From f081e18bccdfe23ea6b903e9c4e56d2dc9d2f294 Mon Sep 17 00:00:00 2001
From: Todd Zullinger
Date: Fri, 10 Aug 2018 23:58:45 -0400
Subject: verify upstream GPG signatures in %prep

Automate verification for both cgit and git tarballs. This is one less manual step for maintainers when updating a package.

The GPG key for git should generally be copied from the git package: https://src.fedoraproject.org/rpms/git/raw/master/f/gpgkey-junio.asc
---
 cgit.spec | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
(limited to 'cgit.spec')

diff --git a/cgit.spec b/cgit.spec
index 2ecc3a3..3618675 100644
--- a/cgit.spec
+++ b/cgit.spec
@@ -7,6 +7,10 @@
 %global scriptdir %{_localstatedir}/www/cgi-bin
 %global cgitdata %{_datadir}/%{name}
 
+# GPG signing key fingerprints
+%global gpg_cgit AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
+%global gpg_git 96E07AF25771955980DAD10020D04E5A713660A7
+
 # Disable automatic compilation of *.py files outside of python sitelib,
 # the *.py files in cgit are not importable python modules
 %global _python_bytecompile_extra 0
@@ -44,6 +48,26 @@ Source1: https://www.kernel.org/pub/software/scm/git/git-%{gitver}.tar.xz
 Source2: cgitrc
 Source3: README.SELinux
 
+# Jason A. Donenfeld's key is used to sign cgit releases.
+#https://www.zx2c4.com/keys/AB9942E6D4A4CFC3412620A749FC7012A5DE03AE.asc
+Source90: gpgkey-%{gpg_cgit}.asc
+
+# Junio C Hamano's key is used to sign git releases. It can be found in the
+# junio-gpg-pub tag within git.
+#
+# (Note that the tagged blob in git contains a version of the key with an
+# expired signing subkey. The subkey expiration has been extended on the
+# public keyservers, but the blob in git has not been updated.)
+#
+# https://git.kernel.org/cgit/git/git.git/tag/?h=junio-gpg-pub
+# https://git.kernel.org/cgit/git/git.git/blob/?h=junio-gpg-pub&id=7214aea37915ee2c4f6369eb9dea520aec7d855b
+# https://src.fedoraproject.org/rpms/git/raw/master/f/gpgkey-junio.asc
+Source91: gpgkey-%{gpg_git}.asc
+
+# Tarball signatures
+Source92: https://git.zx2c4.com/cgit/snapshot/%{name}-%{version}.tar.asc
+Source93: https://www.kernel.org/pub/software/scm/git/git-%{gitver}.tar.sign
+
 # All supported releases use highlight version 3.
 Patch0: cgit-0.9.1-highlightv3.patch
 
@@ -56,6 +80,7 @@ BuildRequires: highlight
 
 BuildRequires: asciidoc
 BuildRequires: gcc
+BuildRequires: gnupg2
 BuildRequires: libcurl-devel
 BuildRequires: openssl-devel
 BuildRequires: lua-devel
@@ -83,6 +108,27 @@ Requires: webserver
 Cgit is a fast web interface for git. It uses caching to increase performance.
 
 %prep
+# Verify GPG signatures
+#
+# Create a temp dir for gpg to ensure we don't use any existing keyrings or
+# configuration
+gpghome="$(mktemp -qd)"
+# Both cgit and git sign the uncompressed tarballs. Uncompress the sources and
+# verify them using the respective signing keys
+verify_source() {
+    local src=$1 key=$2 ext=$3 tar
+    tar=${src/%.xz/}
+    xz -dc $src > $tar
+    gpg2 --dearmor --quiet --batch --yes $key >/dev/null
+    gpgv2 --homedir "$gpghome" --quiet --keyring $key.gpg $tar$ext $tar
+    rm -f $key.gpg $tar
+}
+verify_source %{SOURCE0} %{SOURCE90} .asc
+verify_source %{SOURCE1} %{SOURCE91} .sign
+rm -rf "$gpghome"
+
+# Ensure a blank line follows autosetup, el6 chokes otherwise
+# https://bugzilla.redhat.com/1310704
 %autosetup -a 1 -p1
 
 # setup the git dir
@@ -175,6 +221,7 @@ make test
 %changelog
 * Fri Aug 10 2018 Todd Zullinger - 1.2.1-2
 - use git's default, collision-detecting SHA1 implementation
+- verify upstream GPG signatures in %%prep
 
 * Fri Aug 03 2018 Todd Zullinger - 1.2.1-1
 - Update to 1.2.1, fixes directory traversal vulnerability
-- cgit
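Review bot: The %{gpg_cgit}/%{gpg_git} fingerprints introduced in the first hunk are used only to name the key files, and nothing in verify_source() checks that Source90/Source91 actually contain those keys; gpgv2 accepts a signature from any key in the keyring it is handed, so a swapped or appended key in the .asc file would still verify. The dearmored `$key.gpg` is also written next to the sources instead of into `$gpghome`, and `$src`, `$key` and `$tar` are unquoted. Passing the expected fingerprint into verify_source(), dearmoring into `$gpghome`, and requiring that fingerprint in the keyring before gpgv2 runs ties the check to the documented value (sketch below; under rpmbuild's `sh -e` a failing `grep -q` aborts %prep). Separately, `mktemp -qd` suppresses the error that explains a failed temp-dir creation, so plain `mktemp -d` is preferable. The %prep section continues past the end of this hunk.
```sh
verify_source() {
    local src=$1 key=$2 fpr=$3 ext=$4 tar ring
    tar=${src/%.xz/}
    ring="$gpghome/$fpr.gpg"
    # Dearmor into the throwaway homedir and require the documented
    # fingerprint to be present: gpgv2 trusts every key in the keyring it
    # is handed, so without this the key file alone is the trust root.
    gpg2 --dearmor --quiet --batch --yes --output "$ring" "$key"
    gpg2 --homedir "$gpghome" --no-default-keyring --keyring "$ring" \
        --with-colons --fingerprint | grep -q "^fpr:.*:$fpr:"
    xz -dc "$src" > "$tar"
    gpgv2 --homedir "$gpghome" --quiet --keyring "$ring" "$tar$ext" "$tar"
    rm -f "$tar"
}
verify_source %{SOURCE0} %{SOURCE90} %{gpg_cgit} .asc
verify_source %{SOURCE1} %{SOURCE91} %{gpg_git} .sign
# … unchanged: rm -rf "$gpghome" and the autosetup comment …
```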