#3 use GPG source file verification
Closed 2 months ago by elyscape. Opened 2 months ago by fschwarz.
rpms/ fschwarz/python-acme master  into  master

empty or binary file added
file modified
+12 -2

@@ -16,11 +16,16 @@ 

  

  Name:           python-acme

  Version:        0.39.0

- Release:        1%{?dist}

+ Release:        2%{?dist}

  Summary:        Python library for the ACME protocol

  License:        ASL 2.0

  URL:            https://pypi.python.org/pypi/acme

- Source0:        https://files.pythonhosted.org/packages/source/a/%{srcname}/%{srcname}-%{version}.tar.gz

+ Source0:        %pypi_source

+ Source1:        %{pypi_source}.asc

+ # key mentioned in docs https://certbot.eff.org/docs/install.html#certbot-auto

+ # gpg2 --keyserver pool.sks-keyservers.net --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2

+ # gpg2 --export --export-options export-minimal A2CFB51FA275A7286234E7B24D17C995CD9775F2 > gpg-A2CFB51FA275A7286234E7B24D17C995CD9775F2.gpg

+ Source2:        gpg-A2CFB51FA275A7286234E7B24D17C995CD9775F2.gpg

  

  # When running tests argparse is not recognised as provided by core

  

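Review bot: Source0 is written as bare %pypi_source while Source1 uses the braced %{pypi_source}.asc; writing both with braces keeps the two lines visibly parallel. The two comment lines above Source2 are what make the committed binary keyring reviewable: they record the full fingerprint and the exact `--export --export-options export-minimal` command, so a reviewer can re-run them, compare the result with gpg-A2CFB51FA275A7286234E7B24D17C995CD9775F2.gpg and check the fingerprint against the certbot docs URL given. Keep those comments in sync with the file if upstream ever rotates the key.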
@@ -28,6 +33,7 @@ 

  Patch0:         epel7-setup.patch

  %endif

  

+ BuildRequires:  gnupg2

  %if %{with python2}

  BuildRequires:  python2-devel

  BuildRequires:  python2-sphinx

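Review bot: BuildRequires: gnupg2 is correctly placed outside the %if %{with python2} block and outside the EPEL7 conditional that wraps Patch0, since the verification in %prep runs unconditionally; a one-line comment saying it exists for %{gpgverify} would stop a later cleanup from dropping it as an apparently unused dependency.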
@@ -162,6 +168,7 @@ 

  %endif

  

  %prep

+ %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'

  %autosetup -p1 -n %{srcname}-%{version}

  

  

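Review bot: the %{gpgverify} call correctly precedes %autosetup, so the tarball is checked before anything is extracted or patched, and the quoted '%{SOURCEn}' arguments are safe for paths with spaces. Because this spec also targets EPEL7 (Patch0: epel7-setup.patch), confirm that %{gpgverify} is defined in that buildroot: an undefined macro is left unexpanded, and %prep would then fail with a command-not-found error rather than a signature failure.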
@@ -231,6 +238,9 @@ 

  %endif

  

  %changelog

+ * Thu Nov 21 2019 Felix Schwarz <fschwarz@fedoraproject.org> 0.39.0-2

+ - use GPG source file verification

+ 

  * Tue Oct 01 2019 Eli Young <elyscape@gmail.com> - 0.39.0-1

  - Update to 0.39.0 (#1757606)

  

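Review bot: the new changelog header omits the " - " separator before the version that the existing entry uses ("Eli Young <elyscape@gmail.com> - 0.39.0-1"); write it as "* Thu Nov 21 2019 Felix Schwarz <fschwarz@fedoraproject.org> - 0.39.0-2" so the two entries match. rpm accepts both forms, so this is cosmetic.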
file modified
+1

@@ -1,1 +1,2 @@ 

  SHA512 (acme-0.39.0.tar.gz) = 1a59fd4a7dce6c5eb0564a1fb8f6b39b88fccaf3c4a03949b391862a9a937ccc8f81dc99b347a343c73834d006e05b515bfe1daa3f24fd6caa8c0fd8100293b4

+ SHA512 (acme-0.39.0.tar.gz.asc) = da15b67f9cb78c673b5e61da4343dbc3b361e801f082ee7a32ac5ab9b3cebed121a8c064d4eed87e7ebdc9e22b848623cba24b633c87cb3c7655d4c3023aba83

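Review bot: adding acme-0.39.0.tar.gz.asc to sources makes the lookaside cache deliver the signature next to the tarball, but the SHA512 here only pins the signature file; the trust decision rests on the keyring committed as Source2, so that fingerprint, not this hash, is what a reviewer has to check. The existing line for acme-0.39.0.tar.gz is untouched, which confirms the tarball itself has not changed in this PR.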
Source files will be verified automatically as recommended by packaging policy:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification

ping?

If you don't feel confident enough to update to 0.40.0, this PR should be pretty simple to check:
- fedpkg prep (check that GPG verification shows up in stdout)
- spectool -g python-acme.spec to ensure the key is actually at the given HTTPS address
- inspect the key if you like
- fedpkg new-sources acme-0.39.0.tar.gz.asc
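For reviewers who want to see what the `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` line in the spec actually checks, the following script is an added example, not code from this PR or from the python-acme package. It builds a throwaway key, a constructed stand-in tarball, a detached .asc signature and an export-minimal keyring (mirroring the commands in the spec comment), then verifies with `gpgv` the way the macro does: only the supplied keyring counts, there is no web of trust. It assumes `gpg` (GnuPG 2.x) and `gpgv` are on PATH; every file and key name is constructed locally.

```shell
#!/bin/sh
# Added example, not part of the PR: reproduce what the spec's %{gpgverify}
# call does in %prep, with a throwaway key instead of the upstream certbot key.
# Assumes gpg (GnuPG 2.x) and gpgv are installed; every file is constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"

TARBALL="$WORK/acme-0.39.0.tar.gz"          # stands in for Source0
SIG="$WORK/acme-0.39.0.tar.gz.asc"          # stands in for Source1
KEYRING="$WORK/gpg-RELEASE-KEY.gpg"         # stands in for Source2
EMPTY_KEYRING="$WORK/empty.gpg"             # keyring that does not contain the signer
TAMPERED="$WORK/acme-0.39.0-tampered.tar.gz"

# Constructed "tarball": the content is irrelevant, only that it gets signed.
printf 'constructed stand-in for acme-0.39.0.tar.gz\n' > "$TARBALL"

# Throwaway signing key standing in for the upstream release key.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Example Release Key <release@example.invalid>' default default never
FPR=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }')

# Detached ASCII-armored signature, the same form as the .asc in the lookaside cache.
gpg --batch --quiet --armor --detach-sign --output "$SIG" "$TARBALL"

# Minimal public keyring, the same export the spec comment documents for Source2.
gpg --batch --export --export-options export-minimal "$FPR" > "$KEYRING"
: > "$EMPTY_KEYRING"

# verify_source KEYRING SIGNATURE DATA
# gpgv trusts exactly the keys in the given keyring (no default keyring, no
# web of trust), which is the property the %{gpgverify} macro relies on.
# Returns 0 for a good signature by a key in KEYRING, non-zero otherwise.
verify_source() {
    gpgv --keyring "$1" "$2" "$3" >/dev/null 2>&1
}

# The three outcomes a reviewer of this PR cares about. Returns 0 only when the
# genuine tarball verifies AND a modified tarball AND an unknown signer are rejected.
check_all() {
    verify_source "$KEYRING" "$SIG" "$TARBALL" || return 1
    cp "$TARBALL" "$TAMPERED"
    printf 'one extra byte\n' >> "$TAMPERED"        # modified data, same signature
    if verify_source "$KEYRING" "$SIG" "$TAMPERED"; then return 1; fi
    if verify_source "$EMPTY_KEYRING" "$SIG" "$TARBALL"; then return 1; fi
    return 0
}

if check_all; then
    echo "genuine tarball verified; tampered data and unknown signer rejected"
else
    echo "verification behaved unexpectedly" >&2
    exit 1
fi
```

The second and third cases are the ones that matter for a packager: a hash in `sources` only proves the .asc file is unchanged, whereas `gpgv` with the committed keyring proves the tarball was signed by the key whose fingerprint the spec comment records. Using a keyring other than that one (here, an empty file) must fail even though the signature itself is valid.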

@fschwarz Apologies for the delay on this. I'll be taking a look shortly.

This looks good. I won't be merging it just yet, as I'm going to want to make similar changes to the numerous other certbot packages when I do. Thanks for your work on this.

btw: if you want to merge this (as opposed to redoing it yourself) better do it before adding other changes so you don't generate changelog conflicts (no need to push out a build). Anyway: Looking forward to a new certbot + EPEL8.

GPG signature validation pulled in manually.

Pull-Request has been closed by elyscape

2 months ago