Add gpg verification of sources

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2024-01-09 17:46:39 +00:00 · 2024-01-09 17:46:39 +00:00 · cb4378cf14
parent e1b58db1d6
commit cb4378cf14
4 changed files with 11 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,4 @@
 /x86_64/
 /*.src.rpm
 /qemu-*.tar.xz
+/qemu-*.tar.xz.sig
--- a/gpgkey-CEACC9E15534EBABB82D3FA03353C9CEF108B584.gpg
+++ b/gpgkey-CEACC9E15534EBABB82D3FA03353C9CEF108B584.gpg
--- a/qemu.spec
+++ b/qemu.spec
@ -367,7 +367,11 @@ Epoch: 2
 License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND FSFAP AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-2.0-or-later WITH GCC-exception-2.0 AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-Fedora-Public-Domain AND CC-BY-3.0
 URL: http://www.qemu.org/

-Source0: https://download.qemu.org/%{name}-%{version}%{?rcstr}.tar.xz
+%global dlurl https://download.qemu.org
+
+Source0: %{dlurl}/%{name}-%{version}%{?rcstr}.tar.xz
+Source1: %{dlurl}/https://download.qemu.org/%{name}-%{version}%{?rcstr}.tar.xz.sig
+Source2: gpgkey-CEACC9E15534EBABB82D3FA03353C9CEF108B584.gpg

 # https://patchwork.kernel.org/project/qemu-devel/patch/20231128143647.847668-1-crobinso@redhat.com/
 # Fix pvh.img ld build failure on fedora rawhide
@ -388,6 +392,7 @@ Source30: kvm-s390x.conf
 Source31: kvm-x86.conf
 Source36: README.tests

+BuildRequires: gnupg2
 BuildRequires: meson >= %{meson_version}
 BuildRequires: bison
 BuildRequires: flex
@ -1497,6 +1502,8 @@ This package provides the QEMU system emulator for Xtensa boards.


 %prep
+gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
+
 %autosetup -n qemu-%{version}%{?rcstr} -S git_am

 %global qemu_kvm_build qemu_kvm_build
@ -3128,6 +3135,7 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %changelog
 * Tue Jan  9 2024 Daniel P. Berrangé <berrange@redhat.com> - 8.2.0-1
 - Update to 8.2.0 release
+- Add gpg verification of source tarball

 * Sat Dec  9 2023 Richard W.M. Jones <rjones@redhat.com> - 2:8.2.0-0.3.rc2
 - Further fix for Xen 4.18
--- a/1
+++ b/1
@ -1 +1,2 @@
 SHA512 (qemu-8.2.0.tar.xz) = 92ec41196ff145cdbb98948f6b6e43214fa4b4419554a8a1927fb4527080c8212ccb703e184baf8ee0bdfa50ad7a84689e8f5a69eba1bd7bbbdfd69e3b91256c
+SHA512 (qemu-8.2.0.tar.xz.sig) = 05412219ab0ff145f56708f99bc60b378b2b9ef6fbf3c48bffd32a2952188b2ee34a798949b09d6d8fc9f2483094fa0e3b488f52f69508604747ad4e2960f302