From 91ffda4709772feba8cfe67fb52a0d905a784fa2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Wed, 13 Jan 2021 09:33:11 +0100
Subject: [PATCH] Verify an upstream archive signature

---
 .gitignore                                       |   1 +
 ...-F576AAAC1B0FF849792D8CB129A794FD2272BC86.gpg | Bin 0 -> 4529 bytes
 sources                                          |   1 +
 time.spec                                        |   8 +++++++-
 4 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 gpgkey-F576AAAC1B0FF849792D8CB129A794FD2272BC86.gpg

diff --git a/.gitignore b/.gitignore
index 7b5af79..c7f3961 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 time-1.7.tar.gz
 /time-1.8.tar.gz
 /time-1.9.tar.gz
+/time-1.9.tar.gz.sig
diff --git a/gpgkey-F576AAAC1B0FF849792D8CB129A794FD2272BC86.gpg b/gpgkey-F576AAAC1B0FF849792D8CB129A794FD2272BC86.gpg
new file mode 100644
index 0000000000000000000000000000000000000000..c17e1624260aff4dd566355b6dd34e03aa523431
GIT binary patch
literal 4529
zcmaLaRa6w*+Q4yU$f0pyXdMs<>F$;e=|-fxyOAzIx)~`+=?*FBZcw^AhVJA0p6{&p
ztncF7?VEkE*ZQyDv!65|7LsaPh8F-AVe(pta=a>EvDT)3pj)Wkf`=T^w$U?2!x)?Z
zY1YZ!quznV)L*A`b6`?AjHE<M@DH$74y>X=;uAIm;V%C5*kM9rs}Di6elZD77T9XZ
zcXl+7%iYD^PEZdw<WqRZix2T<95XnY&Pvj`xq!eL#rW-z>r`QtV@^r*i2j`bVV@LX
z!tM`NBphWXRY66j5KZD1Px9+FoB7Y<;kB-+v`W7O7zwD08igOA==aT(XkkeBaw%Ou
zn>(jztXO}1aq9+eXcm*$Qxy-AqObQ?pEL)4;_sj|gqUa{Q00U;hjkwdp5yg9Km|X;
z5j~o)IhQyilOopvi3B;2Pp|9HjU*Y%fDRsgoEasyZ;J?NuLb5gaj08_H|w&Z2_r}n
zAsz!-xt4aQ6fd=mEX8JQbMgmsL12E8)|t<lW>%#n8%R+Na-F;t*GK!Q8wXQ@D@jq|
zAYV@32WM;EvXiuN2_tJ}>D0+UP&D}dN3c()ZV{!#$eCn2pIPa7^d0%f3b21ZhoU%w
zS^0MZkP?iGdZWqG5)?+){aMc$X`t3S-0p<PPe5+3;QVrZi9~1drFUH>A<7(Uj9%yf
zXxmbm1d=j=Y~c2~u(f@e8vmWKAV{KW^PZuyX-Kd`wJQb1Y7T5DP>rxH?#QNJi^I6K
z&CiH+S`6dWQ&$VTbw&gs-~kW-wG^Vx&W2`CDSIaqdpoFrq50nj5qC=_TT2%vQxjLA
z2%r!W3jiH~78$5Mw9G_74pp>=+SuEfn>s<=?VYSG?aZNuF3^8&AfSVA=?W7cDV<tF
zb;WU>)m1tBzj5t%d^J~k=v3}C_wZ`h<NY!@nlcYC!<NObF|ENoEnYnc?v)>14L~^L
z@PDk%K>oOn6-oM<F{J$#K@CtXn_BpwgxBhwkFqVYN!1j;xVm-onu=@@J+n3?xi8CN
z4swavJW*~uHg@0J)x6;%QQDp1`Z+C4-ty}UjiI!tA}OLR6k2f;F$5HDz!Y`wmhzA9
zg~%IjH~BZMq$?fRQ`A2(FXdzJsS3b9w{&?H96Bb_#03DJ955Bt6^KZ7<*>je+hyOk
zMCk-M8;WB|!4?tYQw#93+G@8H^9+luTha;f^E92ii5TQbalRIsH(KAk`{iMH$V>zl
z1X;wuRBHog$>l2jG91Tme<%m_b9v9@zeuZ|$F)<|kl!DkjEjre%7%9bqc%o}SJ$y)
zem7mlICm)fNY7SuGea<XFwbaxFf!=~xR7L$NgPb5vIG(@@Fs?9I`a^gzbK=c-1t$|
zC2cq_651kF7{{3B&ORRFwu>oMYC8mW@*+mNm!8o>mEQAmuZndH94gq$G<zTNp?L|D
z0%c{TFqL7@5?G~lJ|#rV+=~?A5$rQ^#Mh`0VYD6x{<LY9R>!Ipa|fsdduHRjC)(T+
z+FW2NS}#j)Yk73=D_j2fA!psi@N=6_te^wp2hGa27G{z6QUwjsYCnF5z*>C|!fL7h
zUt@n2_kW$4+ZtNhFd5t1{>e-e3H&EBQ6MQIG6o0@6%m;L9fXE~3;`kn5P&ZMK*9hZ
zF#tk=bm>-7Mv8MI<H;CZ^`Fj=fge=e+>k+-?$|#6-CwLfE<ywWiD;Y&_-bgM&6lL1
zl)Z*9>h`|u)H{%vuR(j1wrwawtE`Z2D1Tv?il|>YKML)_ibav3aXZuYJsinnK7Z<D
zb7{O&XT_$cX{93OWO2r(=Ib@2Wao9<cRAOdkA78JXiL0<c*5@Nz@=dC4mko+iU*Tx
z$ujkz)pQ!bQpayRnJCO1u>ec=9n*mxK5K#DSfYYfytoKHNVnbEY_dtxqe^n4(KC9g
zdMAV6T<#$AdX*NNM1j@ZN{i40rpim5{h#TCl|dYreoQKN&V=>S$WwJaUs7o9=8UL9
z!o9!Bji4TUVMf=tYF~}3Jh2MU(T3gZxiY-4LA&Z`7rKa~(!yYsa;iF-t*-s?V6ywM
zMCA}J%Ba$GGw%A5nuPn)PXq3`nIU6`efjqSV>kQSF;L4#>_r*RX<|61=g*{8j7aV7
z<Vn%`#Ar!Z@nVyKP>Gi`F2gnTV)syPf9=~+zo@&0nKa^G-o8ie<vonMBjSQ&{4ff)
zOd>>6=tt}g(|S>!f%F`f@7rOV`1v3@xO~aRuZxg{Y!as3GZ_(@uJilc)l!=qW=gx7
zK$uBXTeH%>nv7-^p%=GT)7AQsftZiD%DX4*$rdBn0>1?&DN!09N%1&4+<wLwm&Jh|
zVGQ4QD(FyJkIpa;4T#N*Z}y0h)?&1A68bci5~|kp&&=y@hbiXFNG^v0qoTDIFt=wW
zq8&8Yva4Vo!|*@^jx+$Iui}LN{HSytRAjFzlnbWVy;ye4{)BVu8Mm;qRo2PewM^`S
zwk=~(X_(~8=DKyyC$We7X6H!8Xzy0_WMyjdTUm1>m*kW(VcH7)3Z6l7n-@7hRqc6f
z)8@k)9*=o_akbpdo$zjsery^!k>|18<sdF4540+$S1?;zp$^@d4b@+?%^q9U)g#kc
z!24Of%jH4Gd$GVdF2`x23hr`IWx3Zxl-3QHVY==R%->$!@cE!(yvQS8*RQXzo;!z8
zo~h{h;8Eo7<qSq03Cklb{aCTIvYomUZtuGiq>$^XW#iA}kZ3U0c5fJoDkD#grZC#L
zzhBHDB6L?Nog#p%qB`dKjF$Os<DGpvc&$63=Bf&BJl@7eX{JuKaSv|GS6z-L6|X<K
zZ{$=r!)?;x8N6?y{)LNVyF8U|DW07fgzt3i?Yo+LlOk~s8_u0*)UBcLP&8M8x-Cz_
z8^T8J@&wBy+F;J(5DqIXBmo{E5=El4@srRFXL+w)F2^we)i=fxAo{aFZu~mGR?s2W
z(#n`1{t4zRIs6X&XuQ?T!0nCGXq$f~<y)T6&_>oGqq%^AekeKGx#!y=a1&Y@wZUlX
zbi1g8T`NaVo`!39Y>j_+z>a$RusFH!2iw1AUIb78iRh0s)Id_q|HVnl-<)LqHz%D}
zIL|tDyc68-aDG39RPT<qX`Dale%DL1n00V>wwa2b=@R!DmS*U6i&67`k#<U{A9a0l
zxOj`hojh$fJWen1diFBt0=f1KT%YPt!uB;?!NhvCPcTpgdnr>k|3P??OjWQs;H(ZL
z4pI%She>P8ll{!z;~k0`$9cJveZTw8b`jDUB}I_$06lxzy*|wKd&3sUoxmzLm40P{
z)KPs$_6rB`6)$&b@9Fzr%kCN2SqhFWw6g=_XRy1=F`X}00ShV(pFFP33drC8Nb$AD
zH9y_gS_)Ba5${br;~2z;(1R+Y=D*C_*wxFn`VPiL@zsKSMnq>iG_BQM6v29;b5jch
z8t^iTXkSaQr>8ntN(L~wD;GW`_KgK)?^D)X1-a%-pmb*zE(6elAuj5O&k`&a4Cf|7
z_{1vC{-wWf8aAEvT9HfAZlxw9d?<Cm+jSbZsI9?e?BwYf0_xiZ+Hy6)vxC<2j}7E1
zk?iz(>Or{LXLC-?;cR(2*b@0IWZQK&%(G9fNulQ~eafbpbbRV4L%K1D%U+@fR{|dN
zCt<m+!~U<2al_(3tFNRMk&})dDr%MlP1roU-%sFgxk}sJU6pKsCE<>0*v!s^u(bJ(
zI!SO-IO-E@S#3ZYENSpTwr)O|Ov?rKT>j|2t$^jkl4Bkk#tETvKYlOz=fVHx1Qz?}
z3*E1=LXd`*0?Mh=4UH$P8jm<vjo>dw2uI|T;m8vjfZhffr(*LxYRF-`sXsnVqmq0m
zJtpJbJ!}~g7n>a&>zqysEbQ2%ao^*nmd|8uIHWfy!CnUwrQDP^2+g)6p3zU(8rAlV
z71J3vXlQZaW}>`NhPw$nQ=X<HwNl8XRK(;ga&Wnq#D=-<Z~I``C`@RbA*V_Evw&h<
zuIz(P`!N4d#4k&ditssp9?D)Zi8U>~IxcJbESD_SBcrY2XV2%8Z+v#bPn_9MHgC1c
zRHSc+W>mTkuwG?z65ZKr3}^Szb~$sLE`3xspzGw%j$S&-sldNjGObmM{aLYU_tu`<
zXj#~(+}ss|{=x;}**#Hwk7w~#O>&l%w9um7H-0##?YBZ|N7{k`%#X6MHqcRWJ8u|+
zso-;1Y#|T&E2dSA(O$QKMc;b8=-YHsr~Cjj`5~(H$L6;8FTbZ|`N?q0x)&wiKC4$W
z^ETlWaI&1a95R@NcP5)VXTtR{!}kS<G0S}|TNsvqa(L0ZIeTwqFL%stjxG12;j{rX
zUnz;xK3EDIGr))dmTNdZf%Bi%>WX<ZiLvzgaL-pUv51;O+Ib~1=xG<zP<`0@mqyfg
z5^#}|pEExq?WPyl`?qbZe8cx4JQxUGm&AuCeMz$g$f}m#R)3c~%*E@wllV6$NV@;w
z1o*!=Df^2P^eiA<r#=*k_>Vs*$UxOLSnOZEpySn(b7?jKXbf?lxP~0bau<LlDe1Bd
z-#otd<jFxY_i01&e9yKNVC<d*mSVc`RbHKI+cs5ItE?rdLb~bc9a}ry!ZiMlMF;yU
z;O?ZcHV1oq+!P-iQ*VN<Fo@}Vrl%|ssRplKMpni+NIC**+pud6Dv?LOFQ#F78i#ll
zZJ7s}5I(!c5H9!FR~gLh$d+D@48vJFtUWQesVr^)do~=;^oFayQbaupOx~mD@2O|H
z!kuz1y$dfw&6aU0)s_`|*gq)clBc@TURogjgq7a3Beq78LY1&P2tMw~gzOUH-TL0&
zHE>*5J!oMWOS?x$W<C;gxJhm4XN;aVhb6ZnqqoU<eT;SA62i|$X>3e?8TWiyMRU^^
z<hWi>|E|@gQx*fyrr0KtgIU$$Ar94bx>|R&tyu5(l3J9!fRFA(W6D5vlZA@{ZOXX^
zXe}AMZqAYsc5YjWmD|J24ZP@nBGYO($mV2+VSmuXW$vMQtJmoYqanRJct?D6LG$fn
z@G{C^KTgZdL=Ir)3pEL>B3M4k-sD1PGiXJEwb&p%v};p!=RUyp>B09n%zt8HD0He?
zO1!;Bvp;?QT10ju0Zhn~|9K}|e90f~=-*V-1lLSP8^Nz=GNFiDaEf>-30Qc!^mcEe
zgkA4bO=C6dyA}sZVn533#7OCzM9NZb<Mi2%Pb{j||13`d9ykwJzt8Yrohv?vaIytZ
z*l$>h%hzgRco6WIdYPneJl;0Wqr=bB_GagEF4vegc`Vi8iwCtKyCRiKKL_h%<BUIS
zt0kb~<x#+_TLFJI?;Fx}4N*Xq%n+FMI4LI}qLws5<T%UlSYb*FADIYzrVyp;zzwCT
zY)e%h>l4Yti7;mol4e8^LU)s_!=~^LG0^Sfdq+EKHIAtxJBC{LlTVCn(1teio7Nm}
z>_`e3Q#ChZ=Xvz6G;ASxm^A9T_r3WcnHK+@sju8sVGoH=-|Ubse3(yr%Djs^JV5^q
zUlcjkp~K9%RqDKA48i93Q3vR8&gd?hrzQq&H9J92!FnhR9uzdT>C2&gOGoeA6!hBw
zx3KruV4mXHQltaI%CGO@6Dgb965lEemG!M<zif19SNjC8ypHiRdzF=Y>WA<0Yt`>T
zW%e|<nkW;%DkJ}$S~4GJQt0ILa`ap7t`Wt`q&+Q*>oXIX06J^b4`>zy55z+cY&nk7
zx;{Pi8wy!s)s-+J`V5le>~%;z3vv0;SeJO=5b`Ezjy}*^V2^HeBy`QdUP0zqx2N+`
zR)p=E0vkCK0iP>mSUmbGg&g$NMujPl+z3QmR6h{e!EnZ=4DPb|i9lzcuJ2aWN5|BT
ll9wwlD~PFyZKuj8*O4)H?Zq2m#ii8AkS2zA0T!*me*w~spo;(i

literal 0
HcmV?d00001

diff --git a/sources b/sources
index 970e510..3a8c01e 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
 SHA512 (time-1.9.tar.gz) = 5c6dabbbe71e9103a47b892b86bb914c1704122d4fe7dff1e2cbd28503297163118d295077d8e062b035d673a1f91c36f8a45c7383f374fd766942b32bde4406
+SHA512 (time-1.9.tar.gz.sig) = cfcd147e237639144d9a37346ea3fce827544320faf8629d92ccea0b27b7c943de523ed54c50fdbafd4f9d77458954e335c0ea7a6462f157d12e6a5e5478beb0
diff --git a/time.spec b/time.spec
index 46db75d..32a0cac 100644
--- a/time.spec
+++ b/time.spec
@@ -40,7 +40,10 @@ Release:    13%{?dist}
 # tests/time-posix-quiet.sh:    GPLv3+
 License:    GPLv3+ and GFDL
 Url:        https://www.gnu.org/software/%{name}/
-Source:     https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.gz
+Source0:    https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.gz
+Source1:    https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.gz.sig
+# Obtained from a key server
+Source2:    gpgkey-F576AAAC1B0FF849792D8CB129A794FD2272BC86.gpg
 # Fix measuring time when a clock experiences a jump, bug #1004416,
 # <http://lists.gnu.org/archive/html/bug-gnu-utils/2013-09/msg00003.html>
 Patch0:     time-1.8-Prefer-clock_gettime-CLOCK_MONOTONIC.patch
@@ -58,6 +61,7 @@ BuildRequires:  automake
 BuildRequires:  bash
 BuildRequires:  coreutils
 BuildRequires:  gcc
+BuildRequires:  gnupg2
 BuildRequires:  make
 BuildRequires:  texinfo
 # Tests
@@ -69,6 +73,7 @@ the resources used by that program while it is running, and displays
 the results.
 
 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %setup -q
 %patch0 -p1
 %patch1 -p1
@@ -98,6 +103,7 @@ rm -f $RPM_BUILD_ROOT%{_infodir}/dir
 %changelog
 * Wed Jan 13 2021 Petr Pisar <ppisar@redhat.com> - 1.9-13
 - Update URL and Source addresses (thanks to Robert Scheck)
+- Verify an upstream archive signature
 
 * Mon Nov 16 2020 Petr Pisar <ppisar@redhat.com> - 1.9-12
 - Fix a regression in closing a file descriptor if no --output was given