PR#37: Verify upstream sources with GPG - rpms/python35

rpms / python35

#37 Verify upstream sources with GPG

Merged 4 years ago by churchyard. Opened 4 years ago by churchyard.

rpms/ churchyard/python35 verify into master

Miro Hrončok • 4 years ago

606c85e

.gitignore

file modified

		`@@ -9,3 +9,4 @@`
		`/Python-3.5.8rc1.tar.xz`
		`/Python-3.5.8rc2.tar.xz`
		`/Python-3.5.8.tar.xz`
		`+ /Python-3.5.8.tar.xz.asc`

pubkeys.txt

file added

+11542

The added file is too large to be shown here, see it at: pubkeys.txt

python35.spec

file modified

+8 -4

		`@@ -79,8 +79,10 @@`
		`# ==================`
		`# Top-level metadata`
		`# ==================`
		`- Summary: Version 3.5 of the Python programming language`
		`Name: python%{pyshortver}`
		`+ Summary: Version %{pybasever} of the Python programming language`
		`+ URL: https://www.python.org/`
		`+`
		`%global general_version %{pybasever}.8`
		`#global prerel ...`
		`%global upstream_version %{general_version}%{?prerel}`
		`@@ -115,6 +117,7 @@`
		`BuildRequires: glibc-all-langpacks`
		`BuildRequires: glibc-devel`
		`BuildRequires: gmp-devel`
		`+ BuildRequires: gnupg2`
		`BuildRequires: libffi-devel`
		`BuildRequires: libGL-devel`
		`BuildRequires: libX11-devel`
		`@@ -164,7 +167,9 @@`
		`# Source code and patches`
		`# =======================`

		`- Source: http://www.python.org/ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz`
		`+ Source0: %{url}ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz`
		`+ Source1: %{url}ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz.asc`
		`+ Source2: %{url}static/files/pubkeys.txt`

		`# Supply an RPM macro "py_byte_compile" for the python3-devel subpackage`
		`# to enable specfiles to selectively byte-compile individual files and paths`
		`@@ -421,8 +426,6 @@`
		`# Additional metadata, and subpackages`
		`# ======================================================`

		`- URL: http://www.python.org/`
		`-`
		`# We'll not provide this, on purpose`
		`# No package in Fedora shall ever depend on this`
		`# Provides: python(abi) = %%{pybasever}`
		`@@ -452,6 +455,7 @@`
		`# ======================================================`

		`%prep`
		`+ %gpgverify -k2 -s1 -d0`
		`%setup -q -n Python-%{upstream_version}`

		`%if 0%{?with_systemtap}`

sources

file modified

		`@@ -1,1 +1,2 @@`
		`SHA512 (Python-3.5.8.tar.xz) = ef36b234786a15592f69b0cd38421373e4713e314de847ebe6da4249fb09c467ba2a8d713dde355330ea0be995be4528912f71774e9418dee285ed891d2d2bd5`
		`+ SHA512 (Python-3.5.8.tar.xz.asc) = 9181d8e9fdb71eda72458b52cdf97d613c09bd58cd8dc46e3a749cffbbed28e3792d104a5234a60d0f454c8b73df7b989f4984e95a28155fa7186e6dadae8554`

churchyard commented 4 years ago

This is now a recommended thing to do:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification

Regardless if it adds actual security, it should prevent problems like this one:
https://mail.python.org/archives/list/python-dev@python.org/message/OYNQS2BZYABXACBRHBHV4RCEPQU5R6EP/

pkopkan commented 4 years ago

build's check for gpg is succesfull

Building target platforms: x86_64
Building for target x86_64
setting SOURCE_DATE_EPOCH=1572393600
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.ONwQBt
+ umask 022
+ cd /builddir/build/BUILD
+ /usr/lib/rpm/redhat/gpgverify --keyring=/builddir/build/SOURCES/pubkeys.txt --signature=/builddir/build/SOURCES/Python-3.5.8.tar.xz.asc --data=/builddir/build/SOURCES/Python-3.5.8.tar.xz
gpgv: Signature made Tue Oct 29 07:32:46 2019 CET
gpgv: using RSA key 97FC712E4C024BBEA48A61ED3A5CA953F73C700D
gpgv: Good signature from "Larry Hastings larry@hastings.org"
+ cd /builddir/build/BUILD
+ rm -rf Python-3.5.8
+ /usr/bin/xz -dc /builddir/build/SOURCES/Python-3.5.8.tar.xz

diff between pubkeys from PR and from https://www.python.org/static/files/pubkeys.txt
is empty.

Pull-Request has been merged by churchyard

4 years ago