Verify GPG signature of upstream tarball when building the package

https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures

> Any detached signature file (e.g. foo.tar.gz.asc or foo.tar.gz.sig) must be
> uploaded to the package lookaside cache alongside the source code, while
> the keyring must be committed directly to the package SCM.

.gitignore

@@ -1 +1,2 @@
 /logrotate-[0-9.]*.tar.xz
+/logrotate-[0-9.]*.tar.xz.asc

kdudka.pgp

@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFgjU54BEACwGTSIP9AVBahlfv/y4snLRvlU4UWWqn8bxjh/GFTVs+l8gqOD
+3dT9AhbnMWfvr94nA6dXVVx8t8akn3ybVLKeii3vOSel8ayAnIXYjtowPh/TlheO
+BSo4EcVo0IFLtiUhC0XHMngITkr6mGphzKOAjS5Kur1j09tawhWMtgeDWw9dZnvc
+mH7f03mwvFv49YYqztaKcGvWlrLjj1O18Un5euGx18L+udG3RfeWMpzinwvcv2n7
+sH45FVqH6wu/okOJkXShsD883NRlz652knvzuUZNqcc+l/uNm8FVB8hH7qvKJu7P
+v1HpNSYlLqRpAREepYxdb/KJEJ5X3EoczLHM1zugB6cRi9REQ5rt1dqS8VOn5Svw
+v4OZZUjZf/LvAB3KOl5RI40pa8zAI/ymxTZ6qZzFOp7u8XEy3GzURrYBMKJIW03Z
+E61RI+7SJKr4yeboWSfYJbV6RQJyu8X77H9L0F6O+LHoLSoHIRmkcniwEMwl5THV
+tUl9Daxgey+qNq1twLLV6vx8f8eyuPCdeP6ZhhUhOH4sAyh0oGZMHxiNhAFeyRdo
+JqTXfgqLX39jwH54eJ3Cbhndwu47glipMO1HQX1XS5Rt7LfEMCTLUGSFW1xljLOI
+8d9fExEyTzJMVIsQJoaAvPEX4cfhcAUFQLijPkt29Wvv3WsAIVFEgoLMNwARAQAB
+tB9LYW1pbCBEdWRrYSA8a2R1ZGthQHJlZGhhdC5jb20+iQJUBBMBCAA+AhsDBQsJ
+CAcCBhUICQoLAgQWAgMBAh4BAheAFiEEmSqW4HUFbnnNghT5hz2zdXKjezYFAl+1
+eU8FCQ8W87EACgkQhz2zdXKjezaYpw//UwiegIs8Xe79CERudpz7AM0BbRE6VaAU
+QP1dMsTzIUU3HqpRrRfuCLIcbbUb7lCzAmu0SShvrt1ZUY87RXZQDJFsbHneHIKb
+wIxIr6bRtwv1+I9A6bIWYDPdjgost4v2O2GdvDegdC6aDFJa6p7uYF3YqR1GvlCN
+RC0DPvoZLIaHO7q+9o9WN6pe1OBmHdkzfJue9FmJxUhXGhaFGNQ/E9ahZRWv7D4e
+3fxH8B2lqgmLGAYsbMjgiOJFxcbIWMzltIj0hJ1x3ajUdY1B6rLf6QcgXnKJIXVR
+Svp0s283PfhnCzoXvKFvBuUaXQfNsW3MnIJFJEWDuy1TzMdK44AmQp8iQTGVIajd
+2Wdmxxd54dl3GjuHPXXJZ92DG5H52cC+4TZuM4yH9gvOxwtdIafOSkvtTHYh4POF
+piqiM67UG2a8JkW7CKPGFqfrdkM+yOfU31ouHL68q3XIpkB4z1f2w6mscdW2d7AQ
+3VLpb+WCeoWRy6HrRYAJZjs78Rea8N9dSzUOI2ac2OUR9Mqp6TMXed6V+6b1ogbI
+4I0Ni8562kPFxnjiTUhrcXNroBvQUktkEXjuk5ZOG/fJaL0lN39Cq9ImznCEGuvn
+mb+sZ//kH7N5w8tTc3mK4NvQw8LkDyS5LItx1H2Gzybxsl5d0OajJpUY4PZeppjH
+rxXke/QpXHq5Ag0EWCNTngEQALkRI0PUaVE9j19uyjINlxb/3nwKHmbTChQzPJFn
+adUwbmXfChmK/vyE8XBaIFIWSJ/94W9Y1/aGPlK4my7GqkiS4q6Lf32YWBNqihvH
+mxKuIYv2+6Z8E34yRFwmbA20RpZCy7AGIg0/LACfM4Bw+DVUhTRMl2O/muKrxd/O
+/WLn30RoYG+D4+mE0xJu+XsHivx2DqvdkKO+Rzo8131ByiWOk6P37McFtYiPjEjh
+ztTBcnNjd+a3xB/XDHd1Lcs7GmBqw0X10KnxC8xSzSqGSRFYF1aJYdxhayxXGJz/
+p1Dd6mt2eT46rYUGhFWlFH7FXGsWapR8ELY42clcFgGmQ7Yps+dZ6Kx8HnEYKsIY
+ONBqjS/dTKSrOMvkCSY0CwiCjKPM5uan5lQ9GMwbEZOQ5dcEVJOiVSfneeYpEjD/
+oyapPrDefdsCD5Gvt2kSbDZSDR5GeO8epZ02hu/zMQxDayqdLTxAaDByDVTvRCnc
+BLDcpvzXVAUdjIkfzDqZlLRgZu/8oNjOpWypUEE0mQfus6fDOLrt1h/0SqcJar70
+mi0QzBlOLrksJerXygDYJus80trCJPbr5DkCy2nQdfaeUissbt4kJTBirhhMtuyZ
+bBOQ42qm5pGef74hye1dCUddlBcb/BmIecsQ5a7EegKBDoU6ZsLcs5xnPgNwJa5U
+5VstABEBAAGJAjwEGAEIACYCGwwWIQSZKpbgdQVuec2CFPmHPbN1cqN7NgUCX7V5
+agUJDxbzzAAKCRCHPbN1cqN7NiVdEACGZX+sMSfpW47ARmsg9EsWh983SafWEi4V
+Gp3bRgOM3X4hwp8iFS/jpD8iNQpiRztSAx6s0l2pirAKFiKaaHrarVrYM4lrSoau
+J1LeWeAy9jHRstk21Iu/myM8gfBdl9tOlrdv5NhD98tCdE/2hTtOLlZbYboNl+ug
+0g/3yM4KPgqXLvVpS3QBoiueTfFoSawb20lZCcDon43BGg+wS/2j7Vu9Q1Dj3fEz
++QV4S7JvMFP6MYV2ITvj3xajXpRkuNG8s76o/u8m2PYQ77sAl+mN446Lp+bwdQeE
+s7j79i/2kk+djVDtgTGyRyDD/4drXOMtVKRpxDDp1YOl896cRP4PJWNK8oLlF8IY
+ItdhN/UijK6hZoXLyQDK/DQfmTjpGEQTzFCNW8CdwvTSjK7o6lJZtrv4R4rBJ3Sd
+kcr9rQO/uGlYblzX70iXQMKpiCb1xo3MBCUFfiq05sTNVzRNVleo9nVf0WhCgnl7
+M9Tojh31sra9IzDAy9exga8dD/tvnebYjXYmGXfQyrPAnSSTLSjAQmlNzgx8FM96
+WB+XJDJFALy/MV35XKi9c5SLE3hSPEhqrwnTQ5g3jOPrexhUZR6w0qDXVoQH/3p0
+vXqQ3yx3yrREeBOW6qhHeYk3w2z7EAg4nNovAHgd68zXE9ZfCAGfWIerZsOuhdHS
+lwvfpMesuQ==
+=XhUt
+-----END PGP PUBLIC KEY BLOCK-----

logrotate-3.19.0.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEmSqW4HUFbnnNghT5hz2zdXKjezYFAmHYAiwACgkQhz2zdXKj
-ezYGlA//cGjoPxXWWGpdY6RxUBf9LLVVdTObkcx5P/4IUalR1md49ysk3Cw8XrGG
-SbhFgTmrW4l+0ZRLaGXsSqEqKrMyUhGxQfRAOZIoOg3f84pPTG5evPcc3Xlp0o/C
-ki/SQdjregUdrizsASis9lqp5o94RtH5p5NcUjj2/C0vaH08WzVtasSXp7L+02an
-ewCytUYQJT32Nzukg1v1mY/+9il2yA1cXqU6IEkJR4opXvZ4kq6PMe0+AuQs0MkD
-3/qkWiP98RUmrWfx6lDUSSTOts3xmpuxzKwnRsaJk8rSAm4VSTDbfotPpjEQM0it
-+XtOzCiMdRLZ5hUzIerPdTs4SY696Usy6c58cwH6ocYuC3KQjZB8zhKJ4vbLH3bm
-c+AJM8KZ4ey5Dnexx4QXhS16dJDjS2682qBHOPCnXnR9b4S2N5HWQHj9M8pDiaAa
-ftafvq/13k4yziXn+pkUyKA6Ytx9VfVBpsMLfVAeJ93Q5K4pDbXc6UX0YXMxy660
-Ca1yG4sXhK0O9m8qPLUzBhcvzn8evAt08IXB/eDCEcwpOlH3xvxZt5aFikBM6der
-Am5w38WjecbNOEirKzBi6ksMPv/K1+6dTqMIIDkLIQchACV8kIIDjI3ptr50PhBn
-QS06qD7Oiy+BJQ/fSGhJtlaVbbk1+w0EzuWXXqE8E8V5B5Um1Xw=
-=pq5V
------END PGP SIGNATURE-----

logrotate.spec

@@ -1,16 +1,23 @@
 Summary: Rotates, compresses, removes and mails system log files
 Name: logrotate
 Version: 3.19.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 URL: https://github.com/logrotate/logrotate
 Source0: https://github.com/logrotate/logrotate/releases/download/%{version}/logrotate-%{version}.tar.xz
-Source1: rwtab
+Source1: https://github.com/logrotate/logrotate/releases/download/%{version}/logrotate-%{version}.tar.xz.asc
+
+# gpg --keyserver pgp.mit.edu --recv-key 992A96E075056E79CD8214F9873DB37572A37B36
+# gpg --output kdudka.pgp --armor --export kdudka@redhat.com
+Source2: kdudka.pgp
+
+Source3: rwtab
 
 BuildRequires: acl
 BuildRequires: automake
 BuildRequires: gcc
 BuildRequires: git
+BuildRequires: gnupg2
 BuildRequires: libacl-devel
 BuildRequires: libselinux-devel
 BuildRequires: make
@@ -31,6 +38,7 @@ Install the logrotate package if you need a utility to deal with the
 log files on your system.
 
 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -S git
 
 cat >> .gitignore << EOF
@@ -67,7 +75,7 @@ install -p -m 644 examples/logrotate.{service,timer} $RPM_BUILD_ROOT%{_unitdir}/
 
 # Make sure logrotate is able to run on read-only root
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d
-install -m644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/logrotate
+install -m644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/logrotate
 
 %pre
 # If /var/lib/logrotate/logrotate.status does not exist, create it and copy
@@ -107,6 +115,9 @@ fi
 %config(noreplace) %{_sysconfdir}/rwtab.d/logrotate
 
 %changelog
+* Tue Mar 15 2022 Kamil Dudka <kdudka@redhat.com> 3.19.0-3
+- verify GPG signature of upstream tarball when building the package
+
 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.19.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 

sources

@@ -1 +1,2 @@
 SHA512 (logrotate-3.19.0.tar.xz) = 7838e14a5b147f6e5edf6efdf743deeca39fdb563fc6f14aa010ac5b7bdef9c2bb8005415481d1b042b31975052d5ed6e75c4bcd7e378003427ebe5ec02a1f2c
+SHA512 (logrotate-3.19.0.tar.xz.asc) = 94cc6f255170e78690ac2a034abae2a593053278a4acd77b44a7ae8b9fcb76d428881ee6f45f28ebb0c2290a83615fc1a143d0d896dce385a37376d460732ed7