7c63bf9
@@ -164,6 +164,7 @@
BuildRequires: glibc-all-langpacks
BuildRequires: glibc-devel
BuildRequires: gmp-devel
+ BuildRequires: gnupg2
BuildRequires: libappstream-glib
BuildRequires: libffi-devel
BuildRequires: libnsl2-devel
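Review bot: the new `BuildRequires: gnupg2` is the dependency the `%gpgverify` call added in %prep needs, since the macro shells out to gpgv (the build log in the discussion below shows `gpgv:` performing the check), and it is placed in the correct alphabetical position between gmp-devel and libappstream-glib. Nothing to change, but keep the two in step: if the `%gpgverify` line is ever removed, this BuildRequires should go with it, and vice versa.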
@@ -210,7 +211,9 @@
# Source code and patches
# =======================
- Source: https://www.python.org/ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz
+ Source0: %{url}ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz
+ Source1: %{url}ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz.asc
+ Source2: %{url}static/files/pubkeys.txt
# A simple script to check timestamps of bytecode files
# Run in check section with Python that is currently being built
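Review bot: `%{url}ftp/python/...` in Source0/Source1 and `%{url}static/files/pubkeys.txt` in Source2 only expand to valid URLs if the `URL:` tag ends with a trailing slash (`https://www.python.org/`); that tag is outside this hunk, so check it, otherwise `%{url}ftp` expands to `https://www.python.orgftp`. Also note that Source2 comes from the same origin as the tarball and its signature, so an attacker controlling python.org could serve a matching key; the actual trust anchor is the copy of pubkeys.txt checked into dist-git (there is no lookaside entry for it in the `sources` hunk), and the URL is documentation only. Suggest a comment above Source2 saying so, e.g. `# Keyring is committed to dist-git; review any update against the upstream file`, since the byte-for-byte comparison with the upstream download was done by hand in this PR and has to be repeated whenever the file changes.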
@@ -601,6 +604,7 @@
# ======================================================
%prep
+ %gpgverify -k2 -s1 -d0
%setup -q -n Python-%{upstream_version}
# Remove all exe files to ensure we are not shipping prebuilt binaries
# note that those are only used to create Microsoft Windows installers
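Review bot: `%gpgverify -k2 -s1 -d0` is correctly placed before `%setup`, so a missing or bad signature aborts the build before the tarball is unpacked (the %prep script runs under `sh -e`, as the log in the discussion shows). Two caveats deserve a comment in the spec: gpgv treats every key in the supplied keyring as trustworthy and, per its man page, does not check for expired or revoked keys, so any key in pubkeys.txt satisfies this check; and a good signature only proves the tarball is the one a holder of one of those keys signed, not that the release itself is sound. Suggest `# Verify the tarball against the release managers' keys (Source2) before unpacking` above the macro call.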
@@ -1,1 +1,2 @@
SHA512 (Python-3.7.5.tar.xz) = f4f3879881f260f58dbb041fb0f2f210d4b70b02a739e41e50e6fea67d31855a7a29ce4ebef66bfde3d0edf54b946a48f78490f986da965357b835d4dbb3f414
+ SHA512 (Python-3.7.5.tar.xz.asc) = f06e0cf03e124ec04b0367e36c4c8a370658c257189b4ee5de5d6342d2d718ac569b8fd4db77e31c82c3a4c3a8ee3b3f1e9e29d3dfe14a630f335a856ed867bc
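Review bot: the .asc is now pinned in the lookaside cache, but pubkeys.txt has no entry here, which means the keyring must be committed to dist-git itself. That is the right choice (a git-tracked keyring shows up in diffs, a lookaside copy would be pinned only by a hash nobody reviews), but it should be stated in the spec or the commit message. Two points for future updates: both lines have to be replaced together on every rebase (`fedpkg new-sources Python-X.tar.xz Python-X.tar.xz.asc`), since a stale .asc would make `%gpgverify` fail the build; and the SHA512 of a detached signature is not an independent check of the tarball, it only ensures the .asc in the cache is the one the packager uploaded. The cryptographic binding to the tarball comes from the gpgv step, not from this hash.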
This is now a recommended thing to do: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
Regardless of whether it adds actual security, it should prevent problems like this one: https://mail.python.org/archives/list/python-dev@python.org/message/OYNQS2BZYABXACBRHBHV4RCEPQU5R6EP/
Build's check of key is successful:

Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.901kut
+ umask 022
+ cd /builddir/build/BUILD
+ /usr/lib/rpm/redhat/gpgverify --keyring=/builddir/build/SOURCES/pubkeys.txt --signature=/builddir/build/SOURCES/Python-3.7.5.tar.xz.asc --data=/builddir/build/SOURCES/Python-3.7.5.tar.xz
gpgv: Signature made Tue Oct 15 01:17:04 2019 CEST
gpgv:                using RSA key 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
gpgv: Good signature from "Ned Deily (Python release signing key) <nad@python.org>"
gpgv:                 aka "Ned Deily (Python release signing key) <nad@acm.org>"
gpgv:                 aka "Ned Deily <nad@baybryj.net>"
gpgv:                 aka "keybase.io/nad <nad@keybase.io>"
+ cd /builddir/build/BUILD

and diff of downloaded pubkeys and pubkeys from PR is empty:

wget https://www.python.org/static/files/pubkeys.txt
diff pubkeys.txt pubkeys.txt.1
Pull-Request has been merged by churchyard
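The signature check above covers the tarball; the other half of Fedora's source verification is the `sources` file that pins each downloaded file (including the new .asc) by hash. As an added example, not code from this pull request or from fedpkg, the script below re-implements that pinning: it parses the `SHA512 (filename) = hexdigest` format shown in the diff, hashes the files in a SOURCES directory, and reports a verdict per file, including the two failure modes a packager hits most (a file that was never downloaded, and a file that changed after `sources` was written). The tarball, signature and hashes it uses are constructed inside the script so it runs offline.

```python
"""Verify files against a Fedora dist-git `sources` file.

Added example, not code from the python37 pull request or from fedpkg: it
re-implements the hash pinning that the `sources` file relies on, in the
format shown in the PR (`SHA512 (filename) = hexdigest`, one entry per line).
The tarball, signature and hashes used in demo() are constructed here so
the script runs offline.
"""
import hashlib
import os
import re
import tempfile

# One entry per line: ALGO (filename) = hexdigest
SOURCES_LINE = re.compile(
    r"^(?P<algo>[A-Za-z0-9]+) \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]+)$"
)


def parse_sources(text):
    """Return [(algorithm, filename, digest), ...] from `sources` content.

    Blank lines are skipped. Any other malformed line raises ValueError:
    silently ignoring it would leave that file unpinned.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = SOURCES_LINE.match(line)
        if not m:
            raise ValueError(f"sources line {lineno} is malformed: {line!r}")
        algo = m.group("algo").lower()
        try:
            hashlib.new(algo)
        except ValueError:
            raise ValueError(f"sources line {lineno}: unsupported hash {algo!r}")
        entries.append((algo, m.group("name"), m.group("digest").lower()))
    return entries


def file_digest(path, algo):
    """Hex digest of a file, streamed so large tarballs are not read at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sources(sources_text, directory):
    """Check every file pinned in `sources_text` against `directory`.

    Returns {filename: "ok" | "missing" | "mismatch"}. A missing file is
    reported rather than skipped, because %prep would otherwise fail later
    with a less specific error.
    """
    results = {}
    for algo, name, digest in parse_sources(sources_text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif file_digest(path, algo) != digest:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed SOURCES directory: a stand-in tarball whose hash matches,
    a detached signature altered after `sources` was written, and a pinned
    file that was never downloaded. Returns the verdicts."""
    tarball = b"constructed stand-in for Python-3.7.5.tar.xz, not the real archive\n"
    sig = b"-----BEGIN PGP SIGNATURE-----\nconstructed stand-in\n-----END PGP SIGNATURE-----\n"
    sources_text = "\n".join([
        f"SHA512 (Python-3.7.5.tar.xz) = {hashlib.sha512(tarball).hexdigest()}",
        f"SHA512 (Python-3.7.5.tar.xz.asc) = {hashlib.sha512(sig).hexdigest()}",
        f"SHA512 (extra-patch.tar.gz) = {'0' * 128}",  # hypothetical file, never fetched
        "",
    ])
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "Python-3.7.5.tar.xz"), "wb") as f:
            f.write(tarball)
        with open(os.path.join(d, "Python-3.7.5.tar.xz.asc"), "wb") as f:
            f.write(sig + b"\n")  # one extra byte: the pinned hash no longer matches
        return verify_sources(sources_text, d)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:9} {name}")
```

Pointing `verify_sources()` at a real `sources` file and `~/rpmbuild/SOURCES` reproduces the check that `fedpkg sources` does on download; the point of the example is that this hash pin and the `%gpgverify` step are complementary, the first fixing which bytes the build uses, the second tying those bytes to a release manager's key.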