Verify GPG signature of upstream tarball when building the package
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures > Any detached signature file (e.g. foo.tar.gz.asc or foo.tar.gz.sig) must be > uploaded to the package lookaside cache alongside the source code, while > the keyring must be committed directly to the package SCM. Closes: https://src.fedoraproject.org/rpms/csdiff/pull-request/1
This commit is contained in:
Miro Hrončok
Kamil Dudka
parent
54d3e338e7
commit
ebd8f4efe1
|
|
@ -1 +1,2 @@
|
|||
/csdiff-*.tar.xz
|
||||
/csdiff-*.tar.xz.asc
|
||||
|
|
|
|||
|
|
@ -1,16 +0,0 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCAAdFiEEmSqW4HUFbnnNghT5hz2zdXKjezYFAmIwQ/gACgkQhz2zdXKj
|
||||
ezb1exAAhXvIQf9SIEXPrUzV4aM9wMXxrziBo1nuM9saGooaRWwiwnclYxYy7MTs
|
||||
BYM2HLnadmIae9jyKUI3IkwY8WqigcvIGDRY1yahI3i4j+tbiE8fwua/RREPqHyB
|
||||
J3LDLGbZ1gCF7tAC/9X8GHRci6mJH2AyBOZWkkmyIxbFfSKkGnrNQButr4eqeIth
|
||||
sBexEFIHKWdfxrTWLL0ZunLI+trXtugs/nUiA8RRgHI5fxU47hOvJTC+qh2UdIL0
|
||||
pMWwavCzaV9VjErvqlZVeUTejYbFyUJPkl0BWcKFX8chd0PBdbB+x/tHx1lVkW97
|
||||
P+TdGi0F24uF3DKaNk2p2EYfywZ3u3IAG3RiyJE+qYdukDiEEIIMH9SzvF+1V2/X
|
||||
5sH9wEuMvRsqe6Io4wFoN0fYvg9H/4OmFrhlm0TuA8lWtbhMaCjmVF973Y3n47jj
|
||||
YkbUPZTkYyBDnTCfLllPqZwK2Ulhb93RQJmZNrn4VxHnshO3V0EFidUiGKMDeHJ5
|
||||
ylKbx6WXlUwWQijcp5TAarePebCXe//hmE8R8ZOWBz2yw4fgY6p0njHx5/Twty5n
|
||||
tivQ1RHwc4o0sVhYyHsMd6SNXcgR7lM9bb21gI/NAXXOLmnMeAi/KKfZxz0meOG3
|
||||
BjJEdO6Hfh5BQr/9yRvpCMVV5i60h1947rk97llhaz7yg0UX6oE=
|
||||
=lYjo
|
||||
-----END PGP SIGNATURE-----
|
||||
11
csdiff.spec
11
csdiff.spec
|
|
@ -10,12 +10,16 @@
|
|||
|
||||
Name: csdiff
|
||||
Version: 2.3.0
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: Non-interactive tools for processing code scan results in plain-text
|
||||
|
||||
License: GPLv3+
|
||||
URL: https://github.com/csutils/csdiff
|
||||
Source0: https://github.com/csutils/csdiff/releases/download/%{name}-%{version}/%{name}-%{version}.tar.xz
|
||||
Source1: https://github.com/csutils/csdiff/releases/download/%{name}-%{version}/%{name}-%{version}.tar.xz.asc
|
||||
# gpg --keyserver pgp.mit.edu --recv-key 992A96E075056E79CD8214F9873DB37572A37B36
|
||||
# gpg --output kdudka.pgp --armor --export kdudka@redhat.com
|
||||
Source2: kdudka.pgp
|
||||
|
||||
# the following upstream commit is needed to work with up2date csdiff/csgrep
|
||||
# https://github.com/kdudka/csmock/commit/48b09b3a
|
||||
|
|
@ -24,6 +28,7 @@ Conflicts: csmock-plugin-shellcheck <= 2.5
|
|||
BuildRequires: boost-devel
|
||||
BuildRequires: cmake
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: gnupg2
|
||||
BuildRequires: help2man
|
||||
BuildRequires: make
|
||||
|
||||
|
|
@ -65,6 +70,7 @@ code scan defect lists to find out added or fixed defects.
|
|||
%endif
|
||||
|
||||
%prep
|
||||
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
|
||||
%setup -q
|
||||
|
||||
%build
|
||||
|
|
@ -134,6 +140,9 @@ ctest %{?_smp_mflags} --output-on-failure
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Mar 15 2022 Miro Hrončok <mhroncok@redhat.com> - 2.3.0-2
|
||||
- Verify GPG signature of upstream tarball when building the package
|
||||
|
||||
* Tue Mar 15 2022 Kamil Dudka <kdudka@redhat.com> 2.3.0-1
|
||||
- update to latest upstream release
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,52 @@
|
|||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQINBFgjU54BEACwGTSIP9AVBahlfv/y4snLRvlU4UWWqn8bxjh/GFTVs+l8gqOD
|
||||
3dT9AhbnMWfvr94nA6dXVVx8t8akn3ybVLKeii3vOSel8ayAnIXYjtowPh/TlheO
|
||||
BSo4EcVo0IFLtiUhC0XHMngITkr6mGphzKOAjS5Kur1j09tawhWMtgeDWw9dZnvc
|
||||
mH7f03mwvFv49YYqztaKcGvWlrLjj1O18Un5euGx18L+udG3RfeWMpzinwvcv2n7
|
||||
sH45FVqH6wu/okOJkXShsD883NRlz652knvzuUZNqcc+l/uNm8FVB8hH7qvKJu7P
|
||||
v1HpNSYlLqRpAREepYxdb/KJEJ5X3EoczLHM1zugB6cRi9REQ5rt1dqS8VOn5Svw
|
||||
v4OZZUjZf/LvAB3KOl5RI40pa8zAI/ymxTZ6qZzFOp7u8XEy3GzURrYBMKJIW03Z
|
||||
E61RI+7SJKr4yeboWSfYJbV6RQJyu8X77H9L0F6O+LHoLSoHIRmkcniwEMwl5THV
|
||||
tUl9Daxgey+qNq1twLLV6vx8f8eyuPCdeP6ZhhUhOH4sAyh0oGZMHxiNhAFeyRdo
|
||||
JqTXfgqLX39jwH54eJ3Cbhndwu47glipMO1HQX1XS5Rt7LfEMCTLUGSFW1xljLOI
|
||||
8d9fExEyTzJMVIsQJoaAvPEX4cfhcAUFQLijPkt29Wvv3WsAIVFEgoLMNwARAQAB
|
||||
tB9LYW1pbCBEdWRrYSA8a2R1ZGthQHJlZGhhdC5jb20+iQJUBBMBCAA+AhsDBQsJ
|
||||
CAcCBhUICQoLAgQWAgMBAh4BAheAFiEEmSqW4HUFbnnNghT5hz2zdXKjezYFAl+1
|
||||
eU8FCQ8W87EACgkQhz2zdXKjezaYpw//UwiegIs8Xe79CERudpz7AM0BbRE6VaAU
|
||||
QP1dMsTzIUU3HqpRrRfuCLIcbbUb7lCzAmu0SShvrt1ZUY87RXZQDJFsbHneHIKb
|
||||
wIxIr6bRtwv1+I9A6bIWYDPdjgost4v2O2GdvDegdC6aDFJa6p7uYF3YqR1GvlCN
|
||||
RC0DPvoZLIaHO7q+9o9WN6pe1OBmHdkzfJue9FmJxUhXGhaFGNQ/E9ahZRWv7D4e
|
||||
3fxH8B2lqgmLGAYsbMjgiOJFxcbIWMzltIj0hJ1x3ajUdY1B6rLf6QcgXnKJIXVR
|
||||
Svp0s283PfhnCzoXvKFvBuUaXQfNsW3MnIJFJEWDuy1TzMdK44AmQp8iQTGVIajd
|
||||
2Wdmxxd54dl3GjuHPXXJZ92DG5H52cC+4TZuM4yH9gvOxwtdIafOSkvtTHYh4POF
|
||||
piqiM67UG2a8JkW7CKPGFqfrdkM+yOfU31ouHL68q3XIpkB4z1f2w6mscdW2d7AQ
|
||||
3VLpb+WCeoWRy6HrRYAJZjs78Rea8N9dSzUOI2ac2OUR9Mqp6TMXed6V+6b1ogbI
|
||||
4I0Ni8562kPFxnjiTUhrcXNroBvQUktkEXjuk5ZOG/fJaL0lN39Cq9ImznCEGuvn
|
||||
mb+sZ//kH7N5w8tTc3mK4NvQw8LkDyS5LItx1H2Gzybxsl5d0OajJpUY4PZeppjH
|
||||
rxXke/QpXHq5Ag0EWCNTngEQALkRI0PUaVE9j19uyjINlxb/3nwKHmbTChQzPJFn
|
||||
adUwbmXfChmK/vyE8XBaIFIWSJ/94W9Y1/aGPlK4my7GqkiS4q6Lf32YWBNqihvH
|
||||
mxKuIYv2+6Z8E34yRFwmbA20RpZCy7AGIg0/LACfM4Bw+DVUhTRMl2O/muKrxd/O
|
||||
/WLn30RoYG+D4+mE0xJu+XsHivx2DqvdkKO+Rzo8131ByiWOk6P37McFtYiPjEjh
|
||||
ztTBcnNjd+a3xB/XDHd1Lcs7GmBqw0X10KnxC8xSzSqGSRFYF1aJYdxhayxXGJz/
|
||||
p1Dd6mt2eT46rYUGhFWlFH7FXGsWapR8ELY42clcFgGmQ7Yps+dZ6Kx8HnEYKsIY
|
||||
ONBqjS/dTKSrOMvkCSY0CwiCjKPM5uan5lQ9GMwbEZOQ5dcEVJOiVSfneeYpEjD/
|
||||
oyapPrDefdsCD5Gvt2kSbDZSDR5GeO8epZ02hu/zMQxDayqdLTxAaDByDVTvRCnc
|
||||
BLDcpvzXVAUdjIkfzDqZlLRgZu/8oNjOpWypUEE0mQfus6fDOLrt1h/0SqcJar70
|
||||
mi0QzBlOLrksJerXygDYJus80trCJPbr5DkCy2nQdfaeUissbt4kJTBirhhMtuyZ
|
||||
bBOQ42qm5pGef74hye1dCUddlBcb/BmIecsQ5a7EegKBDoU6ZsLcs5xnPgNwJa5U
|
||||
5VstABEBAAGJAjwEGAEIACYCGwwWIQSZKpbgdQVuec2CFPmHPbN1cqN7NgUCX7V5
|
||||
agUJDxbzzAAKCRCHPbN1cqN7NiVdEACGZX+sMSfpW47ARmsg9EsWh983SafWEi4V
|
||||
Gp3bRgOM3X4hwp8iFS/jpD8iNQpiRztSAx6s0l2pirAKFiKaaHrarVrYM4lrSoau
|
||||
J1LeWeAy9jHRstk21Iu/myM8gfBdl9tOlrdv5NhD98tCdE/2hTtOLlZbYboNl+ug
|
||||
0g/3yM4KPgqXLvVpS3QBoiueTfFoSawb20lZCcDon43BGg+wS/2j7Vu9Q1Dj3fEz
|
||||
+QV4S7JvMFP6MYV2ITvj3xajXpRkuNG8s76o/u8m2PYQ77sAl+mN446Lp+bwdQeE
|
||||
s7j79i/2kk+djVDtgTGyRyDD/4drXOMtVKRpxDDp1YOl896cRP4PJWNK8oLlF8IY
|
||||
ItdhN/UijK6hZoXLyQDK/DQfmTjpGEQTzFCNW8CdwvTSjK7o6lJZtrv4R4rBJ3Sd
|
||||
kcr9rQO/uGlYblzX70iXQMKpiCb1xo3MBCUFfiq05sTNVzRNVleo9nVf0WhCgnl7
|
||||
M9Tojh31sra9IzDAy9exga8dD/tvnebYjXYmGXfQyrPAnSSTLSjAQmlNzgx8FM96
|
||||
WB+XJDJFALy/MV35XKi9c5SLE3hSPEhqrwnTQ5g3jOPrexhUZR6w0qDXVoQH/3p0
|
||||
vXqQ3yx3yrREeBOW6qhHeYk3w2z7EAg4nNovAHgd68zXE9ZfCAGfWIerZsOuhdHS
|
||||
lwvfpMesuQ==
|
||||
=XhUt
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
1
sources
1
sources
|
|
@ -1 +1,2 @@
|
|||
SHA512 (csdiff-2.3.0.tar.xz) = 6b152c11c42fae12ad52b83856a988c54d975f596edad6cfcd94b48ed9513eb3f8acc56738afc485949cd511d1147c57f9e16010551558791bb0f41c50305c1b
|
||||
SHA512 (csdiff-2.3.0.tar.xz.asc) = b6c4c2f20b22b71617c479739a6bae81e1074f7f4ea3192514b1ba14aa4202e0672e2b79a58c856f3696b809d5819232f51c54f54bebf5f4651b5581ee428ddd
|
||||
|
|
|
|||
Loading…
Reference in New Issue