[libvirt] [libvirt-glib] spec: Add verification of the tarball GPG signature
Cole Robinson
crobinso at redhat.com
Thu Apr 14 14:01:27 UTC 2016
On 04/14/2016 05:12 AM, Christophe Fergeau wrote:
> This at least allows us to make sure that all tarballs are signed with the
> same GPG key, and that the tarball was not corrupted between the time it
> was uploaded upstream and the time the RPM is built.
>
> danpb-BE86EBB415104FDF.gpg is generated with:
> gpg2 -v --armor --export 15104FDF | gpg2 --no-default-keyring --keyring ./danpb-BE86EBB415104FDF.gpg --import
That file wasn't committed though, was it meant to be?
> ---
> libvirt-glib.spec.in | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/libvirt-glib.spec.in b/libvirt-glib.spec.in
> index 32ce4f0..3616a6e 100644
> --- a/libvirt-glib.spec.in
> +++ b/libvirt-glib.spec.in
> @@ -28,6 +28,8 @@ Group: Development/Libraries
> License: LGPLv2+
> URL: http://libvirt.org/
> Source0: ftp://libvirt.org/libvirt/glib/%{name}-%{version}.tar.gz
> +Source1: ftp://libvirt.org/libvirt/glib/%{name}-%{version}.tar.gz.asc
> +Source2: danpb-BE86EBB415104FDF.gpg
> BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
>
> BuildRequires: glib2-devel >= @GLIB2_REQUIRED@
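Review bot: Source2 names danpb-BE86EBB415104FDF.gpg, but the diffstat lists only libvirt-glib.spec.in (1 file changed, 4 insertions), so the keyring is not part of this patch and %prep would have nothing to verify against; add the file to the commit. Source0 and Source1 are both fetched from the same ftp:// location, so the keyring carried next to the spec is the only trust anchor in this check. A spec comment recording how the keyring was exported and the key's full fingerprint would let a packager re-check it. The export command in the commit message selects the key by the short ID 15104FDF; using the long ID that already appears in the file name, or the full fingerprint, avoids picking up a different key that shares the short ID.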
> @@ -45,6 +47,7 @@ BuildRequires: libtool
> %if %{with_vala}
> BuildRequires: vala-tools
> %endif
> +BuildRequires: gnupg2
>
> %package devel
> Group: Development/Libraries
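Review bot: BuildRequires: gnupg2 is unconditional but sits directly under the %endif that closes the %if %{with_vala} block, where it is easy to misread as part of the conditional or to move inside it in a later edit. Consider placing it with the other unconditional BuildRequires lines, for example right after libtool. It is also worth confirming that gnupg2 is the package providing the gpgv2 binary that %prep calls on every distribution this spec targets.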
> @@ -109,6 +112,7 @@ libvirt and the glib event loop
> %endif
>
> %prep
> +gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
> %setup -q
>
> %build
>
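Review bot: The gpgv2 call in %prep accepts a signature made by any key contained in %{SOURCE2}, so the check is exactly as strong as that keyring's contents, and nothing in the spec states what the keyring is supposed to hold. Add a comment above the gpgv2 line saying that the keyring must contain only the release signing key and how it was generated, since that information currently lives only in the commit message. Running the check before %setup -q is the right order: a failed verification stops the build before the tarball is unpacked.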