#1 Verify GPG signature of upstream tarball when building the package
Closed 2 years ago by kdudka. Opened 2 years ago by churchyard.
rpms/churchyard/csdiff: branch gpg-verify into rawhide

file modified
+1
@@ -1,1 +1,2 @@ 

  /csdiff-*.tar.xz

+ /csdiff-*.tar.xz.asc
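Review bot: the new ignore pattern `/csdiff-*.tar.xz.asc` keeps the detached signature out of git, which is consistent with the guideline quoted later in this thread (signature in the lookaside cache, only the keyring committed); no change needed, but it only makes sense together with the `sources` update further down, so the two should land in the same commit.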

file removed
-16
@@ -1,16 +0,0 @@ 

- -----BEGIN PGP SIGNATURE-----

- 

- iQIzBAABCAAdFiEEmSqW4HUFbnnNghT5hz2zdXKjezYFAmIwQ/gACgkQhz2zdXKj

- ezb1exAAhXvIQf9SIEXPrUzV4aM9wMXxrziBo1nuM9saGooaRWwiwnclYxYy7MTs

- BYM2HLnadmIae9jyKUI3IkwY8WqigcvIGDRY1yahI3i4j+tbiE8fwua/RREPqHyB

- J3LDLGbZ1gCF7tAC/9X8GHRci6mJH2AyBOZWkkmyIxbFfSKkGnrNQButr4eqeIth

- sBexEFIHKWdfxrTWLL0ZunLI+trXtugs/nUiA8RRgHI5fxU47hOvJTC+qh2UdIL0

- pMWwavCzaV9VjErvqlZVeUTejYbFyUJPkl0BWcKFX8chd0PBdbB+x/tHx1lVkW97

- P+TdGi0F24uF3DKaNk2p2EYfywZ3u3IAG3RiyJE+qYdukDiEEIIMH9SzvF+1V2/X

- 5sH9wEuMvRsqe6Io4wFoN0fYvg9H/4OmFrhlm0TuA8lWtbhMaCjmVF973Y3n47jj

- YkbUPZTkYyBDnTCfLllPqZwK2Ulhb93RQJmZNrn4VxHnshO3V0EFidUiGKMDeHJ5

- ylKbx6WXlUwWQijcp5TAarePebCXe//hmE8R8ZOWBz2yw4fgY6p0njHx5/Twty5n

- tivQ1RHwc4o0sVhYyHsMd6SNXcgR7lM9bb21gI/NAXXOLmnMeAi/KKfZxz0meOG3

- BjJEdO6Hfh5BQr/9yRvpCMVV5i60h1947rk97llhaz7yg0UX6oE=

- =lYjo

- -----END PGP SIGNATURE-----
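Review bot: deleting this committed detached signature is the right cleanup only because the same `.asc` is now registered in `sources` and fetched from the lookaside cache; a reviewer should confirm that the lookaside copy is the same signature (the `gpgv:` line in the prep log below shows it was made by key `992A96E075056E79CD8214F9873DB37572A37B36`), since a committed copy and a lookaside copy that differ would be a silent mismatch nobody checks again.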

file modified
+10 -1
@@ -10,12 +10,16 @@ 

  

  Name:       csdiff

  Version:    2.3.0

- Release:    1%{?dist}

+ Release:    2%{?dist}

  Summary:    Non-interactive tools for processing code scan results in plain-text

  

  License:    GPLv3+

  URL:        https://github.com/csutils/csdiff

  Source0:    https://github.com/csutils/csdiff/releases/download/%{name}-%{version}/%{name}-%{version}.tar.xz

+ Source1:    https://github.com/csutils/csdiff/releases/download/%{name}-%{version}/%{name}-%{version}.tar.xz.asc

+ # gpg --keyserver pgp.mit.edu --recv-key 992A96E075056E79CD8214F9873DB37572A37B36

+ # gpg --output kdudka.pgp --armor --export kdudka@redhat.com

+ Source2:    kdudka.pgp

  

  # the following upstream commit is needed to work with up2date csdiff/csgrep

  # https://github.com/kdudka/csmock/commit/48b09b3a
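Review bot: the second comment exports the keyring by e-mail address (`--export kdudka@redhat.com`) while the first fetches by full fingerprint; exporting by the same fingerprint, `gpg --output kdudka.pgp --armor --export 992A96E075056E79CD8214F9873DB37572A37B36`, pins exactly the key that was fetched, whereas an e-mail selector exports every key in the local keyring whose user ID matches, so a maintainer with more than one matching key would commit extra material. Minor: `--recv-key` from a keyserver only guarantees that the fetched key has the fingerprint you asked for, so the fingerprint itself has to come from a channel you already trust (upstream's release page or a previous verified release), which is worth stating in the comment.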
@@ -24,6 +28,7 @@ 

  BuildRequires: boost-devel

  BuildRequires: cmake

  BuildRequires: gcc-c++

+ BuildRequires: gnupg2

  BuildRequires: help2man

  BuildRequires: make

  
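Review bot: `gnupg2` is the package that supplies `gpgv`, which the `%gpgverify` helper invokes (see the `gpgv:` lines in the prep log below), so this BuildRequires is required rather than optional; the earlier revision of this PR lacked it, per the "I forgot the BuildRequires" comment, and a koji build would have failed in %prep without it.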
@@ -65,6 +70,7 @@ 

  %endif

  

  %prep

+ %gpgverify -k2 -s1 -d0

  %setup -q

  

  %build
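Review bot: placing `%gpgverify` before `%setup -q` is the right order: the signature is checked against Source0 before the tarball is extracted, so a bad or missing signature aborts the build without unpacking untrusted content. Style: the numeric short options `-k2 -s1 -d0` are terse; the equivalent `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` documents which source plays which role and is the form the packaging guidelines show, as the discussion below confirms.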
@@ -134,6 +140,9 @@ 

  %endif

  

  %changelog

+ * Tue Mar 15 2022 Miro Hrončok <mhroncok@redhat.com> - 2.3.0-2

+ - Verify GPG signature of upstream tarball when building the package

+ 

  * Tue Mar 15 2022 Kamil Dudka <kdudka@redhat.com> 2.3.0-1

  - update to latest upstream release

  
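Review bot: the new changelog entry uses ` - 2.3.0-2` (hyphen separator) while the preceding entry reads `2.3.0-1` without it; both are accepted, but the hyphenated form is the conventional Fedora one, so the new entry is fine and the older line could be normalized in a later cleanup rather than in this PR.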

file added
+52
@@ -0,0 +1,52 @@ 

+ -----BEGIN PGP PUBLIC KEY BLOCK-----

+ 

+ mQINBFgjU54BEACwGTSIP9AVBahlfv/y4snLRvlU4UWWqn8bxjh/GFTVs+l8gqOD

+ 3dT9AhbnMWfvr94nA6dXVVx8t8akn3ybVLKeii3vOSel8ayAnIXYjtowPh/TlheO

+ BSo4EcVo0IFLtiUhC0XHMngITkr6mGphzKOAjS5Kur1j09tawhWMtgeDWw9dZnvc

+ mH7f03mwvFv49YYqztaKcGvWlrLjj1O18Un5euGx18L+udG3RfeWMpzinwvcv2n7

+ sH45FVqH6wu/okOJkXShsD883NRlz652knvzuUZNqcc+l/uNm8FVB8hH7qvKJu7P

+ v1HpNSYlLqRpAREepYxdb/KJEJ5X3EoczLHM1zugB6cRi9REQ5rt1dqS8VOn5Svw

+ v4OZZUjZf/LvAB3KOl5RI40pa8zAI/ymxTZ6qZzFOp7u8XEy3GzURrYBMKJIW03Z

+ E61RI+7SJKr4yeboWSfYJbV6RQJyu8X77H9L0F6O+LHoLSoHIRmkcniwEMwl5THV

+ tUl9Daxgey+qNq1twLLV6vx8f8eyuPCdeP6ZhhUhOH4sAyh0oGZMHxiNhAFeyRdo

+ JqTXfgqLX39jwH54eJ3Cbhndwu47glipMO1HQX1XS5Rt7LfEMCTLUGSFW1xljLOI

+ 8d9fExEyTzJMVIsQJoaAvPEX4cfhcAUFQLijPkt29Wvv3WsAIVFEgoLMNwARAQAB

+ tB9LYW1pbCBEdWRrYSA8a2R1ZGthQHJlZGhhdC5jb20+iQJUBBMBCAA+AhsDBQsJ

+ CAcCBhUICQoLAgQWAgMBAh4BAheAFiEEmSqW4HUFbnnNghT5hz2zdXKjezYFAl+1

+ eU8FCQ8W87EACgkQhz2zdXKjezaYpw//UwiegIs8Xe79CERudpz7AM0BbRE6VaAU

+ QP1dMsTzIUU3HqpRrRfuCLIcbbUb7lCzAmu0SShvrt1ZUY87RXZQDJFsbHneHIKb

+ wIxIr6bRtwv1+I9A6bIWYDPdjgost4v2O2GdvDegdC6aDFJa6p7uYF3YqR1GvlCN

+ RC0DPvoZLIaHO7q+9o9WN6pe1OBmHdkzfJue9FmJxUhXGhaFGNQ/E9ahZRWv7D4e

+ 3fxH8B2lqgmLGAYsbMjgiOJFxcbIWMzltIj0hJ1x3ajUdY1B6rLf6QcgXnKJIXVR

+ Svp0s283PfhnCzoXvKFvBuUaXQfNsW3MnIJFJEWDuy1TzMdK44AmQp8iQTGVIajd

+ 2Wdmxxd54dl3GjuHPXXJZ92DG5H52cC+4TZuM4yH9gvOxwtdIafOSkvtTHYh4POF

+ piqiM67UG2a8JkW7CKPGFqfrdkM+yOfU31ouHL68q3XIpkB4z1f2w6mscdW2d7AQ

+ 3VLpb+WCeoWRy6HrRYAJZjs78Rea8N9dSzUOI2ac2OUR9Mqp6TMXed6V+6b1ogbI

+ 4I0Ni8562kPFxnjiTUhrcXNroBvQUktkEXjuk5ZOG/fJaL0lN39Cq9ImznCEGuvn

+ mb+sZ//kH7N5w8tTc3mK4NvQw8LkDyS5LItx1H2Gzybxsl5d0OajJpUY4PZeppjH

+ rxXke/QpXHq5Ag0EWCNTngEQALkRI0PUaVE9j19uyjINlxb/3nwKHmbTChQzPJFn

+ adUwbmXfChmK/vyE8XBaIFIWSJ/94W9Y1/aGPlK4my7GqkiS4q6Lf32YWBNqihvH

+ mxKuIYv2+6Z8E34yRFwmbA20RpZCy7AGIg0/LACfM4Bw+DVUhTRMl2O/muKrxd/O

+ /WLn30RoYG+D4+mE0xJu+XsHivx2DqvdkKO+Rzo8131ByiWOk6P37McFtYiPjEjh

+ ztTBcnNjd+a3xB/XDHd1Lcs7GmBqw0X10KnxC8xSzSqGSRFYF1aJYdxhayxXGJz/

+ p1Dd6mt2eT46rYUGhFWlFH7FXGsWapR8ELY42clcFgGmQ7Yps+dZ6Kx8HnEYKsIY

+ ONBqjS/dTKSrOMvkCSY0CwiCjKPM5uan5lQ9GMwbEZOQ5dcEVJOiVSfneeYpEjD/

+ oyapPrDefdsCD5Gvt2kSbDZSDR5GeO8epZ02hu/zMQxDayqdLTxAaDByDVTvRCnc

+ BLDcpvzXVAUdjIkfzDqZlLRgZu/8oNjOpWypUEE0mQfus6fDOLrt1h/0SqcJar70

+ mi0QzBlOLrksJerXygDYJus80trCJPbr5DkCy2nQdfaeUissbt4kJTBirhhMtuyZ

+ bBOQ42qm5pGef74hye1dCUddlBcb/BmIecsQ5a7EegKBDoU6ZsLcs5xnPgNwJa5U

+ 5VstABEBAAGJAjwEGAEIACYCGwwWIQSZKpbgdQVuec2CFPmHPbN1cqN7NgUCX7V5

+ agUJDxbzzAAKCRCHPbN1cqN7NiVdEACGZX+sMSfpW47ARmsg9EsWh983SafWEi4V

+ Gp3bRgOM3X4hwp8iFS/jpD8iNQpiRztSAx6s0l2pirAKFiKaaHrarVrYM4lrSoau

+ J1LeWeAy9jHRstk21Iu/myM8gfBdl9tOlrdv5NhD98tCdE/2hTtOLlZbYboNl+ug

+ 0g/3yM4KPgqXLvVpS3QBoiueTfFoSawb20lZCcDon43BGg+wS/2j7Vu9Q1Dj3fEz

+ +QV4S7JvMFP6MYV2ITvj3xajXpRkuNG8s76o/u8m2PYQ77sAl+mN446Lp+bwdQeE

+ s7j79i/2kk+djVDtgTGyRyDD/4drXOMtVKRpxDDp1YOl896cRP4PJWNK8oLlF8IY

+ ItdhN/UijK6hZoXLyQDK/DQfmTjpGEQTzFCNW8CdwvTSjK7o6lJZtrv4R4rBJ3Sd

+ kcr9rQO/uGlYblzX70iXQMKpiCb1xo3MBCUFfiq05sTNVzRNVleo9nVf0WhCgnl7

+ M9Tojh31sra9IzDAy9exga8dD/tvnebYjXYmGXfQyrPAnSSTLSjAQmlNzgx8FM96

+ WB+XJDJFALy/MV35XKi9c5SLE3hSPEhqrwnTQ5g3jOPrexhUZR6w0qDXVoQH/3p0

+ vXqQ3yx3yrREeBOW6qhHeYk3w2z7EAg4nNovAHgd68zXE9ZfCAGfWIerZsOuhdHS

+ lwvfpMesuQ==

+ =XhUt

+ -----END PGP PUBLIC KEY BLOCK-----
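Review bot: committing the keyring to git is what the guideline requires, but nothing in the diff ties this key block to the fingerprint the spec comment names; before merging, import it into a scratch GNUPGHOME and check that the reported fingerprint is exactly `992A96E075056E79CD8214F9873DB37572A37B36` (the `gpgv: using RSA key` line in the prep log below is the same check done implicitly). Also note for future maintenance that builds will start failing when this key expires or upstream rotates keys, at which point this file, not just `sources`, has to be updated.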

file modified
+1
@@ -1,1 +1,2 @@ 

  SHA512 (csdiff-2.3.0.tar.xz) = 6b152c11c42fae12ad52b83856a988c54d975f596edad6cfcd94b48ed9513eb3f8acc56738afc485949cd511d1147c57f9e16010551558791bb0f41c50305c1b

+ SHA512 (csdiff-2.3.0.tar.xz.asc) = b6c4c2f20b22b71617c479739a6bae81e1074f7f4ea3192514b1ba14aa4202e0672e2b79a58c856f3696b809d5819232f51c54f54bebf5f4651b5581ee428ddd
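Review bot: pinning the `.asc` by SHA512 in `sources` means the lookaside download of the signature is itself integrity-checked, so the only remaining trust anchor is the committed keyring; fine as is. Going forward, every tarball bump has to add both the new tarball and its new `.asc` here together, or %prep fails on a stale signature.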

https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures

Any detached signature file (e.g. foo.tar.gz.asc or foo.tar.gz.sig) must be
uploaded to the package lookaside cache alongside the source code, while
the keyring must be committed directly to the package SCM.

$ fedpkg --release rawhide prep
Not downloading already downloaded csdiff-2.3.0.tar.xz
Not downloading already downloaded csdiff-2.3.0.tar.xz.asc

setting SOURCE_DATE_EPOCH=1647302400
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.gVDlUY
+ umask 022
+ cd /home/churchyard/rpmbuild/fedora-scm/csdiff
+ /usr/lib/rpm/redhat/gpgverify --keyring=/home/churchyard/rpmbuild/fedora-scm/csdiff/kdudka.pgp --signature=/home/churchyard/rpmbuild/fedora-scm/csdiff/csdiff-2.3.0.tar.xz.asc --data=/home/churchyard/rpmbuild/fedora-scm/csdiff/csdiff-2.3.0.tar.xz
gpgv: Signature made Tue Mar 15 08:44:56 2022 CET
gpgv:                using RSA key 992A96E075056E79CD8214F9873DB37572A37B36
gpgv: Good signature from "Kamil Dudka <kdudka@redhat.com>"
+ cd /home/churchyard/rpmbuild/fedora-scm/csdiff
+ rm -rf csdiff-2.3.0
+ /usr/bin/xz -dc /home/churchyard/rpmbuild/fedora-scm/csdiff/csdiff-2.3.0.tar.xz
+ /usr/bin/tar -xof -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd csdiff-2.3.0
+ /usr/bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ RPM_EC=0
++ jobs -p
+ exit 0

I forgot the BuildRequires, will amend.

Thanks!

Is %gpgverify -k2 -s1 -d0 the same as %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'?

Where is the macro actually documented?

What compatibility guarantees do we have for this macro?

rebased onto d15211a

2 years ago

Thanks!

Is %gpgverify -k2 -s1 -d0 the same as %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'?

Yes.

Where is the macro actually documented?

Here: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures (but the short options are omitted, feel free to replace them with the longer ones if that makes you feel safer).

What compatibility guarantees do we have for this macro?

Going forward, this should not break.

Going backward:
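What `%gpgverify -k2 -s1 -d0` (and the long-option form asked about above) boils down to, as an added example that is not code from this PR, from the csdiff package, or from the redhat-rpm-config helper it calls: a script that builds a throwaway signing key, a stand-in tarball and a detached signature, converts the armored key into the binary keyring `gpgv` reads (the helper's own internals are not shown on this page; the `--dearmor` step here is an assumption about how it handles an armored keyring), then verifies with `gpgv` trusting only that keyring, and shows the check failing on altered data and on an empty keyring. The user ID `Upstream Test <upstream@example.invalid>`, the file names and the scratch directory are all constructed for the demonstration; it needs `gpg` and `gpgv` installed and exits quietly otherwise.

```shell
#!/bin/sh
# Added example, not code from the csdiff package, this PR, or redhat-rpm-config.
# Reproduces the core of "%gpgverify -k2 -s1 -d0" in %prep: verify a detached
# signature on the tarball with gpgv, trusting only the keyring committed next
# to the spec. Key, "tarball", file names and scratch directory are constructed.
set -eu

# gpg and gpgv are required; nothing to demonstrate without them.
command -v gpg >/dev/null 2>&1 && command -v gpgv >/dev/null 2>&1 || exit 0

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
# Stop the agent gpg starts for the scratch home and remove the scratch tree on exit.
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# Files playing the roles of Source2, Source1 and Source0 from the spec.
KEYRING_ARMORED="$WORK/upstream.pgp"   # what would be committed to git (armored)
KEYRING="$WORK/upstream.gpg"           # binary form handed to gpgv
SIG="$WORK/pkg.tar.xz.asc"
DATA="$WORK/pkg.tar.xz"
TAMPERED="$WORK/pkg-tampered.tar.xz"
EMPTY="$WORK/empty.gpg"

# 1. Throwaway upstream signing key (hypothetical user ID, no passphrase).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Upstream Test <upstream@example.invalid>' default default never
FPR=$(gpg --batch --with-colons --fingerprint --list-secret-keys \
      | awk -F: '$1 == "fpr" { print $10; exit }')

# 2. Export the public key by fingerprint (the selector the spec comment fetches
#    with) and convert the armored copy into the binary keyring gpgv expects.
gpg --batch --armor --export "$FPR" > "$KEYRING_ARMORED"
gpg --batch --dearmor < "$KEYRING_ARMORED" > "$KEYRING"

# 3. Stand-in tarball plus a detached, armored signature over it.
printf 'constructed tarball contents\n' > "$DATA"
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --local-user "$FPR" --detach-sign --armor --output "$SIG" "$DATA"

# Altered copy of the tarball (one appended line) and an empty keyring, for the
# two failure modes below.
cat "$DATA" > "$TAMPERED"
printf 'injected line\n' >> "$TAMPERED"
: > "$EMPTY"

# verify_detached KEYRING SIGNATURE DATA
# The check the %gpgverify helper performs: gpgv with an explicit keyring, so
# only keys in that file are trusted. Prints "good" or "bad"; returns gpgv's status.
verify_detached() {
    if gpgv --keyring "$1" "$2" "$3" 2>/dev/null; then
        echo good
    else
        echo bad
        return 1
    fi
}

# Untouched tarball: the signature verifies.
echo "original:      $(verify_detached "$KEYRING" "$SIG" "$DATA" || true)"
# Altered tarball: the same signature no longer verifies; in a build this is the
# point where %prep aborts before %setup extracts anything.
echo "tampered:      $(verify_detached "$KEYRING" "$SIG" "$TAMPERED" || true)"
# Intact data but the signer is not in the keyring: also rejected ("no public key").
echo "empty keyring: $(verify_detached "$EMPTY" "$SIG" "$DATA" || true)"
```

The three lines it prints are the whole point of the macro: only a signature by a key in the committed keyring over the exact bytes of Source0 is accepted, and the keyserver and lookaside cache are never consulted at build time.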

Pull-Request has been closed by kdudka

2 years ago