import redhat-rpm-config-125-1.el8

2021-05-18 02:48:30 -04:00 · 2021-05-18 02:48:30 -04:00 · a95bffd78c
parent 678b3cc9bf
commit a95bffd78c
4 changed files with 208 additions and 1 deletions
--- a/SOURCES/gpgverify
+++ b/SOURCES/gpgverify
@ -0,0 +1,111 @@
+#!/bin/bash
+
+# Copyright 2018 B. Persson, Bjorn@Rombobeorn.se
+#
+# This material is provided as is, with absolutely no warranty expressed
+# or implied. Any use is at your own risk.
+#
+# Permission is hereby granted to use or copy this shellscript
+# for any purpose, provided the above notices are retained on all copies.
+# Permission to modify the code and to distribute modified code is granted,
+# provided the above notices are retained, and a notice that the code was
+# modified is included with the above copyright notice.
+
+
+function print_help {
+    cat <<'EOF'
+Usage: gpgverify --keyring=<pathname> --signature=<pathname> --data=<pathname>
+
+gpgverify is a wrapper around gpgv designed for easy and safe scripting. It
+verifies a file against a detached OpenPGP signature and a keyring. The keyring
+shall contain all the keys that are trusted to certify the authenticity of the
+file, and must not contain any untrusted keys.
+
+The differences, compared to invoking gpgv directly, are that gpgverify accepts
+the keyring in either ASCII-armored or unarmored form, and that it will not
+accidentally use a default keyring in addition to the specified one.
+
+Parameters:
+  --keyring=<pathname>    keyring with all the trusted keys and no others
+  --signature=<pathname>  detached signature to verify
+  --data=<pathname>       file to verify against the signature
+EOF
+}
+
+
+fatal_error() {
+    message="$1"  # an error message
+    status=$2     # a number to use as the exit code
+    echo "gpgverify: $message" >&2
+    exit $status
+}
+
+
+require_parameter() {
+    term="$1"   # a term for a required parameter
+    value="$2"  # Complain and terminate if this value is empty.
+    if test -z "${value}" ; then
+        fatal_error "No ${term} was provided." 2
+    fi
+}
+
+
+check_status() {
+    action="$1"  # a string that describes the action that was attempted
+    status=$2    # the exit code of the command
+    if test $status -ne 0 ; then
+        fatal_error "$action failed." $status
+    fi
+}
+
+
+# Parse the command line.
+keyring=
+signature=
+data=
+for parameter in "$@" ; do
+    case "${parameter}" in
+        (--help)
+            print_help
+            exit
+            ;;
+        (--keyring=*)
+            keyring="${parameter#*=}"
+            ;;
+        (--signature=*)
+            signature="${parameter#*=}"
+            ;;
+        (--data=*)
+            data="${parameter#*=}"
+            ;;
+        (*)
+            fatal_error "Unknown parameter: \"${parameter}\"" 2
+            ;;
+    esac
+done
+require_parameter 'keyring' "${keyring}"
+require_parameter 'signature' "${signature}"
+require_parameter 'data file' "${data}"
+
+# Make a temporary working directory.
+workdir="$(mktemp --directory)"
+check_status 'Making a temporary directory' $?
+workring="${workdir}/keyring.gpg"
+
+# Decode any ASCII armor on the keyring. This is harmless if the keyring isn't
+# ASCII-armored.
+gpg2 --homedir="${workdir}" --yes --output="${workring}" --dearmor "${keyring}"
+check_status 'Decoding the keyring' $?
+
+# Verify the signature using the decoded keyring.
+gpgv2 --homedir="${workdir}" --keyring="${workring}" "${signature}" "${data}"
+check_status 'Signature verification' $?
+
+# (--homedir isn't actually necessary. --dearmor processes only the input file,
+# and if --keyring is used and contains a slash, then gpgv2 uses only that
+# keyring. Thus neither command will look for a default keyring, but --homedir
+# makes extra double sure that no default keyring will be touched in case
+# another version of GPG works differently.)
+
+# Clean up. (This is not done in case of an error that may need inspection.)
+rm --recursive --force ${workdir}
--- a/SOURCES/macros.fedora-misc
+++ b/SOURCES/macros.fedora-misc
@ -0,0 +1,79 @@
+# Some miscellaneous Fedora-related macros
+
+# List files matching inclusion globs, excluding files matching exclusion blogs
+# Optional parameters:
+#  – -i "<globs>" inclusion globs
+#  – -x "<globs>" exclusion globs
+# Globs are space-separated lists of shell globs. Such lists require %{quote:}
+# use for safe rpm argument passing.
+# Alternatively, set the following rpm variables before calling the macro:
+#  – “listfiles_include” inclusion globs
+#  — “listfiles_exclude” exclusion globs
+# Arguments passed to the macro without flags will be interpreted as inclusion
+# globs.
+%listfiles(i:x:) %{expand:
+%if %{lua: print(string.len(rpm.expand("%{?-i*}%{?listfiles_include}%*")))}
+  listfiles_include=$(realpath -e --relative-base=. %{?-i*} %{?listfiles_include} %* | sort -u)
+  %if  %{lua: print(string.len(rpm.expand("%{?-x*}%{?listfiles_exclude}")))}
+    while IFS= read -r finc ; do
+      realpath -qe --relative-base=. %{?-x*} %{?listfiles_exclude} \\
+        | sort -u | grep -q "${finc}" || echo "${finc}"
+    done <<< "${listfiles_include}"
+  %else
+    echo "${listfiles_include}"
+  %endif
+%endif
+}
+
+# https://github.com/rpm-software-management/rpm/issues/581
+# Write the contents of a list of rpm variables to a macro file.
+# The target file must contain the corresponding anchors.
+# For example %writevars -f myfile foo bar will replace:
+#  @@FOO@@ with the rpm evaluation of %{foo} and
+#  @@BAR@@ with the rpm evaluation of %{bar}
+# in myfile
+%writevars(f:) %{lua:
+local    fedora = require "fedora.common"
+local macrofile = rpm.expand("%{-f*}")
+local   rpmvars = {}
+for i = 1, rpm.expand("%#") do
+  table.insert(rpmvars, rpm.expand("%" .. i))
+end
+fedora.writevars(macrofile,rpmvars)
+}
+
+# gpgverify verifies signed sources. There is documentation in the script.
+%gpgverify(k:s:d:) %{lua:
+local script = rpm.expand("%{_rpmconfigdir}/redhat/gpgverify ")
+local keyring = rpm.expand("%{-k*}")
+local signature = rpm.expand("%{-s*}")
+local data = rpm.expand("%{-d*}")
+print(script)
+if keyring ~= "" then
+  print(rpm.expand("--keyring='%{SOURCE" .. keyring ..  "}' "))
+end
+if signature ~= "" then
+  print(rpm.expand("--signature='%{SOURCE" .. signature ..  "}' "))
+end
+if data ~= "" then
+  print(rpm.expand("--data='%{SOURCE" .. data ..  "}' "))
+end
+}
+
+# gpgverify verifies signed sources. There is documentation in the script.
+%gpgverify(k:s:d:) %{lua:
+local script = rpm.expand("%{_rpmconfigdir}/redhat/gpgverify ")
+local keyring = rpm.expand("%{-k*}")
+local signature = rpm.expand("%{-s*}")
+local data = rpm.expand("%{-d*}")
+print(script)
+if keyring ~= "" then
+  print(rpm.expand("--keyring='%{SOURCE" .. keyring ..  "}' "))
+end
+if signature ~= "" then
+  print(rpm.expand("--signature='%{SOURCE" .. signature ..  "}' "))
+end
+if data ~= "" then
+  print(rpm.expand("--data='%{SOURCE" .. data ..  "}' "))
+end
+}
--- a/SOURCES/macros.kernel-srpm
+++ b/SOURCES/macros.kernel-srpm
@ -0,0 +1,3 @@
+# kernel_arches lists what arches the full kernel is built for.
+
+%kernel_arches x86_64 s390x ppc64le aarch64 %{arm}
--- a/SPECS/redhat-rpm-config.spec
+++ b/SPECS/redhat-rpm-config.spec
@ -6,7 +6,7 @@

 Summary: Red Hat specific rpm configuration files
 Name: redhat-rpm-config
-Version: 123
+Version: 125
 Release: 1%{?dist}
 # No version specified.
 License: GPL+
@ -45,6 +45,8 @@ Source151: macros.kmp
 Source152: macros.vpath
 Source153: macros.forge
 Source154: macros.ldconfig
+Source155: macros.kernel-srpm
+Source156: macros.fedora-misc

 # Build policy scripts
 # this comes from https://github.com/rpm-software-management/rpm/pull/344
@ -65,6 +67,7 @@ Source400: dist.sh
 Source401: rpmsort
 Source402: symset-table
 Source403: kmodtool
+Source404: gpgverify

 # 2016-10-02 snapshots from http://git.savannah.gnu.org/gitweb/?p=config.git
 Source500: config.guess
@ -143,6 +146,7 @@ install -p -m 444 -t %{buildroot}%{rrcdir} redhat-hardened-*
 install -p -m 444 -t %{buildroot}%{rrcdir} redhat-annobin-*
 install -p -m 755 -t %{buildroot}%{rrcdir} config.*
 install -p -m 755 -t %{buildroot}%{rrcdir} dist.sh rpmsort symset-table kmodtool
+install -p -m 755 -t %{buildroot}%{rrcdir} gpgverify
 install -p -m 755 -t %{buildroot}%{rrcdir} brp-*

 install -p -m 755 -t %{buildroot}%{rrcdir} find-*
@ -168,6 +172,7 @@ install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh
 %{rrcdir}/brp-mangle-shebangs
 %{rrcdir}/brp-ldconfig
 %{rrcdir}/dist.sh
+%{rrcdir}/gpgverify
 %{rrcdir}/redhat-hardened-*
 %{rrcdir}/redhat-annobin-*
 %{rrcdir}/config.*
@ -181,6 +186,8 @@ install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh
 %{_rpmconfigdir}/macros.d/macros.forge
 %{_rpmconfigdir}/macros.d/macros.ldconfig
 %{_rpmconfigdir}/macros.d/macros.vpath
+%{_rpmconfigdir}/macros.d/macros.kernel-srpm
+%{_rpmconfigdir}/macros.d/macros.fedora-misc
 %{_rpmconfigdir}/kabi.sh
 %doc buildflags.md

@ -198,6 +205,13 @@ install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh
 %{_rpmconfigdir}/macros.d/macros.kmp

 %changelog
+* Fri Nov 27 2020 Florian Festi <ffesti@redhat.com> - 125-1
+- Add missing macros.fedora-misc file (#1874576)
+
+* Mon Nov 09 2020 Florian Festi <ffesti@redhat.com> - 124-1
+- Add macros.kernel-srpm (#1874578)
+- Added gpgverify (#1874576)
+
 * Tue Jun 16 2020 Florian Festi <ffesti@redhat.com> - 123-1
 - Update kmod.prov for better performance (#1794491)
 - Backport performance improvements for brp-mangle-shebangs (#1794779)