[libvirt] [libvirt-glib] spec: Add verification of the tarball GPG signature

This at least allows to make sure that all tarballs are signed with the same GPG key, and that the tarball was not corrupted between the time it was uploaded upstream, and the time the RPM is built. danpb-BE86EBB415104FDF.gpg is generated with: gpg2 -v --armor --export 15104FDF | gpg2 --no-default-keyring --keyring ./danpb-BE86EBB415104FDF.gpg --import --- libvirt-glib.spec.in | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libvirt-glib.spec.in b/libvirt-glib.spec.in index 32ce4f0..3616a6e 100644 --- a/libvirt-glib.spec.in +++ b/libvirt-glib.spec.in @@ -28,6 +28,8 @@ Group: Development/Libraries License: LGPLv2+ URL: http://libvirt.org/ Source0: ftp://libvirt.org/libvirt/glib/%{name}-%{version}.tar.gz +Source1: ftp://libvirt.org/libvirt/glib/%{name}-%{version}.tar.gz.asc +Source2: danpb-BE86EBB415104FDF.gpg BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: glib2-devel >= @GLIB2_REQUIRED@ @@ -45,6 +47,7 @@ BuildRequires: libtool %if %{with_vala} BuildRequires: vala-tools %endif +BuildRequires: gnupg2 %package devel Group: Development/Libraries @@ -109,6 +112,7 @@ libvirt and the glib event loop %endif %prep +gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %setup -q %build -- 2.5.5
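Review bot: the new Source2 line references danpb-BE86EBB415104FDF.gpg, a file that is neither in the tarball nor added by this patch, so rpmbuild only finds it if the packager places it in SOURCES by hand; the commit message should state that, and since the documented export uses the short id 15104FDF while the filename carries the long id BE86EBB415104FDF, the export should use the long id (or the full fingerprint) so that a short key id collision cannot select a different key than intended.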
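Review bot: the gpgv2 line added to %prep runs unconditionally, so any build where %{SOURCE2} is not available (for example building directly from the release tarball) now fails in %prep; wrap it, together with Source1, Source2 and the gnupg2 BuildRequires, in a build conditional that is off by default and enabled for distribution builds. Also note that gpgv2 treats every key in the keyring it is given as trusted, so %{SOURCE2} must contain only the upstream release key for the check to mean what the commit message says.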

On Thu, Apr 14, 2016 at 11:12:00AM +0200, Christophe Fergeau wrote:
This at least allows to make sure that all tarballs are signed with the same GPG key, and that the tarball was not corrupted between the time it was uploaded upstream, and the time the RPM is built.
danpb-BE86EBB415104FDF.gpg is generated with: gpg2 -v --armor --export 15104FDF | gpg2 --no-default-keyring --keyring ./danpb-BE86EBB415104FDF.gpg --import --- libvirt-glib.spec.in | 4 ++++ 1 file changed, 4 insertions(+)
ACK

Regards,
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 04/14/2016 05:12 AM, Christophe Fergeau wrote:
This at least allows to make sure that all tarballs are signed with the same GPG key, and that the tarball was not corrupted between the time it was uploaded upstream, and the time the RPM is built.
danpb-BE86EBB415104FDF.gpg is generated with: gpg2 -v --armor --export 15104FDF | gpg2 --no-default-keyring --keyring ./danpb-BE86EBB415104FDF.gpg --import
That file wasn't committed though, was it meant to be?
--- libvirt-glib.spec.in | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/libvirt-glib.spec.in b/libvirt-glib.spec.in index 32ce4f0..3616a6e 100644 --- a/libvirt-glib.spec.in +++ b/libvirt-glib.spec.in @@ -28,6 +28,8 @@ Group: Development/Libraries License: LGPLv2+ URL: http://libvirt.org/ Source0: ftp://libvirt.org/libvirt/glib/%{name}-%{version}.tar.gz +Source1: ftp://libvirt.org/libvirt/glib/%{name}-%{version}.tar.gz.asc +Source2: danpb-BE86EBB415104FDF.gpg BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: glib2-devel >= @GLIB2_REQUIRED@ @@ -45,6 +47,7 @@ BuildRequires: libtool %if %{with_vala} BuildRequires: vala-tools %endif +BuildRequires: gnupg2
%package devel Group: Development/Libraries @@ -109,6 +112,7 @@ libvirt and the glib event loop %endif
%prep +gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %setup -q
%build

Hi,

On Thu, Apr 14, 2016 at 10:01:27AM -0400, Cole Robinson wrote:
On 04/14/2016 05:12 AM, Christophe Fergeau wrote:
This at least allows to make sure that all tarballs are signed with the same GPG key, and that the tarball was not corrupted between the time it was uploaded upstream, and the time the RPM is built.
danpb-BE86EBB415104FDF.gpg is generated with: gpg2 -v --armor --export 15104FDF | gpg2 --no-default-keyring --keyring ./danpb-BE86EBB415104FDF.gpg --import
That file wasn't committed though, was it meant to be?
I left it out on purpose, as it's better if the packager gets the key for verification through their own channel. If it's in the tarball, then it could be modified at the same time as the tarball.

If someone wants to directly use the .spec file from the source tarball in order to build libvirt-glib, this is indeed going to be an issue. I don't think this is what is commonly done, is it?

Christophe

On Thu, Apr 14, 2016 at 04:31:15PM +0200, Christophe Fergeau wrote:
Hi,
On Thu, Apr 14, 2016 at 10:01:27AM -0400, Cole Robinson wrote:
On 04/14/2016 05:12 AM, Christophe Fergeau wrote:
This at least allows to make sure that all tarballs are signed with the same GPG key, and that the tarball was not corrupted between the time it was uploaded upstream, and the time the RPM is built.
danpb-BE86EBB415104FDF.gpg is generated with: gpg2 -v --armor --export 15104FDF | gpg2 --no-default-keyring --keyring ./danpb-BE86EBB415104FDF.gpg --import
That file wasn't committed though, was it meant to be?
I left it out on purpose as it's better if the packager gets the key for verification using its own channel. If it's in the tarball, then it could be modified at the same time as the tarball. If someone wants to directly use the .spec file from the source tarball in order to build libvirt-glib, this is indeed going to be an issue. I don't think this is what is commonly done, is it?
Yes, it is something we need to support, i.e. rpmbuild -ta <tarball> should work.

So in retrospect we need to make this conditional, defaulting to off, and just change it to default to on in Fedora / RHEL formal builds.

Regards,
Daniel
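One way to express the conditional Daniel asks for, as an added example that is not code from this thread or from libvirt-glib's own spec file; the bcond name gpg_verify is an assumption, the Source and %prep lines are the ones from the patch:

```rpmspec
# Off by default so that "rpmbuild -ta libvirt-glib-x.y.z.tar.gz" keeps working
# without the key file; distribution builds turn it on with
# "rpmbuild --with gpg_verify ..." or by defining %%_with_gpg_verify in a macro file.
%bcond_with gpg_verify

Source0:        ftp://libvirt.org/libvirt/glib/%{name}-%{version}.tar.gz
%if %{with gpg_verify}
Source1:        ftp://libvirt.org/libvirt/glib/%{name}-%{version}.tar.gz.asc
# Upstream release key, obtained by the packager out of band (never from the tarball),
# and dropped into the SOURCES directory by hand.
Source2:        danpb-BE86EBB415104FDF.gpg
BuildRequires:  gnupg2
%endif

%prep
%if %{with gpg_verify}
# gpgv2 exits non-zero on a missing or bad signature, which aborts the build here,
# before %setup unpacks anything from the tarball.
gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%endif
%setup -q
```

With this layout the default tarball build never references Source1 or Source2, while `rpmbuild --with gpg_verify -ba libvirt-glib.spec` enforces the signature check.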