rpms / python-acme

Clone
Source Code
GIT

#3 use GPG source file verification
Closed 4 years ago by elyscape. Opened 4 years ago by fschwarz.
Unknown source master  into  master

file added
empty or binary file added
file modified
+12 -2 
@@ -16,11 +16,16 @@
 

  

  Name:           python-acme
 

  Version:        0.39.0
 

- Release:        1%{?dist}
 

+ Release:        2%{?dist}
 

  Summary:        Python library for the ACME protocol
 

  License:        ASL 2.0
 

  URL:            https://pypi.python.org/pypi/acme
 

- Source0:        https://files.pythonhosted.org/packages/source/a/%{srcname}/%{srcname}-%{version}.tar.gz
 

+ Source0:        %pypi_source
 

+ Source1:        %{pypi_source}.asc
 

+ # key mentioned in docs https://certbot.eff.org/docs/install.html#certbot-auto
 

+ # gpg2 --keyserver pool.sks-keyservers.net --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
 

+ # gpg2 --export --export-options export-minimal A2CFB51FA275A7286234E7B24D17C995CD9775F2 > gpg-A2CFB51FA275A7286234E7B24D17C995CD9775F2.gpg
 

+ Source2:        gpg-A2CFB51FA275A7286234E7B24D17C995CD9775F2.gpg
 

  

  # When running tests argparse is not recognised as provided by core
 

  
@@ -28,6 +33,7 @@
 

  Patch0:         epel7-setup.patch
 

  %endif
 

  

+ BuildRequires:  gnupg2
 

  %if %{with python2}
 

  BuildRequires:  python2-devel
 

  BuildRequires:  python2-sphinx
 
@@ -162,6 +168,7 @@
 

  %endif
 

  

  %prep
 

+ %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 

  %autosetup -p1 -n %{srcname}-%{version}
 

  

  
@@ -231,6 +238,9 @@
 

  %endif
 

  

  %changelog
 

+ * Thu Nov 21 2019 Felix Schwarz <fschwarz@fedoraproject.org> 0.39.0-2
 

+ - use GPG source file verification
 

+ 

  * Tue Oct 01 2019 Eli Young <elyscape@gmail.com> - 0.39.0-1
 

  - Update to 0.39.0 (#1757606)

file modified
+1 
@@ -1,1 +1,2 @@
 

  SHA512 (acme-0.39.0.tar.gz) = 1a59fd4a7dce6c5eb0564a1fb8f6b39b88fccaf3c4a03949b391862a9a937ccc8f81dc99b347a343c73834d006e05b515bfe1daa3f24fd6caa8c0fd8100293b4
 

+ SHA512 (acme-0.39.0.tar.gz.asc) = da15b67f9cb78c673b5e61da4343dbc3b361e801f082ee7a32ac5ab9b3cebed121a8c064d4eed87e7ebdc9e22b848623cba24b633c87cb3c7655d4c3023aba83

source files will be verified automatically as recommended by packaging policy:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification

ping?

If you don't feel confident enough to update to 0.40.0 this PR should be pretty simple to check:
- fedprep prep (check that GPG verification shows up in stdout)
- spectool -g python-acme.spec to ensure they key is actually at the given HTTPS address
- inspect the key if you like
- fedpkg new-sources acme-0.39.0.tar.gz.asc

@fschwarz Apologies for the delay on this. I'll be taking a look shortly.

This looks good. I won't be merging it just yet, as I'm going to want to make similar changes to the numerous other certbot packages when I do. Thanks for your work on this.

btw: if you want to merge this (as opposed to redoing it yourself) better do it before adding other changes so you don't generate changelog conflicts (no need to push out a build). Anyway: Looking forward to a new certbot + EPEL8.

GPG signature validation pulled in manually.

Pull-Request has been closed by elyscape
4 years ago
Metadata
None
No Tags
Changes Summary 3
+0
file added
gpg-A2CFB51FA275A7286234E7B24D17C995CD9775F2.gpg
+12 -2
file changed
python-acme.spec
+1 -0
file changed
sources
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.