From 801f8124bab0c6738757252544001bca7cdd1eb0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Tue, 15 Mar 2022 15:06:56 +0100 Subject: [PATCH] Verify GPG signature of upstream tarball when building the package https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures > Any detached signature file (e.g. foo.tar.gz.asc or foo.tar.gz.sig) must be > uploaded to the package lookaside cache alongside the source code, while > the keyring must be committed directly to the package SCM. --- .gitignore | 1 + kdudka.pgp | 52 +++++++++++++++++++++++++++++++++++++ logrotate-3.19.0.tar.xz.asc | 16 ------------ logrotate.spec | 17 +++++++++--- sources | 1 + 5 files changed, 68 insertions(+), 19 deletions(-) create mode 100644 kdudka.pgp delete mode 100644 logrotate-3.19.0.tar.xz.asc diff --git a/.gitignore b/.gitignore index 71bf3ec..526fe06 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ /logrotate-[0-9.]*.tar.xz +/logrotate-[0-9.]*.tar.xz.asc diff --git a/kdudka.pgp b/kdudka.pgp new file mode 100644 index 0000000..ee89e90 --- /dev/null +++ b/kdudka.pgp @@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFgjU54BEACwGTSIP9AVBahlfv/y4snLRvlU4UWWqn8bxjh/GFTVs+l8gqOD +3dT9AhbnMWfvr94nA6dXVVx8t8akn3ybVLKeii3vOSel8ayAnIXYjtowPh/TlheO +BSo4EcVo0IFLtiUhC0XHMngITkr6mGphzKOAjS5Kur1j09tawhWMtgeDWw9dZnvc +mH7f03mwvFv49YYqztaKcGvWlrLjj1O18Un5euGx18L+udG3RfeWMpzinwvcv2n7 +sH45FVqH6wu/okOJkXShsD883NRlz652knvzuUZNqcc+l/uNm8FVB8hH7qvKJu7P +v1HpNSYlLqRpAREepYxdb/KJEJ5X3EoczLHM1zugB6cRi9REQ5rt1dqS8VOn5Svw +v4OZZUjZf/LvAB3KOl5RI40pa8zAI/ymxTZ6qZzFOp7u8XEy3GzURrYBMKJIW03Z +E61RI+7SJKr4yeboWSfYJbV6RQJyu8X77H9L0F6O+LHoLSoHIRmkcniwEMwl5THV +tUl9Daxgey+qNq1twLLV6vx8f8eyuPCdeP6ZhhUhOH4sAyh0oGZMHxiNhAFeyRdo +JqTXfgqLX39jwH54eJ3Cbhndwu47glipMO1HQX1XS5Rt7LfEMCTLUGSFW1xljLOI +8d9fExEyTzJMVIsQJoaAvPEX4cfhcAUFQLijPkt29Wvv3WsAIVFEgoLMNwARAQAB +tB9LYW1pbCBEdWRrYSA8a2R1ZGthQHJlZGhhdC5jb20+iQJUBBMBCAA+AhsDBQsJ +CAcCBhUICQoLAgQWAgMBAh4BAheAFiEEmSqW4HUFbnnNghT5hz2zdXKjezYFAl+1 +eU8FCQ8W87EACgkQhz2zdXKjezaYpw//UwiegIs8Xe79CERudpz7AM0BbRE6VaAU +QP1dMsTzIUU3HqpRrRfuCLIcbbUb7lCzAmu0SShvrt1ZUY87RXZQDJFsbHneHIKb +wIxIr6bRtwv1+I9A6bIWYDPdjgost4v2O2GdvDegdC6aDFJa6p7uYF3YqR1GvlCN +RC0DPvoZLIaHO7q+9o9WN6pe1OBmHdkzfJue9FmJxUhXGhaFGNQ/E9ahZRWv7D4e +3fxH8B2lqgmLGAYsbMjgiOJFxcbIWMzltIj0hJ1x3ajUdY1B6rLf6QcgXnKJIXVR +Svp0s283PfhnCzoXvKFvBuUaXQfNsW3MnIJFJEWDuy1TzMdK44AmQp8iQTGVIajd +2Wdmxxd54dl3GjuHPXXJZ92DG5H52cC+4TZuM4yH9gvOxwtdIafOSkvtTHYh4POF +piqiM67UG2a8JkW7CKPGFqfrdkM+yOfU31ouHL68q3XIpkB4z1f2w6mscdW2d7AQ +3VLpb+WCeoWRy6HrRYAJZjs78Rea8N9dSzUOI2ac2OUR9Mqp6TMXed6V+6b1ogbI +4I0Ni8562kPFxnjiTUhrcXNroBvQUktkEXjuk5ZOG/fJaL0lN39Cq9ImznCEGuvn +mb+sZ//kH7N5w8tTc3mK4NvQw8LkDyS5LItx1H2Gzybxsl5d0OajJpUY4PZeppjH +rxXke/QpXHq5Ag0EWCNTngEQALkRI0PUaVE9j19uyjINlxb/3nwKHmbTChQzPJFn +adUwbmXfChmK/vyE8XBaIFIWSJ/94W9Y1/aGPlK4my7GqkiS4q6Lf32YWBNqihvH +mxKuIYv2+6Z8E34yRFwmbA20RpZCy7AGIg0/LACfM4Bw+DVUhTRMl2O/muKrxd/O +/WLn30RoYG+D4+mE0xJu+XsHivx2DqvdkKO+Rzo8131ByiWOk6P37McFtYiPjEjh +ztTBcnNjd+a3xB/XDHd1Lcs7GmBqw0X10KnxC8xSzSqGSRFYF1aJYdxhayxXGJz/ +p1Dd6mt2eT46rYUGhFWlFH7FXGsWapR8ELY42clcFgGmQ7Yps+dZ6Kx8HnEYKsIY +ONBqjS/dTKSrOMvkCSY0CwiCjKPM5uan5lQ9GMwbEZOQ5dcEVJOiVSfneeYpEjD/ +oyapPrDefdsCD5Gvt2kSbDZSDR5GeO8epZ02hu/zMQxDayqdLTxAaDByDVTvRCnc +BLDcpvzXVAUdjIkfzDqZlLRgZu/8oNjOpWypUEE0mQfus6fDOLrt1h/0SqcJar70 +mi0QzBlOLrksJerXygDYJus80trCJPbr5DkCy2nQdfaeUissbt4kJTBirhhMtuyZ +bBOQ42qm5pGef74hye1dCUddlBcb/BmIecsQ5a7EegKBDoU6ZsLcs5xnPgNwJa5U +5VstABEBAAGJAjwEGAEIACYCGwwWIQSZKpbgdQVuec2CFPmHPbN1cqN7NgUCX7V5 +agUJDxbzzAAKCRCHPbN1cqN7NiVdEACGZX+sMSfpW47ARmsg9EsWh983SafWEi4V +Gp3bRgOM3X4hwp8iFS/jpD8iNQpiRztSAx6s0l2pirAKFiKaaHrarVrYM4lrSoau +J1LeWeAy9jHRstk21Iu/myM8gfBdl9tOlrdv5NhD98tCdE/2hTtOLlZbYboNl+ug +0g/3yM4KPgqXLvVpS3QBoiueTfFoSawb20lZCcDon43BGg+wS/2j7Vu9Q1Dj3fEz ++QV4S7JvMFP6MYV2ITvj3xajXpRkuNG8s76o/u8m2PYQ77sAl+mN446Lp+bwdQeE +s7j79i/2kk+djVDtgTGyRyDD/4drXOMtVKRpxDDp1YOl896cRP4PJWNK8oLlF8IY +ItdhN/UijK6hZoXLyQDK/DQfmTjpGEQTzFCNW8CdwvTSjK7o6lJZtrv4R4rBJ3Sd +kcr9rQO/uGlYblzX70iXQMKpiCb1xo3MBCUFfiq05sTNVzRNVleo9nVf0WhCgnl7 +M9Tojh31sra9IzDAy9exga8dD/tvnebYjXYmGXfQyrPAnSSTLSjAQmlNzgx8FM96 +WB+XJDJFALy/MV35XKi9c5SLE3hSPEhqrwnTQ5g3jOPrexhUZR6w0qDXVoQH/3p0 +vXqQ3yx3yrREeBOW6qhHeYk3w2z7EAg4nNovAHgd68zXE9ZfCAGfWIerZsOuhdHS +lwvfpMesuQ== +=XhUt +-----END PGP PUBLIC KEY BLOCK----- diff --git a/logrotate-3.19.0.tar.xz.asc b/logrotate-3.19.0.tar.xz.asc deleted file mode 100644 index 0a87dbb..0000000 --- a/logrotate-3.19.0.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEmSqW4HUFbnnNghT5hz2zdXKjezYFAmHYAiwACgkQhz2zdXKj -ezYGlA//cGjoPxXWWGpdY6RxUBf9LLVVdTObkcx5P/4IUalR1md49ysk3Cw8XrGG -SbhFgTmrW4l+0ZRLaGXsSqEqKrMyUhGxQfRAOZIoOg3f84pPTG5evPcc3Xlp0o/C -ki/SQdjregUdrizsASis9lqp5o94RtH5p5NcUjj2/C0vaH08WzVtasSXp7L+02an -ewCytUYQJT32Nzukg1v1mY/+9il2yA1cXqU6IEkJR4opXvZ4kq6PMe0+AuQs0MkD -3/qkWiP98RUmrWfx6lDUSSTOts3xmpuxzKwnRsaJk8rSAm4VSTDbfotPpjEQM0it -+XtOzCiMdRLZ5hUzIerPdTs4SY696Usy6c58cwH6ocYuC3KQjZB8zhKJ4vbLH3bm -c+AJM8KZ4ey5Dnexx4QXhS16dJDjS2682qBHOPCnXnR9b4S2N5HWQHj9M8pDiaAa -ftafvq/13k4yziXn+pkUyKA6Ytx9VfVBpsMLfVAeJ93Q5K4pDbXc6UX0YXMxy660 -Ca1yG4sXhK0O9m8qPLUzBhcvzn8evAt08IXB/eDCEcwpOlH3xvxZt5aFikBM6der -Am5w38WjecbNOEirKzBi6ksMPv/K1+6dTqMIIDkLIQchACV8kIIDjI3ptr50PhBn -QS06qD7Oiy+BJQ/fSGhJtlaVbbk1+w0EzuWXXqE8E8V5B5Um1Xw= -=pq5V ------END PGP SIGNATURE----- diff --git a/logrotate.spec b/logrotate.spec index 8ee6aa1..c1ab200 100644 --- a/logrotate.spec +++ b/logrotate.spec @@ -1,16 +1,23 @@ Summary: Rotates, compresses, removes and mails system log files Name: logrotate Version: 3.19.0 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ URL: https://github.com/logrotate/logrotate Source0: https://github.com/logrotate/logrotate/releases/download/%{version}/logrotate-%{version}.tar.xz -Source1: rwtab +Source1: https://github.com/logrotate/logrotate/releases/download/%{version}/logrotate-%{version}.tar.xz.asc + +# gpg --keyserver pgp.mit.edu --recv-key 992A96E075056E79CD8214F9873DB37572A37B36 +# gpg --output kdudka.pgp --armor --export kdudka@redhat.com +Source2: kdudka.pgp + +Source3: rwtab BuildRequires: acl BuildRequires: automake BuildRequires: gcc BuildRequires: git +BuildRequires: gnupg2 BuildRequires: libacl-devel BuildRequires: libselinux-devel BuildRequires: make @@ -31,6 +38,7 @@ Install the logrotate package if you need a utility to deal with the log files on your system. %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -S git cat >> .gitignore << EOF @@ -67,7 +75,7 @@ install -p -m 644 examples/logrotate.{service,timer} $RPM_BUILD_ROOT%{_unitdir}/ # Make sure logrotate is able to run on read-only root mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d -install -m644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/logrotate +install -m644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/logrotate %pre # If /var/lib/logrotate/logrotate.status does not exist, create it and copy @@ -107,6 +115,9 @@ fi %config(noreplace) %{_sysconfdir}/rwtab.d/logrotate %changelog +* Tue Mar 15 2022 Kamil Dudka 3.19.0-3 +- verify GPG signature of upstream tarball when building the package + * Thu Jan 20 2022 Fedora Release Engineering - 3.19.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild diff --git a/sources b/sources index 23cdb33..68a087d 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ SHA512 (logrotate-3.19.0.tar.xz) = 7838e14a5b147f6e5edf6efdf743deeca39fdb563fc6f14aa010ac5b7bdef9c2bb8005415481d1b042b31975052d5ed6e75c4bcd7e378003427ebe5ec02a1f2c +SHA512 (logrotate-3.19.0.tar.xz.asc) = 94cc6f255170e78690ac2a034abae2a593053278a4acd77b44a7ae8b9fcb76d428881ee6f45f28ebb0c2290a83615fc1a143d0d896dce385a37376d460732ed7