diff --git a/SOURCES/gpgverify b/SOURCES/gpgverify new file mode 100755 index 0000000..524a396 --- /dev/null +++ b/SOURCES/gpgverify @@ -0,0 +1,111 @@ +#!/bin/bash + +# Copyright 2018 B. Persson, Bjorn@Rombobeorn.se +# +# This material is provided as is, with absolutely no warranty expressed +# or implied. Any use is at your own risk. +# +# Permission is hereby granted to use or copy this shellscript +# for any purpose, provided the above notices are retained on all copies. +# Permission to modify the code and to distribute modified code is granted, +# provided the above notices are retained, and a notice that the code was +# modified is included with the above copyright notice. + + +function print_help { + cat <<'EOF' +Usage: gpgverify --keyring= --signature= --data= + +gpgverify is a wrapper around gpgv designed for easy and safe scripting. It +verifies a file against a detached OpenPGP signature and a keyring. The keyring +shall contain all the keys that are trusted to certify the authenticity of the +file, and must not contain any untrusted keys. + +The differences, compared to invoking gpgv directly, are that gpgverify accepts +the keyring in either ASCII-armored or unarmored form, and that it will not +accidentally use a default keyring in addition to the specified one. + +Parameters: + --keyring= keyring with all the trusted keys and no others + --signature= detached signature to verify + --data= file to verify against the signature +EOF +} + + +fatal_error() { + message="$1" # an error message + status=$2 # a number to use as the exit code + echo "gpgverify: $message" >&2 + exit $status +} + + +require_parameter() { + term="$1" # a term for a required parameter + value="$2" # Complain and terminate if this value is empty. + if test -z "${value}" ; then + fatal_error "No ${term} was provided." 2 + fi +} + + +check_status() { + action="$1" # a string that describes the action that was attempted + status=$2 # the exit code of the command + if test $status -ne 0 ; then + fatal_error "$action failed." $status + fi +} + + +# Parse the command line. +keyring= +signature= +data= +for parameter in "$@" ; do + case "${parameter}" in + (--help) + print_help + exit + ;; + (--keyring=*) + keyring="${parameter#*=}" + ;; + (--signature=*) + signature="${parameter#*=}" + ;; + (--data=*) + data="${parameter#*=}" + ;; + (*) + fatal_error "Unknown parameter: \"${parameter}\"" 2 + ;; + esac +done +require_parameter 'keyring' "${keyring}" +require_parameter 'signature' "${signature}" +require_parameter 'data file' "${data}" + +# Make a temporary working directory. +workdir="$(mktemp --directory)" +check_status 'Making a temporary directory' $? +workring="${workdir}/keyring.gpg" + +# Decode any ASCII armor on the keyring. This is harmless if the keyring isn't +# ASCII-armored. +gpg2 --homedir="${workdir}" --yes --output="${workring}" --dearmor "${keyring}" +check_status 'Decoding the keyring' $? + +# Verify the signature using the decoded keyring. +gpgv2 --homedir="${workdir}" --keyring="${workring}" "${signature}" "${data}" +check_status 'Signature verification' $? + +# (--homedir isn't actually necessary. --dearmor processes only the input file, +# and if --keyring is used and contains a slash, then gpgv2 uses only that +# keyring. Thus neither command will look for a default keyring, but --homedir +# makes extra double sure that no default keyring will be touched in case +# another version of GPG works differently.) + +# Clean up. (This is not done in case of an error that may need inspection.) +rm --recursive --force ${workdir} diff --git a/SOURCES/macros.kernel-srpm b/SOURCES/macros.kernel-srpm new file mode 100644 index 0000000..c7110f6 --- /dev/null +++ b/SOURCES/macros.kernel-srpm @@ -0,0 +1,3 @@ +# kernel_arches lists what arches the full kernel is built for. + +%kernel_arches x86_64 s390x ppc64le aarch64 %{arm} diff --git a/SPECS/redhat-rpm-config.spec b/SPECS/redhat-rpm-config.spec index 7f8b443..8f6ac23 100644 --- a/SPECS/redhat-rpm-config.spec +++ b/SPECS/redhat-rpm-config.spec @@ -6,7 +6,7 @@ Summary: Red Hat specific rpm configuration files Name: redhat-rpm-config -Version: 123 +Version: 124 Release: 1%{?dist} # No version specified. License: GPL+ @@ -45,6 +45,7 @@ Source151: macros.kmp Source152: macros.vpath Source153: macros.forge Source154: macros.ldconfig +Source155: macros.kernel-srpm # Build policy scripts # this comes from https://github.com/rpm-software-management/rpm/pull/344 @@ -65,6 +66,7 @@ Source400: dist.sh Source401: rpmsort Source402: symset-table Source403: kmodtool +Source404: gpgverify # 2016-10-02 snapshots from http://git.savannah.gnu.org/gitweb/?p=config.git Source500: config.guess @@ -143,6 +145,7 @@ install -p -m 444 -t %{buildroot}%{rrcdir} redhat-hardened-* install -p -m 444 -t %{buildroot}%{rrcdir} redhat-annobin-* install -p -m 755 -t %{buildroot}%{rrcdir} config.* install -p -m 755 -t %{buildroot}%{rrcdir} dist.sh rpmsort symset-table kmodtool +install -p -m 755 -t %{buildroot}%{rrcdir} gpgverify install -p -m 755 -t %{buildroot}%{rrcdir} brp-* install -p -m 755 -t %{buildroot}%{rrcdir} find-* @@ -168,6 +171,7 @@ install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh %{rrcdir}/brp-mangle-shebangs %{rrcdir}/brp-ldconfig %{rrcdir}/dist.sh +%{rrcdir}/gpgverify %{rrcdir}/redhat-hardened-* %{rrcdir}/redhat-annobin-* %{rrcdir}/config.* @@ -181,6 +185,7 @@ install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh %{_rpmconfigdir}/macros.d/macros.forge %{_rpmconfigdir}/macros.d/macros.ldconfig %{_rpmconfigdir}/macros.d/macros.vpath +%{_rpmconfigdir}/macros.d/macros.kernel-srpm %{_rpmconfigdir}/kabi.sh %doc buildflags.md @@ -198,6 +203,10 @@ install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh %{_rpmconfigdir}/macros.d/macros.kmp %changelog +* Mon Nov 09 2020 Florian Festi - 124-1 +- Add macros.kernel-srpm (#1874578) +- Added gpgverify (#1874576) + * Tue Jun 16 2020 Florian Festi - 123-1 - Update kmod.prov for better performance (#1794491) - Backport performance improvements for brp-mangle-shebangs (#1794779)