Re: [libvirt] [libvirt-glib] spec: Add verification of the tarball GPG signature
On 04/14/2016 05:12 AM, Christophe Fergeau wrote:
This at least allows to make sure that all tarballs are signed with
the
same GPG key, and that the tarball was not corrupted between the time it
was uploaded upstream, and the time the RPM is built.
danpb-BE86EBB415104FDF.gpg is generated with:
gpg2 -v --armor --export 15104FDF | gpg2 --no-default-keyring --keyring
./danpb-BE86EBB415104FDF.gpg --import
That file wasn't committed though, was it meant to be?
---
libvirt-glib.spec.in | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libvirt-glib.spec.in b/libvirt-glib.spec.in
index 32ce4f0..3616a6e 100644
--- a/libvirt-glib.spec.in
+++ b/libvirt-glib.spec.in
@@ -28,6 +28,8 @@ Group: Development/Libraries
License: LGPLv2+
URL: http://libvirt.org/
Source0: ftp://libvirt.org/libvirt/glib/%{name}-%{version}.tar.gz
+Source1: ftp://libvirt.org/libvirt/glib/%{name}-%{version}.tar.gz.asc
+Source2: danpb-BE86EBB415104FDF.gpg
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: glib2-devel >= @GLIB2_REQUIRED@
@@ -45,6 +47,7 @@ BuildRequires: libtool
%if %{with_vala}
BuildRequires: vala-tools
%endif
+BuildRequires: gnupg2
%package devel
Group: Development/Libraries
@@ -109,6 +112,7 @@ libvirt and the glib event loop
%endif
%prep
+gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%setup -q
%build