Commit
Fedora Packaging Guidelines state that packages should verify OpenPGP signatures (if available) as part of the RPM build process. This must be done in the %prep section before any potentially compromised code can be executed.

Add gpg verification of the source tarball. While formal release tarballs have a corresponding detached signature file, snapshot releases do not. As such, disable source file verification by default. It can be enabled for formal release tarballs by specifying "--with verify" to rpmbuild(1). Note that source file verification requires the corresponding detached signature and gpg public key.

Also note that Source1 (the detached signature file) and Source2 (the gpg public key file) are conditionally defined based on "%{with verify}"; without this, "rpmbuild -ts <snapshot.tar.xz>" would fail because Source1 did not exist.

"rpmbuild -tb" looks inside the tarball for only the rpm spec file. Source file verification requires the keyring and signature to also reside in the directory:

  $ ls
  dun.gpg
  conman-0.3.1.tar.xz
  conman-0.3.1.tar.xz.asc
  $ rpmbuild -tb --with verify conman-0.3.1.tar.xz

The "%{gpgverify}" rpm macro originated with Fedora, but has since been added to RHEL via updates to the redhat-rpm-config package in order to better unify Fedora and RHEL spec files. Consequently, eschew providing an alternate implementation for when "%{gpgverify}" is not defined since that macro now exists on recent versions of AlmaLinux and CentOS.
Reference:
- https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
- https://fedoraproject.org/wiki/PackagingDrafts:GPGSignatures
- https://rpm-software-management.github.io/rpm/manual/conditionalbuilds.html
- https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/54
- https://bugzilla.redhat.com/show_bug.cgi?id=1874576

Tested:
- AlmaLinux 9.0 (redhat-rpm-config-194-1.el9.alma.noarch)
- AlmaLinux 8.6 (redhat-rpm-config-129-1.el8.alma.noarch)
- CentOS Stream 9 (redhat-rpm-config-196-1.el9.noarch)
- CentOS Stream 8 (redhat-rpm-config-130-1.el8.noarch)
- CentOS Linux 8.5.2111 (redhat-rpm-config-125-1.el8.noarch)
- CentOS Linux 7.9.2009 (redhat-rpm-config-9.1.0-88.el7.centos.noarch)
- Fedora 36, 35, 34

Test cases for "rpmbuild -ta --with verify conman-0.3.1.tar.xz":

1. Fail when public key file is missing
   > gpg: can't open '/tmp/dun.gpg': No such file or directory
   > gpg: dearmoring failed: No such file or directory
   > gpgverify: Decoding the keyring failed.

2. Fail when detached signature file is missing
   > gpgv: can't open '/tmp/conman-0.3.1.tar.xz.asc': No such file or directory
   > gpgv: verify signatures failed: No such file or directory
   > gpgverify: Signature verification failed.

3. Fail when detached signature file does not match
   > gpgv: Signature made Thu Sep 29 14:24:18 2022 PDT
   > gpgv: using RSA key A441880C3D4C7C36C5DD41E13B7ECB2B30DE0871
   > gpgv: BAD signature from "Chris Dunlap <chris.m.dunlap@gmail.com>"
   > gpgverify: Signature verification failed.

4. Succeed when public key file exists and signature file matches source
   > gpgv: Signature made Thu Sep 29 14:26:09 2022 PDT
   > gpgv: using RSA key A441880C3D4C7C36C5DD41E13B7ECB2B30DE0871
   > gpgv: Good signature from "Chris Dunlap <chris.m.dunlap@gmail.com>"
   > gpgv: aka "Chris Dunlap <cdunlap@llnl.gov>"
   > gpgv: aka "Chris Dunlap <dun@imsa.edu>"
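The commit page shows no diff, so the following is an added illustration of the spec wiring the message describes (a "--with verify" build conditional, Source1/Source2 defined only under that conditional, and %{gpgverify} run at the top of %prep). It is not the project's own spec: the package name, version and file names are taken from the commit message, the Summary/License/%description lines are placeholders, and the sections after %prep are omitted because they are unrelated to verification.

```spec
# Added example, not the commit's own diff. Shows only the parts of a spec
# relevant to conditional source verification with %{gpgverify}.

# Build conditional, off by default. "rpmbuild --with verify" turns it on;
# %{with verify} then expands to 1.
%bcond_with verify

Name:           conman
Version:        0.3.1
Release:        1%{?dist}
Summary:        Placeholder summary
License:        Placeholder

Source0:        %{name}-%{version}.tar.xz
# Snapshot tarballs ship without a detached signature, so the signature and
# keyring sources are declared only when verification is requested. An
# unconditional Source1 would make "rpmbuild -ts <snapshot.tar.xz>" fail on
# the missing .asc file.
%if %{with verify}
Source1:        %{name}-%{version}.tar.xz.asc
Source2:        dun.gpg
%endif

%description
Placeholder description.

%prep
# Verify first, before %setup unpacks anything from the tarball. The
# %{gpgverify} macro (redhat-rpm-config) dearmors the keyring and runs gpgv
# against the detached signature; a missing keyring, missing signature or
# BAD signature makes it exit non-zero, which aborts the build here.
%if %{with verify}
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%endif
%setup -q
```

With this layout, a default build (`rpmbuild -tb conman-0.3.1.tar.xz`) skips verification entirely, while `rpmbuild -tb --with verify conman-0.3.1.tar.xz` requires dun.gpg and conman-0.3.1.tar.xz.asc to sit beside the tarball and fails in %prep for each of the three error cases listed above.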