From b5438aa64515815af3e5615cdbf9422f26fb90df Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 11 May 2023 10:27:06 +0200 Subject: [PATCH] verify GPG signature of upstream tarball --- nghttp2.spec | 7 +++++++ tatsuhiro-t.pgp | 39 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 tatsuhiro-t.pgp diff --git a/nghttp2.spec b/nghttp2.spec index c0244c7..70867fe 100644 --- a/nghttp2.spec +++ b/nghttp2.spec @@ -5,6 +5,8 @@ Release: 1%{?dist} License: MIT URL: https://nghttp2.org/ Source0: https://github.com/tatsuhiro-t/nghttp2/releases/download/v%{version}/nghttp2-%{version}.tar.xz +Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc +Source2: tatsuhiro-t.pgp BuildRequires: CUnit-devel BuildRequires: c-ares-devel @@ -17,6 +19,9 @@ BuildRequires: python3-devel BuildRequires: systemd-rpm-macros BuildRequires: zlib-devel +# For gpg verification of source tarball +BuildRequires: gnupg2 + Requires: libnghttp2%{?_isa} = %{version}-%{release} %{?systemd_requires} @@ -43,6 +48,7 @@ for building applications with libnghttp2. %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %setup -q # make fetch-ocsp-response use Python 3 @@ -115,6 +121,7 @@ export "LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" %changelog * Thu May 11 2023 Kamil Dudka 1.53.0-1 +- verify GPG signature of upstream tarball - update to the latest upstream release * Tue Feb 14 2023 Kamil Dudka 1.52.0-1 diff --git a/tatsuhiro-t.pgp b/tatsuhiro-t.pgp new file mode 100644 index 0000000..acd91ba --- /dev/null +++ b/tatsuhiro-t.pgp @@ -0,0 +1,39 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGiBEmgJCARBACDsyRcJt0cPqS5I3nooSD4ETmsqXSGoA1QP0NcD3mMDIxfwOk3 +ZgaLAhQTpylqzYu4uQ5lDcvkpZtN8cA+R+9Bxq1VcY5Jra4t93Eyxd/14oufgg8w +GLZ8q2otuUliL+RWPEuuBLNJFrdHeLfITBX88ZyHz8tu0kpWBBVBLb5yYwCg3OmH +L59aPl0TIoKGIL/xYs80ixcD/3PA9z6SbChDHRKA647Smrw6QuQHl7Uubg6LYYxz +FoxeN3F/grZHNJyUzlkdraIcWWYi1Dr0D28TnuQUbPoj7ju248iPRv2ZEr7OpV9j +RksxJIBqzC698XwPuq2Jo8iBNgE2t25aY9UHXxehqg6zkyR1bdhFzDV1cEKGkU62 +TAnvA/9tB77GiQ9H02oybfqYrdxrWCou3kRa7owd/tBqRMkzH4Vt86VIXwVdsMn1 +sGeF4YGUqwY7GCT+jviFCdvGTRqeCJgaLJAYE8hSFIxpDTdUNxaPxwuOd3Jq5BKC +U7boXpLlAcdh47CMk4qvIDZfBb2iVjZCN1yFI9R/TCH7JCT9NLQrVGF0c3VoaXJv +IFRzdWppa2F3YSA8dGF0c3VoaXJvLnRAZ21haWwuY29tPohgBBMRAgAgBQJJoCQg +AhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQfoQD1dZzw2YoTgCgmzKU0uK/ +fr2nVqYondsxppQS83wAoIPlXaxcUV39DvA7/Rui6+rBNljmuQQNBEmgJCAQEADi +J5vXLb+y5g2kQApYk/iPqlJV02jHX7VJnWwivfQNq0F56TiiAZx9B6QR71pShkv8 +L4FgdmuNPcxamh4LAiVsiE3lW5dnlt6cp5bmWvNOTDZIojbxSfS4ZhQmt3Ij4vJ5 +fnlgUeaLDzXqeuO5ezMZvpsoBcDMvPCnv8R28JX0z1LIjA42sC85Kvd8EeB7uyGJ +q0qzU7OMP6JdxN2IwvdGiqXAAHI2KZOU9Pp4Kvg4qj8v3ELXrhlrZVye6PAmbufJ +Gdcg73EEabhoWutzt1h++qUkhzSQRUoTIqa2DWyE/bTPGlxqKgHmur5okBn5iwcr +BijhE6d8AvBqlopxyHHIEsZ4YswvLR8VcOt//aT1ArYdrxAfyjujvimoW1+gDjsA ++Hc1wlrYW6uLgHwFIzQFOi4Yt/+hw26dlqJhO9pnK8vwpPsMnvkfHQx5A7EeZhpN +g1YIDhPEO+RSk81Gs0Y1xzJjLulncxlzprX6xmyZK/B2dQZy4XFl5K02Q7Zas++x +z70JvwOC8kDu117jb3QtersJHt09SGywCrkaU6P8+iKxPd2PEwaPWKqu4n7IpLZu +2Kg5GXO1h80fqhPSRJGbj5a6YVvfVHoRPaUL34Y4yYPxPVxjpgYR6ohhhoyURA4w ++qkhugcbYM9/wQTbwhgLc5mG62bq+WVkhehaGFOCwwADBRAAkzofRfa6dNtZC8kp +4bTmTydRCRrAAjUvCtRNL+PjB6JpTsIru/w6dR2i3TYDnUOBNkvVLUNG+Sk6fsR2 +CcEefsa4AQwRb8G33FATsewFbImSrBNT9R5hr+hR33XWxo0KAcXrucnaboidQOBK +lDD0SEC6eBexVXa4/h9qum4Qmj0u9XBBqMqEOJY/Mao5SJ8EWZV+UAszgJdmHDvq +s9+1425NuzuG9/KQzx/5wWjQmtAHikE/oFQ1RZ3hWxRpe4YmsrKQuVqwHRfIjCrB +MdBteldVr4NN0eUqfnrXgTpInXSsUstDr1/04u2Q3+spQUjJOcZ+IluPLfr12EAH +UKc9/2CT6cLmBVEl2s2PijC5EoxH3UA2KkxcxBy5LleKvF5FZ3MHbXaj2RLMLBlW +aGhlFF2H85EEmq73Ex5ncLPT4BW2rHrkwdUOOXCN8riUZr42E3K+GTyfGyRbU9Ar +MBP62ytvamwBO9O+E6sJCVraoho4a2ERORh5PQzEot1Tmyf4u6AQf1+JVMn2yThc +ilRKWD1Q/AfEAibVbPANkXXjX5pZkIRc1Eunq5afYf2ixyS96RSjc6EZ+euaaaFC +96+MdDtlycafZIXYNgiNkrrm8mzPCb2i8tmF9aPnGYBknsnFLlda3Zz4afFDKyLN +LYRvqAujonL+HBOLW2InmeD5p6SISQQYEQIACQUCSaAkIAIbDAAKCRB+hAPV1nPD +ZqpZAJ9Kw73IdA3hw+wQEen991bFlMzHfQCgtG/GMjXB246Qt9XPVvToTSFJQPo= +=2agh +-----END PGP PUBLIC KEY BLOCK-----