https://bugzilla.redhat.com/show_bug.cgi?id=1834731 Björn Persson <bjorn@xxxxxxxxxxxxxxxxxxxx> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |bjorn@xxxxxxxxxxxxxxxxxxxx --- Comment #22 from Björn Persson <bjorn@xxxxxxxxxxxxxxxxxxxx> --- Cryptocurrency wallets are very juicy targets for criminals, so it's paramount that you do everything you can to prevent and detect attempts to inject malware into the package. First, never use insecure HTTP if HTTPS is available. Second, verify upstream's signature before unpacking the tarball. Unfortunately they sign it in an indirect way that our handy verifier script doesn't expect. That makes the verification code a bit tricky, so I have written it for you. These are the changes you need to make: --- bitcoin.spec.old 2020-06-30 12:57:18.000000000 +0200 +++ bitcoin.spec 2020-07-06 15:48:51.656323998 +0200 @@ -7,9 +7,9 @@ Release: 2%{?dist} Summary: Peer to Peer Cryptographic Currency License: MIT -URL: http://bitcoin.org/ +URL: https://bitcoin.org/ -Source0: http://github.com/%{name}/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz +Source0: https://github.com/%{name}/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz Source1: %{name}-tmpfiles.conf Source2: %{name}.sysconfig Source3: %{name}.service @@ -20,12 +20,16 @@ Source8: README.server.redhat Source9: README.utils.redhat Source10: README.gui.redhat +Source11: https://bitcoin.org/bin/bitcoin-core-%{version}/SHA256SUMS.asc +Source12: https://bitcoin.org/laanwj-releases.asc BuildRequires: autoconf BuildRequires: automake BuildRequires: boost-devel BuildRequires: checkpolicy BuildRequires: desktop-file-utils +BuildRequires: gnupg2 +BuildRequires: grep BuildRequires: java BuildRequires: libdb4-cxx-devel BuildRequires: libevent-devel 
@@ -76,7 +80,7 @@ may be used by third party software to provide consensus verification functionality. -Unless you know need this package, you probably do not. +Unless you know you need this package, you probably do not. %package devel Summary: Peer-to-peer digital currency @@ -126,6 +130,15 @@ need this package. %prep +gpgworkdir="$(mktemp --directory)" +# Decode the ASCII armor on the keyring. +gpg2 --homedir="${gpgworkdir}" --yes --output="${gpgworkdir}/keyring.gpg" --dearmor '%{SOURCE12}' +# Verify the signature on the checksums file using the decoded keyring. +gpgv2 --homedir="${gpgworkdir}" --keyring="${gpgworkdir}/keyring.gpg" '%{SOURCE11}' +# Verify the tarball using the checksums file minus the signature. +( cd '%{_sourcedir}' && grep bitcoin '%{SOURCE11}' | sha256sum --check --ignore-missing - ) +rm --recursive --force ${gpgworkdir} + %autosetup -a 4 -p1 mv packaging-*/debian/* contrib/debian/ -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component _______________________________________________ package-review mailing list -- package-review@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to package-review-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@xxxxxxxxxxxxxxxxxxxxxxx
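Review bot: in the first hunk (`@@ -7,9 +7,9 @@`), Source0 still points at GitHub's auto-generated archive (`archive/v%{version}/%{name}-%{version}.tar.gz`), while the new Source11 is the checksum file upstream publishes for its own release tarballs. A `git archive` snapshot produced by GitHub is normally not byte-identical to the upstream-built release tarball even though both end up named `bitcoin-%{version}.tar.gz`, so the sha256sum step added in %prep may reject a perfectly good download, which would show that the signed checksums do not actually cover the file this spec unpacks. Confirm which artifact SHA256SUMS.asc lists and point Source0 at that exact file (the switch from http to https is correct and should stay regardless).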
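Review bot: in the second hunk (`@@ -20,12 +20,16 @@`), `Source12: https://bitcoin.org/laanwj-releases.asc` is fetched from the same origin as the signed file it is meant to validate, and gpgv2 treats every key in the supplied keyring as trusted, so that keyring file is the real trust root of the whole check yet the spec records nothing about which key it is expected to contain. Add the expected signing key's fingerprint as a comment beside Source12 and, preferably, a check in %prep that the dearmored keyring contains exactly that fingerprint, so that a swapped key at the download URL or an accidental re-import of a different key file fails the build instead of silently redirecting trust. The added BuildRequires on gnupg2 and grep match the tools the %prep hunk uses.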
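Review bot: in the %prep hunk (`@@ -126,6 +130,15 @@`), `grep bitcoin '%{SOURCE11}'` selects checksum lines by substring and `sha256sum --check --ignore-missing` then skips every listed file that is absent from %{_sourcedir}, so nothing ties the check to the tarball the spec actually unpacks and a missing or renamed tarball is not an error. Match the exact source name and make absence fatal, for example `grep ' %{name}-%{version}.tar.gz$' '%{SOURCE11}' | sha256sum --check -`, so that the build fails unless that one file is present and matches. Two smaller points: `rm --recursive --force ${gpgworkdir}` is the only unquoted use of the variable and should be quoted like the other calls, and the temporary directory is left behind whenever gpg2 or gpgv2 fails and aborts %prep, which a `trap 'rm -rf "${gpgworkdir}"' EXIT` right after the mktemp line would cover.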