#6 enable GPG-based source file verification
Opened 3 months ago by fschwarz. Modified 2 months ago
rpms/fschwarz/mesa master into master

file modified
+1

@@ -3,6 +3,7 @@ 

  .build*

  /mesa-*.tar.bz2

  /mesa-*.tar.xz

+ /mesa-*.tar.xz.sig

  x86_64/

  results_mesa/

  mesa-*/

file modified
+15 -1

@@ -52,7 +52,7 @@ 

  Summary:        Mesa graphics libraries

  %global ver 19.3.0

  Version:        %{lua:ver = string.gsub(rpm.expand("%{ver}"), "-", "~"); print(ver)}

- Release:        1%{?dist}

+ Release:        2%{?dist}

  License:        MIT

  URL:            http://www.mesa3d.org

  

@@ -61,6 +61,15 @@ 

  # Source1 contains email correspondence clarifying the license terms.

  # Fedora opts to ignore the optional part of clause 2 and treat that code as 2 clause BSD.

  Source1:        Mesa-MLAA-License-Clarification-Email.txt

+ Source2:        https://mesa.freedesktop.org/archive/%{name}-%{ver}.tar.xz.sig

+ # upstream does not publish its GPG keys used for signing

+ # "trust on first use" for now until

+ #    https://gitlab.freedesktop.org/mesa/mesa/issues/2140

+ # is resolved.

+ # gpg2 --keyserver pool.sks-keyservers.net --recv-key 71C4B75620BC75708B4BDB254C95FAAB3EB073EC

+ # gpg2 --export --export-options export-minimal "71C4B75620BC75708B4BDB254C95FAAB3EB073EC" > gpgkey-dylan-baker-71C4B75620BC75708B4BDB254C95FAAB3EB073EC.gpg

+ Source3:        gpgkey-dylan-baker-71C4B75620BC75708B4BDB254C95FAAB3EB073EC.gpg

+ 

  

  # https://gitlab.freedesktop.org/mesa/mesa/issues/2042

  Patch0:         fix-arm-build.patch
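Review bot: the trust-on-first-use comment between `Source2:` and `Source3:` records how the key 71C4B75620BC75708B4BDB254C95FAAB3EB073EC was fetched and exported, but not how that fingerprint was matched to the person who signs the mesa tarballs; since the comment itself says upstream does not publish its signing keys, add one line naming the corroborating evidence (for example the upstream issue 2140 reply once it arrives, or an earlier release verified with the same key), so that a future maintainer can tell a legitimately rotated key from a substituted one when the verification starts failing. Separately, the added `+ ` empty line sits directly before an existing empty context line, which leaves two consecutive blank lines in the spec; drop one of them.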

@@ -71,6 +80,7 @@ 

  BuildRequires:  gcc

  BuildRequires:  gcc-c++

  BuildRequires:  gettext

+ BuildRequires:  gnupg2

  

  %if 0%{?with_hardware}

  BuildRequires:  kernel-headers

@@ -324,6 +334,7 @@ 

  Headers for development with the Vulkan API.

  

  %prep

+ %{gpgverify} --keyring='%{SOURCE3}' --signature='%{SOURCE2}' --data='%{SOURCE0}'

  %autosetup -n %{name}-%{ver} -p1

  cp %{SOURCE1} docs/

  
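Review bot: calling `%{gpgverify}` before `%autosetup` is the right order, since the archive is checked before anything is extracted and the macro aborts the build on a bad signature. One thing to confirm: `--data='%{SOURCE0}'` assumes `Source0` is the `.tar.xz` that the new `Source2` (`%{name}-%{ver}.tar.xz.sig`) signs, but `Source0` itself is outside this diff, and the `.gitignore` hunk still carries a `/mesa-*.tar.bz2` pattern, so please check in the same spec that `Source0` resolves to `%{name}-%{ver}.tar.xz` and not to another archive format.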

@@ -584,6 +595,9 @@ 

  %endif

  

  %changelog

+ * Wed Dec 18 2019 Felix Schwarz <fschwarz@fedoraproject.org> - 19.3.0-2

+ - enable GPG-based source file verification

+ 

  * Mon Dec 16 2019 Pete Walter <pwalter@fedoraproject.org> - 19.3.0-1

  - Update to 19.3.0

  

file modified
+1

@@ -1,1 +1,2 @@ 

  SHA512 (mesa-19.3.0.tar.xz) = 69c4519540118fb3d50d718d92f443051c149633cf4291a07706c6d45cd6ad1f6f3b91446de2d31a9082efe9e3b4ce35b7472830e152ba655d83a91c2ed3c042

+ SHA512 (mesa-19.3.0.tar.xz.sig) = 2be06c49cd896309e6cfca95d899587b2cacadd5e57c32a9b0be50ce7e92cd3a524521facc14c41df5510a7ba92c50db70ec5ffec9d92d77bfcb568323633b6e
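Review bot: this line records a digest for `mesa-19.3.0.tar.xz.sig`, but the description below says the `.sig` has not been uploaded to the lookaside cache yet, so a build from this branch will fail at source download until that upload happens; please upload the file before merging (and say so in the PR text), otherwise the branch is not buildable as submitted. The digest can only be confirmed by fetching the file and comparing, as the description suggests.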

This ensures Fedora will not ship compromised tarballs (see also https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification).

Please note I did not upload the .sig file to the lookaside cache yet, but you can get it with spectool -g mesa.spec and check its sha512sum against my modified sources file.

I also created upstream issue #2140 to verify the key IDs more easily.
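The by-hand check the description suggests (comparing the downloaded .sig's sha512sum against the modified sources file) can be scripted for every entry at once. The script below is an added example, not code from this pull request or from the mesa package; it assumes the `SHA512 (name) = hexdigest` line format shown in the sources diff, and the file contents it hashes in its demonstration are constructed stand-ins, not the real tarball or signature.

```shell
#!/bin/sh
# Added example, not code from the pull request or from the mesa package:
# verify every entry in a Fedora "sources" file against the file on disk,
# which is the sha512sum comparison the PR description suggests doing by hand.

# Print the SHA-512 hex digest of a file. Prefers coreutils sha512sum and
# falls back to shasum(1) on systems without coreutils.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# verify_sources SOURCES_FILE DIR
# Reads lines of the form "SHA512 (name) = hexdigest" and checks DIR/name.
# Returns 0 only if every listed file exists and its digest matches;
# a missing or altered file (for example a swapped .sig) returns 1.
verify_sources() {
    sources_file=$1
    dir=$2
    status=0
    # The "|| [ -n ... ]" also processes a final line that lacks a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "SHA512 ("*") = "*) ;;
            *) continue ;;            # ignore blank lines and other formats
        esac
        name=${line#"SHA512 ("}       # strip the leading "SHA512 ("
        name=${name%%") = "*}         # keep only the file name
        expected=${line##* = }        # the recorded digest
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2
            status=1
            continue
        fi
        actual=$(sha512_of "$dir/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name" >&2
            status=1
        fi
    done < "$sources_file"
    return "$status"
}

# Demonstration with constructed files (no network, nothing fetched from the
# lookaside cache): the intact set verifies, then a tampered .sig is rejected.
# Returns 0 when both outcomes are as expected.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed stand-in for the tarball\n' > "$d/mesa-19.3.0.tar.xz"
    printf 'constructed stand-in for the signature\n' > "$d/mesa-19.3.0.tar.xz.sig"
    {
        printf 'SHA512 (mesa-19.3.0.tar.xz) = %s\n' "$(sha512_of "$d/mesa-19.3.0.tar.xz")"
        printf 'SHA512 (mesa-19.3.0.tar.xz.sig) = %s\n' "$(sha512_of "$d/mesa-19.3.0.tar.xz.sig")"
    } > "$d/sources"
    verify_sources "$d/sources" "$d"
    good=$?
    printf 'tampered\n' >> "$d/mesa-19.3.0.tar.xz.sig"
    verify_sources "$d/sources" "$d" 2>/dev/null
    bad=$?
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo
```

Run as `verify_sources sources .` in a checked-out package directory after `spectool -g mesa.spec`; a non-zero exit names the offending file on stderr. Digest matching only proves the download equals what the packager hashed, which is why the spec's `%{gpgverify}` step is still needed to tie the tarball to the upstream signing key.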

rebased onto b511b8a

2 months ago

ping? Any objections?

(I rebased the commit onto the latest master so it still applies cleanly.)

rebased onto bbce52b

2 months ago

ok, I rebased this one last time. It would be nice to get either a NACK or simply click on the "merge this pull request"...