https://bugzilla.redhat.com/show_bug.cgi?id=2359878
Bug ID: 2359878
Summary: Review Request: gpgverify - signature verifier for easy and safe scripting
Product: Fedora
Version: rawhide
Hardware: All
OS: Linux
Status: NEW
Component: Package Review
Severity: medium
Priority: medium
Assignee: nobody@fedoraproject.org
Reporter: bjorn@xn--rombobjrn-67a.se
QA Contact: extras-qa@fedoraproject.org
CC: package-review@lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora

Spec URL: https://www.Rombobj%C3%B6rn.se/packages/gpgverify-2.1-1/gpgverify.spec
SRPM URL: https://www.Rombobj%C3%B6rn.se/packages/gpgverify-2.1-1/gpgverify-2.1-1.fc43...
Description: GPGverify is a wrapper around GnuPG's gpgv. It verifies a file against an OpenPGP signature and one or more keyrings. Rather than assuming manual use by a knowledgeable user, GPGverify is designed to be easy to use safely in a script. It avoids various unsafe ways of using gpgv that could make a script vulnerable.
Fedora Account System Username: rombobeorn
The package above is for Fedora 43 and later. In Fedora 41 and 42 I'll use this spec file: https://www.Rombobj%C3%B6rn.se/packages/gpgverify-1-1/gpgverify.spec This one is a metapackage that pulls in gnupg2. It will allow spec files to require "gpgverify" in Fedora 41 and 42 too, so the Packaging Guidelines can be updated without waiting a year.
Fedora Review Service fedora-review-bot@fedoraproject.org changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
Keywords|                            |AutomationTriaged
URL     |                            |https://src.fedoraproject.org/rpms/gpgverify

--- Comment #1 from Fedora Review Service fedora-review-bot@fedoraproject.org ---
Copr build: https://copr.fedorainfracloud.org/coprs/build/8907820 (succeeded)
Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-rev...
Please take a look if any issues were found.
--- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service
If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Björn Persson bjorn@xn--rombobjrn-67a.se changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
CC      |                            |ngompa13@gmail.com

--- Comment #2 from Björn Persson bjorn@xn--rombobjrn-67a.se ---
Neal Gompa asked to be pinged.
Neal Gompa ngompa13@gmail.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
Flags   |                            |fedora-review?
Assignee|nobody@fedoraproject.org    |ngompa13@gmail.com
Status  |NEW                         |ASSIGNED

--- Comment #3 from Neal Gompa ngompa13@gmail.com ---
Taking this for review.
Neal Gompa ngompa13@gmail.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
CC      |                            |decathorpe@gmail.com

--- Comment #4 from Neal Gompa ngompa13@gmail.com ---
Spec review:
License: Boehm-GC
This is missing a license file in the sources that is installed along with the package. Can you please add one?
--- Comment #5 from Björn Persson bjorn@xn--rombobjrn-67a.se ---
I thought it would be enough to have the license header in both files. If I make a separate license file, what do I write for a copyright notice in that file? SPDX requires the exact words "the above copyright notice", so the license file needs to contain some copyright notice for that phrase to refer to. Should I sort of merge the copyright notices of the script and the macro?
--- Comment #6 from Neal Gompa ngompa13@gmail.com ---
Basically a file with a copy of the notice you have in the header is sufficient.
--- Comment #7 from Björn Persson bjorn@xn--rombobjrn-67a.se ---
License file added.

Spec URL: https://www.Rombobj%C3%B6rn.se/packages/gpgverify-2.1-2/gpgverify.spec
SRPM URL: https://www.Rombobj%C3%B6rn.se/packages/gpgverify-2.1-2/gpgverify-2.1-2.fc43...
--- Comment #8 from Fedora Review Service fedora-review-bot@fedoraproject.org ---
Created attachment 2088748
  --> https://bugzilla.redhat.com/attachment.cgi?id=2088748&action=edit
The .spec file difference from Copr build 8907820 to 9006683
--- Comment #9 from Fedora Review Service fedora-review-bot@fedoraproject.org ---
Copr build: https://copr.fedorainfracloud.org/coprs/build/9006683 (succeeded)
Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-rev...
Please take a look if any issues were found.
Neal Gompa ngompa13@gmail.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
Flags   |fedora-review?              |fedora-review+
Status  |ASSIGNED                    |POST

--- Comment #10 from Neal Gompa ngompa13@gmail.com ---
Review notes:

* Package follows Fedora packaging guidelines
* Package licensing is correct and license data is installed
* Package builds and installs
* No serious issues from rpmlint
PACKAGE APPROVED.
Fedora Admin user for bugzilla script actions fedora-admin-xmlrpc@fedoraproject.org changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
Status  |POST                        |RELEASE_PENDING

--- Comment #11 from Fedora Admin user for bugzilla script actions fedora-admin-xmlrpc@fedoraproject.org ---
The Pagure repository was created at https://src.fedoraproject.org/rpms/gpgverify
Björn Persson bjorn@xn--rombobjrn-67a.se changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
Resolution |---                         |NEXTRELEASE
Status     |RELEASE_PENDING             |CLOSED
Last Closed|                            |2025-05-09 09:11:23

--- Comment #12 from Björn Persson bjorn@xn--rombobjrn-67a.se ---
Built, tested and submitted for Rawhide. Thanks for the review.