Re: [libvirt-glib] spec: Add verification of the tarball GPG signature

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 04/14/2016 05:12 AM, Christophe Fergeau wrote:
> This at least allows to make sure that all tarballs are signed with the
> same GPG key, and that the tarball was not corrupted between the time it
> was uploaded upstream, and the time the RPM is built.
> 
> danpb-BE86EBB415104FDF.gpg is generated with:
> gpg2 -v --armor --export 15104FDF | gpg2 --no-default-keyring --keyring ./danpb-BE86EBB415104FDF.gpg --import

That file wasn't committed though, was it meant to be?

> ---
>  libvirt-glib.spec.in | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/libvirt-glib.spec.in b/libvirt-glib.spec.in
> index 32ce4f0..3616a6e 100644
> --- a/libvirt-glib.spec.in
> +++ b/libvirt-glib.spec.in
> @@ -28,6 +28,8 @@ Group: Development/Libraries
>  License: LGPLv2+
>  URL: http://libvirt.org/
>  Source0: ftp://libvirt.org/libvirt/glib/%{name}-%{version}.tar.gz
> +Source1: ftp://libvirt.org/libvirt/glib/%{name}-%{version}.tar.gz.asc
> +Source2: danpb-BE86EBB415104FDF.gpg
>  BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
>  
>  BuildRequires: glib2-devel >= @GLIB2_REQUIRED@
> @@ -45,6 +47,7 @@ BuildRequires: libtool
>  %if %{with_vala}
>  BuildRequires: vala-tools
>  %endif
> +BuildRequires: gnupg2
>  
>  %package devel
>  Group: Development/Libraries
> @@ -109,6 +112,7 @@ libvirt and the glib event loop
>  %endif
>  
>  %prep
> +gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
>  %setup -q
>  
>  %build
> 

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]