https://bugzilla.redhat.com/show_bug.cgi?id=1834731

--- Comment #105 from Simone Caronni <negativo17@xxxxxxxxx> ---

(In reply to Björn Persson from comment #104)
> Here's my proposal for how to check multiple signatures, ignoring missing
> keys but failing if there are any bad signatures:
>
> Source10: key-Someone.gpg
> Source11: key-Somebody.gpg
> Source12: key-Other.gpg
>
> %global minimum_good_signatures 10
>
> %prep
> # Collect those sources that are keys for signature verification.
> for filename in %{sources} ; do case "$filename" in (*/key-*.gpg) cat "$filename" ;; esac ; done >combined_keyring.gpg
>
> # Verify the signatures. Write machine-readable results to signature_status.
> # Don't fail if a key is missing.
> gpgv2 --status-fd=3 --keyring=./combined_keyring.gpg SHA256SUMS.asc SHA256SUMS 3>signature_status || true
>
> # Fail if there are any signatures that don't match.
> ! grep --quiet '^\[GNUPG:\] BADSIG ' signature_status
>
> # Fail if fewer than the minimum number of signatures are valid.
> test `grep --count '^\[GNUPG:\] GOODSIG ' signature_status` -ge %{minimum_good_signatures}

Sounds reasonable. I will make sure the script downloads all available keys and puts them into the appropriate files and into the SPEC file.

Maybe 10 signatures is a bit too much; in less than a week from the release there is already a bunch of keys not available. I'll make some tests.

Here is a repository which will contain the latest packages being built as part of the review:

https://negativo17.org/repos/bitcoin/
https://negativo17.org/repos/epel-bitcoin.repo
https://negativo17.org/repos/fedora-bitcoin.repo

Current state is as per my last comment above, so none of the GPG changes just mentioned in it yet.

-- 
You are receiving this mail because:
You are always notified about changes to this product and component
You are on the CC list for the bug.
_______________________________________________
package-review mailing list -- package-review@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/package-review@xxxxxxxxxxxxxxxxxxxxxxx
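The quoted %prep proposal evaluates the gpgv status log with two one-liners: any BADSIG line fails the build, and the build also fails if the number of GOODSIG lines is below a threshold. The script below is an added example, not code from the bug report or from the bitcoin package, that performs the same evaluation as shell functions over a constructed status log (the key ids, user ids and the file paths are made up) so it runs offline. It differs from the quoted one-liners in two ways a packager would want: it counts distinct signing keys rather than GOODSIG lines, so one key that signed twice cannot satisfy the threshold on its own, and it leaves expired or revoked keys out of the count, which gpgv reports as EXPKEYSIG or REVKEYSIG instead of GOODSIG. A signer whose key is missing from the keyring shows up as ERRSIG plus NO_PUBKEY and is simply ignored, matching the "don't fail if a key is missing" intent.

```shell
#!/bin/sh
# Added example (not from the bug report or the bitcoin package): evaluate a
# gpgv --status-fd log the way the quoted %prep snippet does, with two extra
# checks:
#   - count distinct signing keys rather than GOODSIG lines
#   - do not count EXPKEYSIG / REVKEYSIG lines (gpgv emits those instead of
#     GOODSIG when the signing key is expired or revoked)
# In a real %prep the log comes from:
#   gpgv2 --status-fd=3 --keyring=./combined_keyring.gpg SHA256SUMS.asc SHA256SUMS 3>signature_status || true
# Here it is a constructed file so that the script runs offline.

# Print the number of distinct key ids that produced a GOODSIG line.
# $1 = status file
count_good_keys() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG" && !seen[$3]++ { n++ } END { print n + 0 }' "$1"
}

# Return 0 if the log contains no BADSIG and at least $2 distinct good keys.
# $1 = status file, $2 = minimum number of distinct good keys
check_signature_status() {
    status_file=$1
    minimum=$2

    # A BADSIG is a signature that does not match the data: reject outright,
    # regardless of how many other signatures are good.
    if grep -q '^\[GNUPG:\] BADSIG ' "$status_file"; then
        echo "check_signature_status: bad signature present in $status_file" >&2
        return 1
    fi

    good=$(count_good_keys "$status_file")
    if [ "$good" -lt "$minimum" ]; then
        echo "check_signature_status: $good distinct good signatures, need $minimum" >&2
        return 1
    fi
    return 0
}

# Constructed status log: Alice signs twice, Carol once, one signer's key is
# not in the keyring (ERRSIG with rc 9 plus NO_PUBKEY), and Bob's key has
# expired. All key ids and user ids are invented.
write_sample_ok() {
    cat >"$1" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Alice (constructed) <alice@example.invalid>
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Alice (constructed) <alice@example.invalid>
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Carol (constructed) <carol@example.invalid>
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 1 10 00 1700000000 9
[GNUPG:] NO_PUBKEY FEDCBA9876543210
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 1111222233334444 Bob (constructed, expired) <bob@example.invalid>
EOF
}

# The same log with one signature that does not match the data appended.
write_sample_bad() {
    write_sample_ok "$1"
    cat >>"$1" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 5555666677778888 Mallory (constructed) <mallory@example.invalid>
EOF
}

# Stand-alone demonstration: the "ok" log has 3 GOODSIG lines but only 2
# distinct keys, so it passes a threshold of 2 and fails a threshold of 3;
# the "bad" log fails at any threshold because of the BADSIG line.
demo() {
    dir=$(mktemp -d)
    write_sample_ok "$dir/signature_status.ok"
    write_sample_bad "$dir/signature_status.bad"
    printf 'ok log, minimum 2: ';  check_signature_status "$dir/signature_status.ok" 2 && echo PASS || echo FAIL
    printf 'ok log, minimum 3: ';  check_signature_status "$dir/signature_status.ok" 3 && echo PASS || echo FAIL
    printf 'bad log, minimum 1: '; check_signature_status "$dir/signature_status.bad" 1 && echo PASS || echo FAIL
    rm -rf "$dir"
}
demo
```

The threshold question raised in the comment (whether 10 is too many when keys go missing within a week) is exactly what the distinct-key count measures: a missing key costs one toward the minimum but never fails the build on its own, while a single mismatching signature always does.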