authorTodd Zullinger <tmz@pobox.com>2018-08-10 23:58:45 -0400
committerTodd Zullinger <tmz@pobox.com>2018-08-11 00:06:06 -0400
commitf081e18bccdfe23ea6b903e9c4e56d2dc9d2f294 (patch)
tree957a9b536d87c9c9a9426054c3cbbaa9ac94653c /cgit.spec
parentba224e3693bdf458869ce8093dfe66239e147bb9 (diff)
verify upstream GPG signatures in %prep
Automate verification for both cgit and git tarballs. This is one less manual step for maintainers when updating a package. The GPG key for git should generally be copied from the git package: https://src.fedoraproject.org/rpms/git/raw/master/f/gpgkey-junio.asc
Diffstat (limited to 'cgit.spec')
-rw-r--r--cgit.spec47
1 files changed, 47 insertions, 0 deletions
diff --git a/cgit.spec b/cgit.spec
index 2ecc3a3..3618675 100644
--- a/cgit.spec
+++ b/cgit.spec
@@ -7,6 +7,10 @@
%global scriptdir %{_localstatedir}/www/cgi-bin
%global cgitdata %{_datadir}/%{name}
+# GPG signing key fingerprints
+%global gpg_cgit AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
+%global gpg_git 96E07AF25771955980DAD10020D04E5A713660A7
+
# Disable automatic compilation of *.py files outside of python sitelib,
# the *.py files in cgit are not importable python modules
%global _python_bytecompile_extra 0
@@ -44,6 +48,26 @@ Source1: https://www.kernel.org/pub/software/scm/git/git-%{gitver}.tar.xz
Source2: cgitrc
Source3: README.SELinux
+# Jason A. Donenfeld's key is used to sign cgit releases.
+#https://www.zx2c4.com/keys/AB9942E6D4A4CFC3412620A749FC7012A5DE03AE.asc
+Source90: gpgkey-%{gpg_cgit}.asc
+
+# Junio C Hamano's key is used to sign git releases. It can be found in the
+# junio-gpg-pub tag within git.
+#
+# (Note that the tagged blob in git contains a version of the key with an
+# expired signing subkey. The subkey expiration has been extended on the
+# public keyservers, but the blob in git has not been updated.)
+#
+# https://git.kernel.org/cgit/git/git.git/tag/?h=junio-gpg-pub
+# https://git.kernel.org/cgit/git/git.git/blob/?h=junio-gpg-pub&id=7214aea37915ee2c4f6369eb9dea520aec7d855b
+# https://src.fedoraproject.org/rpms/git/raw/master/f/gpgkey-junio.asc
+Source91: gpgkey-%{gpg_git}.asc
+
+# Tarball signatures
+Source92: https://git.zx2c4.com/cgit/snapshot/%{name}-%{version}.tar.asc
+Source93: https://www.kernel.org/pub/software/scm/git/git-%{gitver}.tar.sign
+
# All supported releases use highlight version 3.
Patch0: cgit-0.9.1-highlightv3.patch
@@ -56,6 +80,7 @@ BuildRequires: highlight
BuildRequires: asciidoc
BuildRequires: gcc
+BuildRequires: gnupg2
BuildRequires: libcurl-devel
BuildRequires: openssl-devel
BuildRequires: lua-devel
@@ -83,6 +108,27 @@ Requires: webserver
Cgit is a fast web interface for git. It uses caching to increase performance.
%prep
+# Verify GPG signatures
+#
+# Create a temp dir for gpg to ensure we don't use any existing keyrings or
+# configuration
+gpghome="$(mktemp -qd)"
+# Both cgit and git sign the uncompressed tarballs. Uncompress the sources and
+# verify them using the respective signing keys
+verify_source() {
+ local src=$1 key=$2 ext=$3 tar
+ tar=${src/%.xz/}
+ xz -dc $src > $tar
+ gpg2 --dearmor --quiet --batch --yes $key >/dev/null
+ gpgv2 --homedir "$gpghome" --quiet --keyring $key.gpg $tar$ext $tar
+ rm -f $key.gpg $tar
+}
+verify_source %{SOURCE0} %{SOURCE90} .asc
+verify_source %{SOURCE1} %{SOURCE91} .sign
+rm -rf "$gpghome"
+
+# Ensure a blank line follows autosetup, el6 chokes otherwise
+# https://bugzilla.redhat.com/1310704
%autosetup -a 1 -p1
# setup the git dir
@@ -175,6 +221,7 @@ make test
%changelog
* Fri Aug 10 2018 Todd Zullinger <tmz@pobox.com> - 1.2.1-2
- use git's default, collision-detecting SHA1 implementation
+- verify upstream GPG signatures in %%prep
* Fri Aug 03 2018 Todd Zullinger <tmz@pobox.com> - 1.2.1-1
- Update to 1.2.1, fixes directory traversal vulnerability
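Review bot: In the %prep hunk, the fingerprints pinned in gpg_cgit/gpg_git are used only to build the key file names, so verify_source trusts whatever key Source90/Source91 happen to contain without confirming it carries the pinned fingerprint, and the detached signature is located by string-editing the tarball path rather than taken from Source92/Source93. Passing the signature, key and fingerprint explicitly, checking the `fpr:` line of the dearmored keyring against the pinned value, and writing the decompressed tarball and the keyring into `$gpghome` instead of next to the sources would close both gaps and leave a single place to clean up. Since %prep runs under `set -e`, a failed gpgv2 currently abandons the decompressed tarball and `$key.gpg` in SOURCES and never reaches `rm -rf "$gpghome"`; the scratch-dir layout below avoids that. The %prep section continues past the end of the hunk.
```rpm-spec
verify_source() {
	local src=$1 sig=$2 key=$3 fpr=$4 tar keyring
	# Decompress and dearmor into the scratch dir so nothing is written next to the sources
	tar="$gpghome/$(basename "${src%.xz}")"
	keyring="$gpghome/$fpr.gpg"
	xz -dc "$src" > "$tar"
	gpg2 --dearmor --quiet --batch --yes -o "$keyring" "$key"
	# The shipped key file must actually carry the fingerprint we pinned above
	gpg2 --homedir "$gpghome" --batch --quiet --no-default-keyring \
		--keyring "$keyring" --with-colons --fingerprint | grep -q "^fpr:.*:$fpr:$"
	gpgv2 --homedir "$gpghome" --quiet --keyring "$keyring" "$sig" "$tar"
	rm -f "$tar"
}
verify_source %{SOURCE0} %{SOURCE92} %{SOURCE90} %{gpg_cgit}
verify_source %{SOURCE1} %{SOURCE93} %{SOURCE91} %{gpg_git}
# … unchanged: rm -rf "$gpghome" and the %autosetup comment …
```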