reenable signature verification

It was supposedly disabled in 2014 (but never implemented anyways). We should check the signature (per guidelines), and we can, so let's do it. The keyring is generated from gnupg.org's legacy public key block (our tool deals with keyrings only), filtered for the relevant key of Werner Koch only. It is expired as of today but was not at release time of the packaged sources. Expect the keyring to change for the next release!
2022-08-31 13:54:36 +02:00 · 2022-08-31 13:54:36 +02:00 · 7f604f45f6
commit 7f604f45f6
parent 0324f9b918
4 changed files with 14 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -5,3 +5,4 @@
 /npth-1.3.tar.bz2
 /npth-1.5.tar.bz2
 /npth-1.6.tar.bz2
+/npth-1.6.tar.bz2.sig
--- a/gpgkey-D8692123C4065DEA5E0F3AB5249B39D24F25E3B6.gpg
+++ b/gpgkey-D8692123C4065DEA5E0F3AB5249B39D24F25E3B6.gpg
--- a/npth.spec
+++ b/npth.spec
@ -1,16 +1,19 @@
 Name:           npth
 Version:        1.6
-Release:        9%{?dist}
+Release:        10%{?dist}
 Summary:        The New GNU Portable Threads library
 License:        LGPLv2+
 URL:            https://git.gnupg.org/cgi-bin/gitweb.cgi?p=npth.git
-Source:         https://gnupg.org/ftp/gcrypt/npth/%{name}-%{version}.tar.bz2
-#Source1:        ftp://ftp.gnupg.org/gcrypt/npth/npth-%{version}.tar.bz2.sig
+Source0:        https://gnupg.org/ftp/gcrypt/npth/%{name}-%{version}.tar.bz2
+Source1:        https://gnupg.org/ftp/gcrypt/npth/%{name}-%{version}.tar.bz2.sig
+# Keyring generated from https://gnupg.org/devel/old-signature-keys.asc
+Source2:        gpgkey-D8692123C4065DEA5E0F3AB5249B39D24F25E3B6.gpg
 # Manual page is re-used and changed pth-config.1 from pth-devel package
-Source2:        npth-config.1
+Source3:        npth-config.1

 BuildRequires:  make
 BuildRequires:  gcc
+BuildRequires:  gnupg2

 %description
 nPth is a non-preemptive threads implementation using an API very similar
@ -28,6 +31,7 @@ This package contains libraries and header files for
 developing applications that use %{name}.

 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup

 %build
@ -36,7 +40,7 @@ developing applications that use %{name}.

 %install
 %make_install
-install -Dpm0644 -t %{buildroot}%{_mandir}/man1 %{S:2}
+install -Dpm0644 -t %{buildroot}%{_mandir}/man1 %{S:3}
 find %{buildroot} -name '*.la' -delete -print

 %check
@ -57,6 +61,9 @@ make check
 %{_datadir}/aclocal/%{name}.m4

 %changelog
+* Wed Aug 31 2022 Michael J Gruber <mjg@fedoraproject.org> - 1.6-10
+- reenable signature verification
+
 * Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.6-9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild

--- a/1
+++ b/1
@ -1 +1,2 @@
 SHA512 (npth-1.6.tar.bz2) = 2ed1012e14a9d10665420b9a23628be7e206fd9348111ec751349b93557ee69f1176bcf7e6b195b35b1c44a5e0e81ee33b713f03d79a33d1ecd9037035afeda2
+SHA512 (npth-1.6.tar.bz2.sig) = 9f466a94b686ec07b5acac7844a1a116059998c8dc00ca6761557706e7529a9b62322d23ce0c25d3379f67168ca62c3b720d6090eb1174b5352a018ea1b900c2