From 416e5f4990c749bebd217b7ee4fc4e0a76df08a6 Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Sat, 5 Jun 2021 12:30:22 -0400 Subject: use %{gpgverify} macro to verify tarball signature The macro is now available for all supported Fedora and EPEL releases. (It is presumed that EL-9 will include %{gpgverify} as it will be branched from F-34. If that turns out to be false, we will adjust later.) The Packaging Guidelines require the use of the %{gpgverify} macro: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures --- cgit.spec | 34 +++++++++++++--------------------- 1 file changed, 13 insertions(+), 21 deletions(-) (limited to 'cgit.spec') diff --git a/cgit.spec b/cgit.spec index ccd14c5..9574397 100644 --- a/cgit.spec +++ b/cgit.spec @@ -83,6 +83,11 @@ BuildRequires: highlight %endif BuildRequires: asciidoc +%if 0%{?rhel} && 0%{?rhel} < 9 +# Require epel-rpm-macros for the %%gpgverify macro on EL-7/EL-8, and +# %%build_cflags / %%build_ldflags on EL-7. +BuildRequires: epel-rpm-macros +%endif BuildRequires: gcc BuildRequires: gnupg2 BuildRequires: libcurl-devel 
@@ -118,23 +123,8 @@ Cgit is a fast web interface for git. It uses caching to increase performance. %prep # Verify GPG signatures -# -# Create a temp dir for gpg to ensure we don't use any existing keyrings or -# configuration -gpghome="$(mktemp -qd)" -# Both cgit and git sign the uncompressed tarballs. Uncompress the sources and -# verify them using the respective signing keys -verify_source() { - local src=$1 key=$2 ext=$3 tar - tar=${src/%.xz/} - xz -dc $src > $tar - gpg2 --dearmor --quiet --batch --yes $key >/dev/null - gpgv2 --homedir "$gpghome" --quiet --keyring $key.gpg $tar$ext $tar - rm -f $key.gpg $tar -} -verify_source %{SOURCE0} %{SOURCE90} .asc -verify_source %{SOURCE1} %{SOURCE91} .sign -rm -rf "$gpghome" +xz -dc '%{SOURCE0}' | %{gpgverify} --keyring='%{SOURCE90}' --signature='%{SOURCE92}' --data=- +xz -dc '%{SOURCE1}' | %{gpgverify} --keyring='%{SOURCE91}' --signature='%{SOURCE93}' --data=- # Ensure a blank line follows autosetup, el6 chokes otherwise # https://bugzilla.redhat.com/1310704 @@ -151,8 +141,8 @@ cp -p %{SOURCE3} . # Otherwise it will rebuild in %%install due to flags changes. cat << \EOF | tee cgit.conf V = 1 -CFLAGS = %{optflags} -LDFLAGS = %{?__global_ldflags} +CFLAGS = %{build_cflags} +LDFLAGS = %{build_ldflags} CACHE_ROOT = %{cachedir} CGIT_SCRIPT_PATH = %{scriptdir} CGIT_SCRIPT_NAME = cgit @@ -166,8 +156,8 @@ EOF # git build flags cat << \EOF | tee git/config.mak V = 1 -CFLAGS = %{optflags} -LDFLAGS = %{?__global_ldflags} +CFLAGS = %{build_cflags} +LDFLAGS = %{build_ldflags} NO_EXPAT = 1 NO_PERL = 1 NO_PYTHON = 1 
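Review bot: The comment explaining why the sources are decompressed before verification was removed along with the old `verify_source` helper, so the two `xz -dc ... | %{gpgverify} ... --data=-` lines in `%prep` no longer say that the signatures cover the uncompressed tarballs. I would keep one line above them, e.g. `# Upstream signs the uncompressed tarballs, so stream the xz -dc output to gpgverify via --data=-`. The signatures are now named by `%{SOURCE92}` and `%{SOURCE93}`, whose `Source:` declarations are outside this hunk; it is worth confirming they point at the `.asc` and `.sign` files the old code derived from the tarball name. The pipeline's exit status is that of `%{gpgverify}` alone, which presumably still fails closed on truncated `xz` output because the signature would not match.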
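Review bot: `CFLAGS = %{build_cflags}` and `LDFLAGS = %{build_ldflags}` in the `cgit.conf` heredoc (and the same pair in the `git/config.mak` hunk that follows) drop the conditional `%{?...}` form that the old `LDFLAGS` line used. Because the heredoc delimiter is quoted, only rpm expands these lines, and an undefined macro would be written into the file as literal text instead of an empty value. That is probably the safer failure mode, since the distribution's build flags cannot then be dropped silently, but it ties these lines to the `epel-rpm-macros` BuildRequires added earlier in this commit. A spec comment above each `cat << \EOF` line, such as `# %%{build_cflags} and %%{build_ldflags} need epel-rpm-macros on EL-7`, would make that link visible. Both heredocs continue outside their hunks.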
@@ -235,6 +225,8 @@ make test * Sat Jun 05 2021 Todd Zullinger - 1.2.3-5 - include output of cgit.conf and git/config.mak in build logs - explicitly disable expat, perl, python, and tcl/tk in git build +- use %%{gpgverify} macro to verify tarball signature +- use %%{build_cflags} and %%{build_ldflags} * Tue Jan 26 2021 Fedora Release Engineering - 1.2.3-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild -- cgit