From 7f604f45f663a79ec15ac63a70fcacc8c6ca315d Mon Sep 17 00:00:00 2001
From: Michael J Gruber <mjg@fedoraproject.org>
Date: Wed, 31 Aug 2022 13:54:36 +0200
Subject: [PATCH] reenable signature verification

It was supposedly disabled in 2014 (but never implemented anyways). We
should check the signature (per guidelines), and we can, so let's do it.

The keyring is generated from gnupg.org's legacy public key block (our
tool deals with keyrings only), filtered for the relevant key of Werner
Koch only. It is expired as of today but was not at release time of the
packaged sources. Expect the keyring to change for the next release!
---
 .gitignore                                     |   1 +
 ...8692123C4065DEA5E0F3AB5249B39D24F25E3B6.gpg | Bin 0 -> 684 bytes
 npth.spec                                      |  17 ++++++++++++-----
 sources                                        |   1 +
 4 files changed, 14 insertions(+), 5 deletions(-)
 create mode 100644 gpgkey-D8692123C4065DEA5E0F3AB5249B39D24F25E3B6.gpg

diff --git a/.gitignore b/.gitignore
index d8719d1..7871b7b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@
 /npth-1.3.tar.bz2
 /npth-1.5.tar.bz2
 /npth-1.6.tar.bz2
+/npth-1.6.tar.bz2.sig
diff --git a/gpgkey-D8692123C4065DEA5E0F3AB5249B39D24F25E3B6.gpg b/gpgkey-D8692123C4065DEA5E0F3AB5249B39D24F25E3B6.gpg
new file mode 100644
index 0000000000000000000000000000000000000000..784b32afa55aa2b96df314eb0c158d7f62295f5f
GIT binary patch
literal 684
zcmV;d0#p5&0SyFAEsKEx2mq=Y(xqS6$o=WzloxW@%#c5%J0^^=wV}HG$p9%~*sh^d
zLQTj~?-RH>#!tRBTv^;3)95f4$qhqgw1eO%S^N{*SVEu<mXv_omd<Z|90OnjlDOcG
z@W3C(8Tt7LYbC8YwDH2C-##nj7ZD8q@*PSMMO6s?KzWy75@3OBgd!<?1~<DY96AS^
zoU@9O&Yo2tfT|9^PY!a!@=!(|O)>I1aEFC|$U}o9pc7+7W7AIk+`lfU4f$p)oXtz`
zB_i0p{?bhEc-(6+lNUgKtXFM_pNOrXj8FSW34!})#m34fP&0wl5E$mo#VV@gYZhzV
z5Mz4bhM+5=Nq^j35+MK)0RRE83;+OUaAyGk000000JIiYWpZw1av)1@V`v~KWNCAB
zAaiMFDX<Ix0B3M#0ssI20001q0aXMO0SEv;0viJc3ke7Z0|EvW2m%QT3j`Jd0|5da
z0Rk6*79j-KX(1!T23_i24?49Zn>o@?CF8aQ0$vQn83hRxp;tBl3JDM-n>o@?CF8aT
znFswHs)t&N{%I+i69gw{19Z(6xRCb1TPC&hW{I}Jb1jlz=oZq^sv<HREkr|q49mff
zJU~RJsr|tVXwRl|x&teTgu<kk{_cSj!21=WK=#Y6@c+2RI%q8QK2tIaG7Y`ATHcyG
zllHqhvAetmtDhqqo&vceqAnH)<dKO~-NWVsch4`PQ{-M#-%H3~^%pI{pCk}K^1-i-
zuNaHR=>vc>Q#IK)JeOZ`cdUQJwQJ&wQ8Q6?&VIyX*v~>zL(p064{PC6KQz91n&cUa
zmAjQ(U8iyJKvfNleDekIt&)_u#-?c|^J80`7KfE$<rWz&oy^orh#hg}MkY9RYN~Ru
S1^@$RaAyFp1^@$RaAyGY2_f_V

literal 0
HcmV?d00001

diff --git a/npth.spec b/npth.spec
index 3c9606d..77cc69b 100644
--- a/npth.spec
+++ b/npth.spec
@@ -1,16 +1,19 @@
 Name:           npth
 Version:        1.6
-Release:        9%{?dist}
+Release:        10%{?dist}
 Summary:        The New GNU Portable Threads library
 License:        LGPLv2+
 URL:            https://git.gnupg.org/cgi-bin/gitweb.cgi?p=npth.git
-Source:         https://gnupg.org/ftp/gcrypt/npth/%{name}-%{version}.tar.bz2
-#Source1:        ftp://ftp.gnupg.org/gcrypt/npth/npth-%{version}.tar.bz2.sig
+Source0:        https://gnupg.org/ftp/gcrypt/npth/%{name}-%{version}.tar.bz2
+Source1:        https://gnupg.org/ftp/gcrypt/npth/%{name}-%{version}.tar.bz2.sig
+# Keyring generated from https://gnupg.org/devel/old-signature-keys.asc
+Source2:        gpgkey-D8692123C4065DEA5E0F3AB5249B39D24F25E3B6.gpg
 # Manual page is re-used and changed pth-config.1 from pth-devel package
-Source2:        npth-config.1
+Source3:        npth-config.1
 
 BuildRequires:  make
 BuildRequires:  gcc
+BuildRequires:  gnupg2
 
 %description
 nPth is a non-preemptive threads implementation using an API very similar
@@ -28,6 +31,7 @@ This package contains libraries and header files for
 developing applications that use %{name}.
 
 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup
 
 %build
@@ -36,7 +40,7 @@ developing applications that use %{name}.
 
 %install
 %make_install
-install -Dpm0644 -t %{buildroot}%{_mandir}/man1 %{S:2}
+install -Dpm0644 -t %{buildroot}%{_mandir}/man1 %{S:3}
 find %{buildroot} -name '*.la' -delete -print
 
 %check
@@ -57,6 +61,9 @@ make check
 %{_datadir}/aclocal/%{name}.m4
 
 %changelog
+* Wed Aug 31 2022 Michael J Gruber <mjg@fedoraproject.org> - 1.6-10
+- reenable signature verification
+
 * Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.6-9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 
diff --git a/sources b/sources
index 46af25d..6f6c4b4 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
 SHA512 (npth-1.6.tar.bz2) = 2ed1012e14a9d10665420b9a23628be7e206fd9348111ec751349b93557ee69f1176bcf7e6b195b35b1c44a5e0e81ee33b713f03d79a33d1ecd9037035afeda2
+SHA512 (npth-1.6.tar.bz2.sig) = 9f466a94b686ec07b5acac7844a1a116059998c8dc00ca6761557706e7529a9b62322d23ce0c25d3379f67168ca62c3b720d6090eb1174b5352a018ea1b900c2