PR#38: Verify upstream sources with GPG - rpms/python37

rpms / python37

#38 Verify upstream sources with GPG

Merged 4 years ago by churchyard. Opened 4 years ago by churchyard.

rpms/ churchyard/python37 verify into master

Verify upstream sources with GPG

Miro Hrončok • 4 years ago

7c63bf9

pubkeys.txt

file added

+11542

The added file is too large to be shown here, see it at: pubkeys.txt

python37.spec

file modified

+5 -1

		`@@ -164,6 +164,7 @@`
		`BuildRequires: glibc-all-langpacks`
		`BuildRequires: glibc-devel`
		`BuildRequires: gmp-devel`
		`+ BuildRequires: gnupg2`
		`BuildRequires: libappstream-glib`
		`BuildRequires: libffi-devel`
		`BuildRequires: libnsl2-devel`
		`@@ -210,7 +211,9 @@`
		`# Source code and patches`
		`# =======================`

		`- Source: https://www.python.org/ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz`
		`+ Source0: %{url}ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz`
		`+ Source1: %{url}ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz.asc`
		`+ Source2: %{url}static/files/pubkeys.txt`

		`# A simple script to check timestamps of bytecode files`
		`# Run in check section with Python that is currently being built`
		`@@ -601,6 +604,7 @@`
		`# ======================================================`

		`%prep`
		`+ %gpgverify -k2 -s1 -d0`
		`%setup -q -n Python-%{upstream_version}`
		`# Remove all exe files to ensure we are not shipping prebuilt binaries`
		`# note that those are only used to create Microsoft Windows installers`

sources

file modified

		`@@ -1,1 +1,2 @@`
		`SHA512 (Python-3.7.5.tar.xz) = f4f3879881f260f58dbb041fb0f2f210d4b70b02a739e41e50e6fea67d31855a7a29ce4ebef66bfde3d0edf54b946a48f78490f986da965357b835d4dbb3f414`
		`+ SHA512 (Python-3.7.5.tar.xz.asc) = f06e0cf03e124ec04b0367e36c4c8a370658c257189b4ee5de5d6342d2d718ac569b8fd4db77e31c82c3a4c3a8ee3b3f1e9e29d3dfe14a630f335a856ed867bc`

churchyard commented 4 years ago

This is now a recommended thing to do:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification

Regardless if it adds actual security, it should prevent problems like this one:
https://mail.python.org/archives/list/python-dev@python.org/message/OYNQS2BZYABXACBRHBHV4RCEPQU5R6EP/

pkopkan commented 4 years ago

build's check of key is succesful
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.901kut
+ umask 022
+ cd /builddir/build/BUILD
+ /usr/lib/rpm/redhat/gpgverify --keyring=/builddir/build/SOURCES/pubkeys.txt --signature=/builddir/build/SOURCES/Python-3.7.5.tar.xz.asc --data=/builddir/build/SOURCES/Python-3.7.5.tar.xz
gpgv: Signature made Tue Oct 15 01:17:04 2019 CEST
gpgv: using RSA key 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
gpgv: Good signature from "Ned Deily (Python release signing key) nad@python.org"
gpgv: aka "Ned Deily (Python release signing key) nad@acm.org"
gpgv: aka "Ned Deily nad@baybryj.net"
gpgv: aka "keybase.io/nad nad@keybase.io"
+ cd /builddir/build/BUILD