From 7f604f45f663a79ec15ac63a70fcacc8c6ca315d Mon Sep 17 00:00:00 2001
From: Michael J Gruber
Date: Aug 31 2022 12:01:07 +0000
Subject: reenable signature verification
It was supposedly disabled in 2014 (but never implemented anyways). We should check the signature (per guidelines), and we can, so let's do it. The keyring is generated from gnupg.org's legacy public key block (our tool deals with keyrings only), filtered for the relevant key of Werner Koch only. It is expired as of today but was not at release time of the packaged sources. Expect the keyring to change for the next release!
---
diff --git a/.gitignore b/.gitignore
index d8719d1..7871b7b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@
 /npth-1.3.tar.bz2
 /npth-1.5.tar.bz2
 /npth-1.6.tar.bz2
+/npth-1.6.tar.bz2.sig
diff --git a/gpgkey-D8692123C4065DEA5E0F3AB5249B39D24F25E3B6.gpg b/gpgkey-D8692123C4065DEA5E0F3AB5249B39D24F25E3B6.gpg
new file mode 100644
index 0000000..784b32a
Binary files /dev/null and b/gpgkey-D8692123C4065DEA5E0F3AB5249B39D24F25E3B6.gpg differ
diff --git a/npth.spec b/npth.spec
index 3c9606d..77cc69b 100644
--- a/npth.spec
+++ b/npth.spec
@@ -1,16 +1,19 @@ Name: npth Version: 1.6 -Release: 9%{?dist} +Release: 10%{?dist} Summary: The New GNU Portable Threads library License: LGPLv2+ URL: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=npth.git -Source: https://gnupg.org/ftp/gcrypt/npth/%{name}-%{version}.tar.bz2 -#Source1: ftp://ftp.gnupg.org/gcrypt/npth/npth-%{version}.tar.bz2.sig +Source0: https://gnupg.org/ftp/gcrypt/npth/%{name}-%{version}.tar.bz2 +Source1: https://gnupg.org/ftp/gcrypt/npth/%{name}-%{version}.tar.bz2.sig +# Keyring generated from https://gnupg.org/devel/old-signature-keys.asc +Source2: gpgkey-D8692123C4065DEA5E0F3AB5249B39D24F25E3B6.gpg # Manual page is re-used and changed pth-config.1 from pth-devel package -Source2: npth-config.1 +Source3: npth-config.1 BuildRequires: make BuildRequires: gcc +BuildRequires: gnupg2 %description nPth is a non-preemptive threads implementation using an API very similar @@ -28,6 +31,7 @@ This package contains libraries and header files for developing applications that use %{name}. %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup %build @@ -36,7 +40,7 @@ developing applications that use %{name}. %install %make_install -install -Dpm0644 -t %{buildroot}%{_mandir}/man1 %{S:2} +install -Dpm0644 -t %{buildroot}%{_mandir}/man1 %{S:3} find %{buildroot} -name '*.la' -delete -print %check @@ -57,6 +61,9 @@ make check %{_datadir}/aclocal/%{name}.m4 %changelog +* Wed Aug 31 2022 Michael J Gruber - 1.6-10 +- reenable signature verification + * Fri Jul 22 2022 Fedora Release Engineering - 1.6-9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild diff --git a/sources b/sources index 46af25d..6f6c4b4 100644 --- a/sources +++ b/sources 
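Review bot: The comment above `Source2` in the first npth.spec hunk names the upstream key block but not how the committed binary keyring was derived from it, so a later maintainer cannot reproduce or audit the blob. I would extend it to record the key owner and the command actually used, along the lines of `# Werner Koch's key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6, filtered with: gpg --export --export-options export-minimal <fingerprint>` (adjusted to whatever was really run). The build only proves the tarball matches the key committed here, so the fingerprint in the file name should be compared against a channel independent of this repository when the keyring is reviewed.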
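Review bot: The `%{gpgverify}` line added to `%prep` depends on a key that the commit message says is already expired, and that caveat is recorded nowhere in the spec itself. I would add a comment directly above it such as `# Signing key has expired since this release was signed; replace Source2 when rebasing to a newer upstream release`, so the next packager sees it without reading the commit log. Whether the verification step keeps accepting a signature made by a now-expired key is not visible in this hunk and is worth confirming with a scratch build. Running the check before `%autosetup`, as done here, is the right order because nothing is unpacked from an unverified tarball.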
@@ -1 +1,2 @@
 SHA512 (npth-1.6.tar.bz2) = 2ed1012e14a9d10665420b9a23628be7e206fd9348111ec751349b93557ee69f1176bcf7e6b195b35b1c44a5e0e81ee33b713f03d79a33d1ecd9037035afeda2
+SHA512 (npth-1.6.tar.bz2.sig) = 9f466a94b686ec07b5acac7844a1a116059998c8dc00ca6761557706e7529a9b62322d23ce0c25d3379f67168ca62c3b720d6090eb1174b5352a018ea1b900c2