GPG verification in SPECs

Till Maas opensource at till.name
Fri Jul 12 16:46:31 UTC 2013


On Wed, Jul 10, 2013 at 03:01:07PM -0700, Brian C. Lane wrote:
> On Mon, Jul 08, 2013 at 11:15:05PM +0200, Till Maas wrote:
> > Hi,
> > 
> > upstream of pam_mount pointed me to OpenSUSE's gpg-offline RPM macros at
> > https://build.opensuse.org/package/show/Base:System/gpg-offline
> > 
> > They allow using a keyring and detached signature as additional sources
> > in SPECs to get both verified. Since gpg-offline's upstream is willing
> > to create a proper release to allow easy packaging for Fedora, I wonder
> > if I will find any obstacles when I package it. The packaging guidelines
> > allow packaging RPM macros, therefore this should be fine.
> > 
> > Also I am interested whether there are better options available.
> 
> In parted we have a signed upstream package and a detached signature. In
> the pkg git we have the signer's public key and in %prep it runs gpg.
> 
> Source0: ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz
> Source1: ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz.sig
> Source2: pubkey.jim.meyering
> 
> gpg --import %{SOURCE2}
> gpg --verify %{SOURCE1} %{SOURCE0}
> 
> What does gpg-offline add to this?

I did not yet read it, but your code has several flaws:

- It modifies the users default GPG keyring, which might be considered
  rude (if it is not run on Koji or in mock)
- It does not ensure that the signature is actually from the key that is
  provided as Source2
- It either does not work if the key is not trusted or allows signatures
  from untrusted keys, because the provided key is not especially marked
  as trusted

I hope that gpg-offline does not have these flaws, but since addressing
this needs a little bit more code, a macro seems to be the right way to
do this for me.

Regards
Till
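One way to address the three points above, added here as an illustration and not code from the thread, from gpg-offline or from any Fedora macro: a POSIX sh function that a %prep step could call with the three sources from the parted snippet. It uses a throw-away keyring instead of the packager's ~/.gnupg, and accepts the signature only if the VALIDSIG status line names a primary key that was actually in the supplied key file, so "trust" is defined by what the SPEC ships rather than by a trustdb. The function name verify_detached and the %{SOURCEn} mapping are assumptions; it also assumes GnuPG 2.1 or later plus awk, grep and mktemp on PATH.

```shell
#!/bin/sh
# Added example (not gpg-offline's or Fedora's code): verify a detached
# OpenPGP signature against exactly the key shipped as a source file.
# Assumes GnuPG 2.1 or later on PATH, plus awk, grep and mktemp.
#
# verify_detached PUBKEY SIGNATURE FILE
#   Returns 0 only if SIGNATURE is a good signature over FILE and the
#   signing key's primary fingerprint is one of the primary keys in PUBKEY.

verify_detached() {
    pubkey=$1 sig=$2 file=$3
    rc=1

    # (1) A throw-away keyring: nothing touches the caller's ~/.gnupg.
    keyring=$(mktemp -d) || return 1
    chmod 700 "$keyring"

    # (2) Import only the key we were handed and record the primary
    #     fingerprint(s) it contains. This list, not a trustdb, defines
    #     which keys are acceptable.
    if gpg --homedir "$keyring" --batch --quiet --import "$pubkey" 2>/dev/null; then
        wanted=$(gpg --homedir "$keyring" --batch --with-colons --with-fingerprint \
                     --list-keys 2>/dev/null |
                 awk -F: '$1 == "pub" { p = 1; next } $1 == "fpr" && p { print $10; p = 0 }')

        # (3) Verify with machine-readable status output. --trust-model always
        #     keeps gpg from consulting web-of-trust state (gpg --verify exits 0
        #     for an untrusted key anyway); the check that matters is done on the
        #     VALIDSIG line, whose last field is the primary fingerprint of the
        #     key that made the signature.
        if status=$(gpg --homedir "$keyring" --batch --status-fd 1 --trust-model always \
                        --verify "$sig" "$file" 2>/dev/null); then
            signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
            if [ -n "$signer" ] && printf '%s\n' "$wanted" | grep -qxF "$signer"; then
                rc=0
            fi
        fi
    fi

    # Clean up, including any agent gpg started for this homedir.
    gpgconf --homedir "$keyring" --kill gpg-agent 2>/dev/null || true
    rm -rf "$keyring"
    return "$rc"
}

# Usage from a SPEC's %prep, with the sources named in the parted snippet
# (Source0 tarball, Source1 detached signature, Source2 public key):
#   verify_detached %{SOURCE2} %{SOURCE1} %{SOURCE0} || exit 1
```

Note that the fingerprint comparison is what rejects a signature made by some other key that happens to be present, and that a tampered tarball fails already at the gpg exit status; both cases are distinct from the "untrusted key" warning, which on its own does not make gpg --verify fail.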

