Verify upstream sources with GPG

This is now a recommended thing to do:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification

Regardless of whether it adds actual security, it should prevent problems like this one:
https://mail.python.org/archives/list/python-dev@python.org/message/OYNQS2BZYABXACBRHBHV4RCEPQU5R6EP/
This commit is contained in:
Miro Hrončok 2019-11-01 07:09:41 +00:00
parent e0704196d3
commit 853a0fc587
3 changed files with 11548 additions and 1 deletions

pubkeys.txt: new file, 11542 lines (diff not shown on the page because it is too large)


@ -159,6 +159,7 @@ BuildRequires: gdbm-devel
BuildRequires: glibc-all-langpacks
BuildRequires: glibc-devel
BuildRequires: gmp-devel
BuildRequires: gnupg2
BuildRequires: libappstream-glib
BuildRequires: libffi-devel
BuildRequires: libnsl2-devel
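Review bot: the new `BuildRequires: gnupg2` has no comment tying it to the `%gpgverify` call in %prep, and nothing else in the spec uses gnupg2; a one-line comment next to it (e.g. `# needed by %gpgverify in %prep`) would stop a later dependency cleanup from dropping it.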
@ -209,7 +210,9 @@ BuildRequires: python%{pyshortver}
# Source code and patches
# =======================
Source: https://www.python.org/ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz
Source0: %{url}ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz
Source1: %{url}ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz.asc
Source2: %{url}static/files/pubkeys.txt
# A simple script to check timestamps of bytecode files
# Run in check section with Python that is currently being built
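Review bot: Source2 points at the unversioned `%{url}static/files/pubkeys.txt`, but the copy that actually decides the outcome of the check is the 11542-line pubkeys.txt committed to the repo, and that file is the entire trust root for source verification. A comment on the Source2 line should say so and state how it is refreshed: re-downloading the URL alone just replaces the trust root with whatever the server serves, so the fingerprints of the committed file should be compared against an out-of-band source before it is updated. Since a file of that size necessarily holds more than one key, trimming it to the key(s) that actually sign the Python %{pybasever} releases would also keep the set of keys able to validate a tarball as small as possible.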
@ -570,6 +573,7 @@ version once Python %{pybasever} is stable.
# ======================================================
%prep
%gpgverify -k2 -s1 -d0
%setup -q -n Python-%{upstream_version}
# Remove all exe files to ensure we are not shipping prebuilt binaries
# note that those are only used to create Microsoft Windows installers
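Review bot: `%gpgverify -k2 -s1 -d0` sits before `%setup`, so the signature is checked before any upstream content is unpacked, which is the right order; what is missing is a comment mapping the options to the sources (`-k2` = Source2 key file, `-s1` = Source1 detached .asc signature, `-d0` = Source0 tarball), because a later renumbering of the Source lines would otherwise fail verification with no hint in this block about which argument to adjust.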


@ -1 +1,2 @@
SHA512 (Python-3.8.0.tar.xz) = 5f9bfcb3acdf592770a9d5abd2c32c68c55a49b92f958ded069e3ef31cf2d415e67112b4f6738fab237dc29e5c622298719946d2e9471e7e78e3a6bdf2fac1d1
SHA512 (Python-3.8.0.tar.xz.asc) = 4741bcb9b79019f190fded565dd9851158911f1b0ba71f5972906c267ca6576ebfae7c1e649f8bd9fee6ce2cabb325ef1d85a28ab5962fc9275072d35229d06d
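Review bot: the new SHA512 entry for `Python-3.8.0.tar.xz.asc` only guards the integrity of the lookaside copy of the signature; authenticity of the tarball still rests on that signature verifying against the committed pubkeys.txt. It is worth documenting that on every rebase both entries have to be regenerated together, since a refreshed tarball with a stale .asc will fail `%gpgverify` rather than the checksum.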