873b2a8
@@ -16,11 +16,16 @@
Name: python-acme
Version: 0.39.0
- Release: 1%{?dist}
+ Release: 2%{?dist}
Summary: Python library for the ACME protocol
License: ASL 2.0
URL: https://pypi.python.org/pypi/acme
- Source0: https://files.pythonhosted.org/packages/source/a/%{srcname}/%{srcname}-%{version}.tar.gz
+ Source0: %pypi_source
+ Source1: %{pypi_source}.asc
+ # key mentioned in docs https://certbot.eff.org/docs/install.html#certbot-auto
+ # gpg2 --keyserver pool.sks-keyservers.net --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
+ # gpg2 --export --export-options export-minimal A2CFB51FA275A7286234E7B24D17C995CD9775F2 > gpg-A2CFB51FA275A7286234E7B24D17C995CD9775F2.gpg
+ Source2: gpg-A2CFB51FA275A7286234E7B24D17C995CD9775F2.gpg
# When running tests argparse is not recognised as provided by core
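Review bot: Source2 has no URL, so unlike Source0 and Source1 it cannot be fetched by spectool or pushed to the lookaside cache; it has to be committed to dist-git next to the spec, and the two commented gpg2 commands above it are the only record of how it was produced. Two small additions would help the next maintainer: state the key's user ID in that comment alongside the fingerprint and the certbot docs link, so a re-export can be checked against a name and not only a 40-digit string, and keep the `--export-options export-minimal` form as the only thing checked in, since a full keyserver export would carry third-party certifications that play no role in %{gpgverify}.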
@@ -28,6 +33,7 @@
Patch0: epel7-setup.patch
%endif
+ BuildRequires: gnupg2
%if %{with python2}
BuildRequires: python2-devel
BuildRequires: python2-sphinx
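Review bot: confirm %{gpgverify} is defined on every target this spec is built for. The new `BuildRequires: gnupg2` sits outside the `%if %{with python2}` block, which is right because verification runs in %prep for every flavour, but the macro itself is supplied by redhat-rpm-config on Fedora, and the EPEL7 conditional just above (`Patch0: epel7-setup.patch` under its %if) shows this spec is also built there; a target without the macro would fail at %prep with an unexpanded `%{gpgverify}`.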
@@ -162,6 +168,7 @@
%prep
+ %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup -p1 -n %{srcname}-%{version}
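Review bot: the ordering here is the important part and should stay as it is: %{gpgverify} runs before %autosetup, so a tarball whose signature does not check out is never unpacked or patched. rpmbuild executes %prep through the shell with its -e flag, so a non-zero exit from the macro aborts the build rather than being skipped, and the quoted `'%{SOURCE2}'` style arguments keep the call safe if %_sourcedir contains spaces.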
@@ -231,6 +238,9 @@
%changelog
+ * Thu Nov 21 2019 Felix Schwarz <fschwarz@fedoraproject.org> 0.39.0-2
+ - use GPG source file verification
+
* Tue Oct 01 2019 Eli Young <elyscape@gmail.com> - 0.39.0-1
- Update to 0.39.0 (#1757606)
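Review bot: the new changelog entry drops the ` - ` separator between the address and the version that the existing entry below it uses (`<elyscape@gmail.com> - 0.39.0-1`). rpm accepts both spellings, but keep one format within a file, i.e. `<fschwarz@fedoraproject.org> - 0.39.0-2` here.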
@@ -1,1 +1,2 @@
SHA512 (acme-0.39.0.tar.gz) = 1a59fd4a7dce6c5eb0564a1fb8f6b39b88fccaf3c4a03949b391862a9a937ccc8f81dc99b347a343c73834d006e05b515bfe1daa3f24fd6caa8c0fd8100293b4
+ SHA512 (acme-0.39.0.tar.gz.asc) = da15b67f9cb78c673b5e61da4343dbc3b361e801f082ee7a32ac5ab9b3cebed121a8c064d4eed87e7ebdc9e22b848623cba24b633c87cb3c7655d4c3023aba83
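Review bot: `sources` has to end up with both lines, the tarball and its .asc. `fedpkg new-sources` rewrites the file with only the files named on its command line, so running it with just acme-0.39.0.tar.gz.asc would drop the first line; use `fedpkg upload acme-0.39.0.tar.gz.asc`, which appends, or pass both files to new-sources. Also note the SHA512 of the .asc is a download-integrity check only: authenticity is established by the %{gpgverify} line in %prep, which is also where a stale .asc belonging to a different tarball would be caught.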
source files will be verified automatically as recommended by packaging policy: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
ping?
If you don't feel confident enough to update to 0.40.0 this PR should be pretty simple to check:
- fedpkg prep (check that GPG verification shows up in stdout)
- spectool -g python-acme.spec to ensure the key is actually at the given HTTPS address
- inspect the key if you like
- fedpkg new-sources acme-0.39.0.tar.gz.asc
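The "inspect the key" and "check that GPG verification shows up" steps above can also be done offline, outside rpmbuild. The script below is an added example for this thread; it is not the PR's code and not the gpgverify script that redhat-rpm-config runs behind %{gpgverify}. It performs by hand what the spec's %prep line delegates to that macro: the keyring holds exactly the pinned primary key, the detached signature verifies against the tarball, and the signer really is that pinned key rather than any key that happens to be in the keyring. verify_source is an illustrative name; the argument file names follow the spec's Source0, Source1 and Source2, and gpg2 (falling back to gpg) is assumed to be installed.

```shell
#!/bin/sh
# Added example, not the PR's code and not redhat-rpm-config's gpgverify.
# Everything runs in a throwaway GNUPGHOME so the packager's own keyring,
# trust database and running agent are never consulted.

GPG=$(command -v gpg2 || command -v gpg)

# verify_source KEYRING SIGNATURE DATA EXPECTED_FPR
# Returns 0 only if KEYRING contains exactly one primary key, its fingerprint
# is EXPECTED_FPR, and SIGNATURE is a good detached signature on DATA made by
# that key (or one of its subkeys). The body is a subshell so the exported
# GNUPGHOME and the EXIT trap stay local to the call.
verify_source() (
    keyring=$1 sig=$2 data=$3 want=$4
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    GNUPGHOME=$tmp; export GNUPGHOME
    trap 'rm -rf "$tmp"' EXIT

    # 1. Inspect the keyring without importing it: list primary-key
    #    fingerprints, i.e. the fpr record that follows each pub record.
    got=$("$GPG" --batch --with-colons --with-fingerprint \
              --import-options show-only --import "$keyring" 2>/dev/null |
          awk -F: '$1=="pub"{p=1;next} p&&$1=="fpr"{print $10;p=0}')
    if [ "$got" != "$want" ]; then
        echo "keyring mismatch: contains '$got', pinned key is '$want'" >&2
        return 1
    fi

    # 2. Import into the scratch home and verify the detached signature.
    #    Machine-readable status lines go to fd 1; human output to fd 2.
    "$GPG" --batch --quiet --import "$keyring" 2>/dev/null || return 1
    status=$("$GPG" --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null)
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "gpg --verify failed for $data (exit $rc)" >&2
        return 1
    fi

    # 3. Pin the signer, not just "some key in the keyring": the last field of
    #    the VALIDSIG status line is the primary-key fingerprint of the key
    #    that made the signature, which must be the one we pinned.
    signer=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $NF}')
    if [ "$signer" != "$want" ]; then
        echo "signature made by $signer, not pinned key $want" >&2
        return 1
    fi
    echo "good signature on $data by $want"
)

# Usage against the files named in the spec (fingerprint taken from Source2):
#   verify_source gpg-A2CFB51FA275A7286234E7B24D17C995CD9775F2.gpg \
#       acme-0.39.0.tar.gz.asc acme-0.39.0.tar.gz \
#       A2CFB51FA275A7286234E7B24D17C995CD9775F2
```

Step 1 is what "inspect the key" amounts to in a form that can be scripted: a keyring that carries more than the one expected key, or a different one, is rejected before anything is imported. Step 3 matters because gpg --verify exits 0 for a good signature from any key in the keyring; reading VALIDSIG ties the result to the pinned fingerprint.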
@fschwarz Apologies for the delay on this. I'll be taking a look shortly.
This looks good. I won't be merging it just yet, as I'm going to want to make similar changes to the numerous other certbot packages when I do. Thanks for your work on this.
btw: if you want to merge this (as opposed to redoing it yourself) better do it before adding other changes so you don't generate changelog conflicts (no need to push out a build). Anyway: Looking forward to a new certbot + EPEL8.
GPG signature validation pulled in manually.
Pull-Request has been closed by elyscape