RPM %setup query

[Michel Salim]

I'm packaging zeroinstall-injector for Extras, and the upstream
tarball comes signed with GPG (the signature is not detached). The
discussion for the review seems to have reached the consensus that I
should use this as the source tarball, which leads to the following
problem:

How can I tell %setup that it needs to do gpg --decrypt on the source
(*and* ignore the error return status due to the public key not being
in the keychain), and then pipe the result to gzip and tar?

Right now I'm calling gpg manually before %setup, moved the signed
tarball out of the way, rename the unsigned tarball to the original
name, run %setup and then restore the original signed tarball to its
original name. rpmlint does not like me using %{_sourcedir} in the
spec file, though.

Should I ignore this rpmlint error? Or Would this be a special case in
which the packaged source tarball does not have to match upstream?

Any help from spec macro experts appreciated.

Thanks,

--
Michel Salim
http://www.cs.indiana.edu/~msalim
http://the-dubois-papers.blogspot.com/