache-log4j-2.17.1-src.tar.gz
|
||||
/apache-log4j-2.17.1-src.tar.gz.asc
|
||||
|
||||
10
log4j.spec
@ -2,16 +2,20 @@
|
||||
|
||||
Name: log4j
|
||||
Version: 2.17.1
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: Java logging package
|
||||
BuildArch: noarch
|
||||
License: ASL 2.0
|
||||
|
||||
URL: https://logging.apache.org/%{name}
|
||||
Source0: https://www.apache.org/dist/logging/%{name}/%{version}/apache-%{name}-%{version}-src.tar.gz
|
||||
Source1: https://www.apache.org/dist/logging/%{name}/%{version}/apache-%{name}-%{version}-src.tar.gz.asc
|
||||
Source2: https://www.apache.org/dist/logging/KEYS
|
||||
|
||||
Patch2: logging-log4j-Remove-unsupported-EventDataConverter.patch
|
||||
|
||||
BuildRequires: gnupg2
|
||||
|
||||
BuildRequires: maven-local
|
||||
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations)
|
||||
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core)
|
||||
@ -137,6 +141,7 @@ Obsoletes: %{name}-manual < %{version}
|
||||
%{summary}.
|
||||
|
||||
%prep
|
||||
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
|
||||
%setup -q -n apache-%{name}-%{version}-src
|
||||
%autopatch -p1
|
||||
|
||||
@ -284,6 +289,9 @@ rm -r log4j-1.2-api/src/main/java/org/apache/log4j/or/jms
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Jan 06 2022 Malcolm Inglis <miinglis@amazon.com> - 2.17.1-2
|
||||
- Enable GPG signature verification of sources
|
||||
|
||||
* Tue Dec 28 2021 Paul Wouters <paul.wouters@aiven.io> - 2.17.1-1
|
||||
- Update log4j to 2.17.1 for CVE-2021-44832 RCE via JDBC Appender (when attacker controls config)
|
||||
|
||||
|
||||
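Review bot: `Source2` in the first log4j.spec hunk points at the project-wide, unversioned `https://www.apache.org/dist/logging/KEYS`, so the `%{gpgverify}` call added to `%prep` will accept a signature made by any key that file holds, not only the key that signed this release. As far as I recall, the linked guideline also asks for the keyring to be committed to the package SCM rather than uploaded to the lookaside cache, whereas this commit ignores `/KEYS` in .gitignore and lists it in `sources`; please confirm against the guideline text. Consider committing a keyring that holds only the release signer's key and documenting it above `Source2`, for example `# Keyring holds only the release signer's key, fingerprint <FINGERPRINT-PLACEHOLDER>`, so that any later change to the trust anchor appears as a reviewable diff rather than a changed hash.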
2
sources
@ -1 +1,3 @@
|
||||
SHA512 (apache-log4j-2.17.1-src.tar.gz) = 21cdfca54eb0d6af261a5ae89ff98197473d9c0203b0ab530f3aef6c90957bfb95a423983c8a19d7fbab05ec194b6fad8e46628e32270dd8b94ddd194a1cb177
|
||||
SHA512 (apache-log4j-2.17.1-src.tar.gz.asc) = 49dd72d741ad669a2db9411bb20e6557d564b4c43873b27acc04cf8f50f9b8c43ddbce871e0a2c6abd79c9b58fa57f4ebcb38798e7965ec59641a7e07de3cdce
|
||||
SHA512 (KEYS) = c149ef131b44cc261b9efc30510ab40837cd1a26d3c1167cd21be6e3ed1d158de4537b399a09824695fcc6e5280ba73f28f39cdf739815f534c535fd1c42d886
|
||||
|
||||