This at least allows to make sure that all tarballs are signed with the same GPG key, and that the tarball was not corrupted between the time it was uploaded upstream, and the time the RPM is built. danpb-BE86EBB415104FDF.gpg is generated with: gpg2 -v --armor --export 15104FDF | gpg2 --no-default-keyring --keyring ./danpb-BE86EBB415104FDF.gpg --import --- libvirt-glib.spec.in | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libvirt-glib.spec.in b/libvirt-glib.spec.in index 32ce4f0..3616a6e 100644 --- a/libvirt-glib.spec.in +++ b/libvirt-glib.spec.in @@ -28,6 +28,8 @@ Group: Development/Libraries License: LGPLv2+ URL: http://libvirt.org/ Source0: ftp://libvirt.org/libvirt/glib/%{name}-%{version}.tar.gz +Source1: ftp://libvirt.org/libvirt/glib/%{name}-%{version}.tar.gz.asc +Source2: danpb-BE86EBB415104FDF.gpg BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: glib2-devel >= @GLIB2_REQUIRED@ @@ -45,6 +47,7 @@ BuildRequires: libtool %if %{with_vala} BuildRequires: vala-tools %endif +BuildRequires: gnupg2 %package devel Group: Development/Libraries @@ -109,6 +112,7 @@ libvirt and the glib event loop %endif %prep +gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %setup -q %build -- 2.5.5 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list