[libvirt] [libvirt-glib v2] spec: Add verification of the tarball GPG signature

Christophe Fergeau cfergeau at redhat.com
Mon Apr 18 11:00:23 UTC 2016


This at least makes it possible to check that all tarballs are signed with the
same GPG key, and that the tarball was not corrupted between the time it
was uploaded upstream and the time the RPM is built.

danpb-BE86EBB415104FDF.gpg is generated with:
gpg2 -v --armor --export 15104FDF | gpg2 --no-default-keyring --keyring ./danpb-BE86EBB415104FDF.gpg --import

We cannot unconditionally enable gpg signature checks as when
building from tarballs with rpmbuild -ta (for example), the needed
keyring file will not be available, so this commit checks that
BE86EBB415104FDF.gpg exists before attempting to do the check.
---
 libvirt-glib.spec.in | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

Hey, here is my attempt at addressing the issue raised with v1 (rpmbuild -ta
being broken by the change). I cannot rely on the usual test on %{fedora} and %{rhel} as
they are set when running rpmbuild on Fedora. Instead I added a test for the
existence of the keyring file. Maybe there are better ways of writing this file existence
check.

Christophe

diff --git a/libvirt-glib.spec.in b/libvirt-glib.spec.in
index 32ce4f0..02a27d5 100644
--- a/libvirt-glib.spec.in
+++ b/libvirt-glib.spec.in
@@ -1,5 +1,12 @@
 # -*- rpm-spec -*-
 
+# We cannot unconditionally enable gpg signature checks as when
+# building from tarballs with rpmbuild -ta (for example), the needed
+# keyring file will no be available
+%define gpg_keyring danpb-BE86EBB415104FDF.gpg
+%define has_gpg_keyring %(if [ -f %{gpg_keyring} ]; then echo 1; else echo 0; fi)
+%define with_gpg_check %{has_gpg_keyring}
+
 %define with_introspection 0
 %define with_python 0
 %define with_vala 0
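Review bot: the `[ -f %{gpg_keyring} ]` test in has_gpg_keyring runs in whatever directory rpmbuild was invoked from, not in %{_sourcedir}, so a keyring that sits correctly in SOURCES can go undetected and the check silently switches itself off; testing `[ -f %{_sourcedir}/%{gpg_keyring} ]` makes the lookup match where Source2 is actually read from. Since a missing keyring disables verification rather than failing the build, it is also worth letting a packager force the check on (for example `%define with_gpg_check %{?_with_gpg_check:1}%{!?_with_gpg_check:%{has_gpg_keyring}}`, driven by `rpmbuild --with gpg_check`) so that a build where the keyring was accidentally dropped fails loudly instead of quietly skipping the signature. The comment carries the same typo as the commit message: "will no be available".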
@@ -28,6 +35,10 @@ Group: Development/Libraries
 License: LGPLv2+
 URL: http://libvirt.org/
 Source0: ftp://libvirt.org/libvirt/glib/%{name}-%{version}.tar.gz
+%if %{with_gpg_check}
+Source1: ftp://libvirt.org/libvirt/glib/%{name}-%{version}.tar.gz.asc
+Source2: %{gpg_keyring}
+%endif
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires: glib2-devel >= @GLIB2_REQUIRED@
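Review bot: with Source1 inside the %if, the .asc file is dropped from the SRPM whenever the keyring is absent at parse time, so anyone rebuilding from that SRPM can never turn the check back on; keeping `Source1: ftp://libvirt.org/libvirt/glib/%{name}-%{version}.tar.gz.asc` unconditional costs nothing and lets the signature travel with the source package. Only Source2, the keyring itself, needs to stay conditional.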
@@ -45,6 +56,9 @@ BuildRequires: libtool
 %if %{with_vala}
 BuildRequires: vala-tools
 %endif
+%if %{with_gpg_check}
+BuildRequires: gnupg2
+%endif
 
 %package devel
 Group: Development/Libraries
@@ -109,6 +123,9 @@ libvirt and the glib event loop
 %endif
 
 %prep
+%if %{with_gpg_check}
+gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
+%endif
 %setup -q
 
 %build
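Review bot: `--quiet` suppresses gpgv2's "Good signature" line, so the build log will not record which key validated the tarball; dropping it leaves an audit trail that the pinned key BE86EBB415104FDF was the one used. A short comment that gpgv2 treats every key in the supplied keyring as fully trusted (which is why the keyring must contain only the upstream release key) would help future readers of the spec. The ordering is right: verification happens before %setup unpacks the archive, and a failed signature aborts the build because rpm runs %prep with `-e`, though an explicit `|| exit 1` would make that intent visible.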
-- 
2.5.5