author | Todd Zullinger <tmz@pobox.com> | 2021-06-05 12:30:22 -0400 |
---|---|---|
committer | Todd Zullinger <tmz@pobox.com> | 2021-06-06 16:15:25 -0400 |
commit | 416e5f4990c749bebd217b7ee4fc4e0a76df08a6 (patch) | |
tree | 112038f5e8ece7ab72e44165b1dcb8ebc4c7bd87 | |
parent | 19892e550d2bfb4241cd4cfce791ffae7cfecc42 (diff) | |
download | cgit_EL6-416e5f4990c749bebd217b7ee4fc4e0a76df08a6.tar.gz |
use %{gpgverify} macro to verify tarball signature
The macro is now available for all supported Fedora and EPEL releases.
(It is presumed that EL-9 will include %{gpgverify} as it will be
branched from F-34. If that turns out to be false, we will adjust
later.)
The Packaging Guidelines require the use of the %{gpgverify} macro:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
-rw-r--r-- | cgit.spec | 34 |
1 files changed, 13 insertions, 21 deletions
@@ -83,6 +83,11 @@ BuildRequires: highlight %endif BuildRequires: asciidoc +%if 0%{?rhel} && 0%{?rhel} < 9 +# Require epel-rpm-macros for the %%gpgverify macro on EL-7/EL-8, and +# %%build_cflags / %%build_ldflags on EL-7. +BuildRequires: epel-rpm-macros +%endif BuildRequires: gcc BuildRequires: gnupg2 BuildRequires: libcurl-devel @@ -118,23 +123,8 @@ Cgit is a fast web interface for git. It uses caching to increase performance. %prep # Verify GPG signatures -# -# Create a temp dir for gpg to ensure we don't use any existing keyrings or -# configuration -gpghome="$(mktemp -qd)" -# Both cgit and git sign the uncompressed tarballs. Uncompress the sources and -# verify them using the respective signing keys -verify_source() { - local src=$1 key=$2 ext=$3 tar - tar=${src/%.xz/} - xz -dc $src > $tar - gpg2 --dearmor --quiet --batch --yes $key >/dev/null - gpgv2 --homedir "$gpghome" --quiet --keyring $key.gpg $tar$ext $tar - rm -f $key.gpg $tar -} -verify_source %{SOURCE0} %{SOURCE90} .asc -verify_source %{SOURCE1} %{SOURCE91} .sign -rm -rf "$gpghome" +xz -dc '%{SOURCE0}' | %{gpgverify} --keyring='%{SOURCE90}' --signature='%{SOURCE92}' --data=- +xz -dc '%{SOURCE1}' | %{gpgverify} --keyring='%{SOURCE91}' --signature='%{SOURCE93}' --data=- # Ensure a blank line follows autosetup, el6 chokes otherwise # https://bugzilla.redhat.com/1310704 @@ -151,8 +141,8 @@ cp -p %{SOURCE3} . # Otherwise it will rebuild in %%install due to flags changes. cat << \EOF | tee cgit.conf V = 1 -CFLAGS = %{optflags} -LDFLAGS = %{?__global_ldflags} +CFLAGS = %{build_cflags} +LDFLAGS = %{build_ldflags} CACHE_ROOT = %{cachedir} CGIT_SCRIPT_PATH = %{scriptdir} CGIT_SCRIPT_NAME = cgit @@ -166,8 +156,8 @@ EOF # git build flags cat << \EOF | tee git/config.mak V = 1 -CFLAGS = %{optflags} -LDFLAGS = %{?__global_ldflags} +CFLAGS = %{build_cflags} +LDFLAGS = %{build_ldflags} NO_EXPAT = 1 NO_PERL = 1 NO_PYTHON = 1 
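Review bot: The `%if 0%{?rhel} && 0%{?rhel} < 9` guard around `BuildRequires: epel-rpm-macros` rests on an assumption that only the commit message records, namely that EL-9 will ship `%{gpgverify}` itself. I would state it in the spec comment as well, e.g. `# EL-9 is presumed to provide %%gpgverify natively; extend this condition if it does not.` If the macro were missing, rpm would presumably leave `%{gpgverify}` unexpanded and the %prep pipeline would fail, so the signature check should break the build rather than be skipped. That is worth confirming on the first EL-9 build.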
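Review bot: The two `xz -dc ... | %{gpgverify} ... --data=-` lines in %prep no longer say why the sources are decompressed first, because the removed comment explaining that cgit and git sign the uncompressed tarballs is not replaced. I would keep one line above them, `# Upstream signs the uncompressed tarballs, so decompress to stdin (--data=-)`. The signature files are now referenced by number (`%{SOURCE92}`, `%{SOURCE93}`) instead of being derived from the tarball name, and their `Source` tags are outside the hunk, so it is worth confirming that each one pairs with the right tarball and keyring. A mismatch should fail the check rather than pass it, since the pipeline's exit status is that of `%{gpgverify}`.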
@@ -235,6 +225,8 @@ make test * Sat Jun 05 2021 Todd Zullinger <tmz@pobox.com> - 1.2.3-5 - include output of cgit.conf and git/config.mak in build logs - explicitly disable expat, perl, python, and tcl/tk in git build +- use %%{gpgverify} macro to verify tarball signature +- use %%{build_cflags} and %%{build_ldflags} * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.3-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild |