From 57b849212d845c4915541582feb0cc3dfbcc0459 Mon Sep 17 00:00:00 2001 From: Benjamin A. Beasley Date: Feb 20 2021 13:45:22 +0000 Subject: Verify source with new strong signatures from upstream --- diff --git a/.gitignore b/.gitignore index f235235..56e8747 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ cairomm-1.9.1.tar.gz /cairomm-1.14.2.tar.xz /cairomm-1.14.2.tar.xz.sha1 /cairomm-1.14.2.tar.xz.sha1.asc +/cairomm-1.14.2.tar.xz.asc diff --git a/cairomm.spec b/cairomm.spec index dfa0b05..4322e92 100644 --- a/cairomm.spec +++ b/cairomm.spec @@ -9,22 +9,18 @@ Name: cairomm Summary: C++ API for the cairo graphics library Version: 1.14.2 -Release: 7%{?dist} +Release: 8%{?dist} URL: https://www.cairographics.org License: LGPLv2+ %global src_base https://www.cairographics.org/releases Source0: %{src_base}/%{name}-%{version}.tar.xz -# The complete set of authorized GPG signing keys is not published -# (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), and -# the signature is over a cryptographically-weak SHA1 checksum file -# (https://gitlab.freedesktop.org/cairo/cairo/-/issues/458), as initially -# reported in https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25. -# However, we are able to verify the signature (of the weak SHA1 checksum) -# using the key for Kjell Ahlstedt from +# No keyring with authorized GPG signing keys is published +# (https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/331), but we +# are able to verify the signature using the key for Kjell Ahlstedt from # https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/290. -Source1: %{src_base}/cairomm-%{version}.tar.xz.sha1.asc +Source1: %{src_base}/cairomm-%{version}.tar.xz.asc Source2: https://gitlab.freedesktop.org/freedesktop/freedesktop/uploads/0ac64e9582659f70a719d59fb02cd037/gpg_key.pub BuildRequires: gnupg2 
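Review bot: The rewritten comment above `Source1` identifies the signing key only as "the key for Kjell Ahlstedt" plus an issue link, and `Source2` is an attachment URL on that issue rather than a published keyring, so a reviewer looking at the committed `gpg_key.pub` has nothing in the spec to compare it against. I would record the key's identity in that comment, e.g. `# Expected key fingerprint: <40-hex-digit fingerprint of gpg_key.pub>`, so the checked-in key can be matched against the one attached to issue 290 (the fingerprint itself is not visible in this diff). It may also be worth stating in the same comment that the new `.asc` is a detached signature over the tarball itself, which is what makes the plain `%{gpgverify}` call in `%prep` sufficient where the previous signed-SHA-1-checksum scheme was not.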
@@ -107,27 +103,17 @@ The API/ABI version series is %{apiver}. %prep -# https://gitlab.freedesktop.org/cairo/cairomm/-/issues/25 -# The .sha1.asc file in %%{SOURCE2} is a signed-but-not-encrypted copy of the -# corresponding .sha1 file; see the description of the --sign option in -# https://access.redhat.com/solutions/1541303. We “decrypt it” using the -# signer’s public key from %%{SOURCE3} to obtain a verified copy of the .sha1 -# file. To do so, we must first import the public key into a keyring; see -# /usr/lib/rpm/redhat/gpgverify, which is the implementation of the %%gpgverify -# macro, although we cannot use that macro due to the unconventional signing -# scheme. +# Import developer’s public GPG key to a keyring that we can use for signature +# verification. workdir="$(mktemp --directory)" -workring="${workdir}/keyring.gpg" -gpg2 --homedir="${workdir}" --yes --no-default-keyring \ - --keyring "${workring}" --import '%{SOURCE2}' -gpg2 --homedir="${workdir}" --keyring "${workring}" --decrypt '%{SOURCE1}' \ - > "${workdir}/%{name}.sha1" -pushd "${workdir}" -ln -s '%{SOURCE0}' -sha1sum -c %{name}.sha1 -popd +gpg2 --homedir="${workdir}" --yes --import '%{SOURCE2}' +gpg2 --homedir="${workdir}" --export --export-options export-minimal \ + > %{name}.gpg rm -rf "${workdir}" +%{gpgverify} \ + --keyring='%{name}.gpg' --signature='%{SOURCE1}' --data='%{SOURCE0}' + %autosetup # We must remove the jQuery/jQueryUI bundle with precompiled/minified/bundled # JavaScript that is in untracked/docs/reference/html/jquery.js, since such @@ -185,6 +171,9 @@ cp -rp examples %{buildroot}%{_datadir}/doc/%{name}-%{apiver}/ %changelog +* Sat Feb 20 2021 Benjamin A. Beasley - 1.14.2-8 +- Verify source with new strong signatures from upstream + * Thu Feb 18 2021 Benjamin A. Beasley - 1.14.2-7 - Working (but weak, dependent on SHA1) source signature verification - Added API/ABI version to descriptions diff --git a/sources b/sources index 19e0058..fca27ae 100644 --- a/sources +++ b/sources 
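Review bot: The key imported by `gpg2 --homedir="${workdir}" --yes --import '%{SOURCE2}'` is trusted purely by file content: nothing between the import and the `%{gpgverify}` call checks which key ended up in `%{name}.gpg`, so a swapped `gpg_key.pub` together with an `.asc` made by that key would still verify. A one-line fingerprint pin after the import closes that gap, e.g. `gpg2 --homedir="${workdir}" --with-colons --list-keys | grep -q '^fpr:::::::::EXPECTED_FINGERPRINT:$'`, with the expected 40-hex-digit fingerprint written into the spec (the `-e` shell used for `%prep` makes a failed grep abort the build). Note also that the exported `%{name}.gpg` keyring is written to the current directory and is not removed after verification, presumably `%{_builddir}`; if that is not intended, a `rm -f %{name}.gpg` after the `%{gpgverify}` line keeps the build tree clean. The `%prep` section continues past the end of this hunk.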
@@ -1,2 +1,2 @@
 SHA512 (cairomm-1.14.2.tar.xz) = aef374fca25ad22770407e36512046b266d71ebeccd47fb629cfbf2f67783aa314bb335b972088a88d98417a4774d6f144cd2769c452f8aa23770eae08dca592
-SHA512 (cairomm-1.14.2.tar.xz.sha1.asc) = 992f2ab7be68ce7570ba49efa40cc12cc2d2ed13983127892f1335401a184f3cb35e1a4b422d7ff0d234a0085bbc0dac9c84f183133f40ac47e668fb6d21f3c6
+SHA512 (cairomm-1.14.2.tar.xz.asc) = b2b9c79d4fb2b43f30599a1bcb5138bf375962728e173514a2ee8b69bed2e7a78a8a4818258e0aec0138c953597f3e6cf83cd3b99b3e3a1538afcc0c23f6a7c1