From a269a56bd55e19af8b45e3a131e5cd5f1785a87b Mon Sep 17 00:00:00 2001 From: Joel Capitao Date: Mar 17 2021 13:54:11 +0000 Subject: Implement sources verification using upstream gpg signature According to Fedora packaging guidelines [1], "Where the upstream project publishes OpenPGP signatures of their releases, Fedora packages should verify that signature as part of the RPM build process". This is the case for OpenStack packages, as tarballs are gpg signed when released [2][3]. This patch is implementing signature verification when building using release tarballs in CBS, not in DLRN based builds. However, signature verification can also be disabled manually for CBS builds by setting sources_gpg macro to 0 manually. [1] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification [2] https://docs.opendev.org/opendev/system-config/latest/signing.html [3] https://releases.openstack.org/#cryptographic-signatures --- diff --git a/.gitignore b/.gitignore index d391e73..02358b0 100644 --- a/.gitignore +++ b/.gitignore @@ -28,3 +28,6 @@ /python-novaclient-15.1.0.tar.gz /python-novaclient-17.0.0.tar.gz /python-novaclient-17.2.1.tar.gz +/python-novaclient-17.4.0.tar.gz +/0x5d2d1e4fb8d38e6af76c50d53d4fec30cf5ce3da.txt +/python-novaclient-17.4.0.tar.gz.asc diff --git a/python-novaclient.spec b/python-novaclient.spec index 3565998..227acbc 100644 --- a/python-novaclient.spec +++ b/python-novaclient.spec @@ -1,3 +1,5 @@ +%{!?sources_gpg: %{!?dlrn:%global sources_gpg 1} } +%global sources_gpg_sign 0x5d2d1e4fb8d38e6af76c50d53d4fec30cf5ce3da %{!?upstream_version: %global upstream_version %{version}%{?milestone}} %global sname novaclient 
@@ -16,8 +18,19 @@ Summary: Python API and CLI for OpenStack Nova License: ASL 2.0 URL: https://launchpad.net/%{name} Source0: https://pypi.io/packages/source/p/%{name}/%{name}-%{version}.tar.gz +# Required for tarball sources verification +%if 0%{?sources_gpg} == 1 +Source101: https://tarballs.openstack.org/%{name}/%{name}-%{upstream_version}.tar.gz.asc +Source102: https://releases.openstack.org/_static/%{sources_gpg_sign}.txt +%endif + BuildArch: noarch +# Required for tarball sources verification +%if 0%{?sources_gpg} == 1 +BuildRequires: /usr/bin/gpgv2 +%endif + BuildRequires: git-core %description @@ -63,6 +76,10 @@ This package contains auto-generated documentation. %endif %prep +# Required for tarball sources verification +%if 0%{?sources_gpg} == 1 +%{gpgverify} --keyring=%{SOURCE102} --signature=%{SOURCE101} --data=%{SOURCE0} +%endif %autosetup -n %{name}-%{upstream_version} -S git # Let RPM handle the requirements diff --git a/sources b/sources index dd414e0..9deb948 100644 --- a/sources +++ b/sources @@ -1 +1,3 @@ -SHA512 (python-novaclient-17.2.1.tar.gz) = d1a9966f7da80e0884a451b3b014c45a1b4057dbdf0d8bcd23665eee55b6f15872e8e1d2b79b3cdbfc78f51800ffa3536cf0ab4e30eebf3878ffc007c52913cd +SHA512 (python-novaclient-17.4.0.tar.gz) = e5edfdf6ef4b5b7c2748e82e7c00811055705452f19d8fc33a3d7c5fa12cfd14f09de3a4abedd0f1da01e23e6d05e4e9902efc7188a12a291bd150b930ab51d1 +SHA512 (0x5d2d1e4fb8d38e6af76c50d53d4fec30cf5ce3da.txt) = de05d453914290e5a002d1202baa74d02f57f1b48a77f438b4bc0cc70d00ca4a8a022ed8c0d8c0cea54804eca564ade447cc70c30b8639464115aaf948285fdf +SHA512 (python-novaclient-17.4.0.tar.gz.asc) = 13b010da0e24f6ec2d6bfbfdbbabb98ab06e737f160eba4d50347153625c8e346b9d3ee9c1e7b2540540a597a5eb6a52147e7d5c8f2e4d9a49479221d60ec476
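Review bot: in the spec header hunk, `%{!?sources_gpg: %{!?dlrn:%global sources_gpg 1} }` leaves `sources_gpg` undefined whenever `dlrn` is set, so every later `%if 0%{?sources_gpg} == 1` guard is false in DLRN builds and no verification runs at all; that matches the commit message, but a one-line comment above the macro stating that DLRN builds consume unsigned git snapshots would stop the next maintainer from reading it as a bug. Also, `sources_gpg_sign` holds a key fingerprint (`0x5d2d1e4f...`) used to build the Source102 URL, not a signature; a name such as `sources_gpg_key` would say what it is.

Review bot: in the Source/BuildRequires hunk, `Source0` is fetched from pypi.io while `Source101` (the `.asc`) and `Source102` (the key) come from tarballs.openstack.org and releases.openstack.org; the detached signature only verifies if the PyPI artifact is byte-identical to the upstream release tarball, so either point `Source0` at tarballs.openstack.org, where the `.asc` lives beside the tarball, or add a comment stating that assumption so the failure mode is obvious when the two ever diverge. Separately, `BuildRequires: /usr/bin/gpgv2` pins a binary path; the guideline cited as [1] in the commit message asks for `BuildRequires: gnupg2`, which provides gpgv2 and also the gpg2 binary that the gpgverify helper may need to dearmor an ASCII-armored key file such as the `.txt` key used here.

Review bot: in the %prep hunk, calling `%{gpgverify}` before `%autosetup` is the right order, but a build with `--define 'sources_gpg 0'` currently leaves no trace in the build log and looks identical to a verified one; add an `%else` branch that echoes that source verification was skipped, so the log records when the check was bypassed.

Review bot: in the `sources` and `.gitignore` hunks, the tarball moves from 17.2.1 to 17.4.0 alongside the new `.asc` and key file, yet the commit message does not mention the rebase and no `Version:` change appears in the spec diff; either say in the message that the spec already targets 17.4.0 or split the rebase from the verification change. Note also that the SHA512 line for `0x5d2d1e4fb8d38e6af76c50d53d4fec30cf5ce3da.txt` is what actually pins the trust anchor, since the key is downloaded from the same release infrastructure as the signature; a comment next to `sources_gpg_sign` saying the fingerprint must be checked against [3] before that line is ever updated would be worthwhile.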