verify upstream source signature

Per the packaging guidelines¹. While adjusting the git ignore rules for the signature file, replace many older tarball entries with a simple glob. Ignore expanded source directories as well. ¹ https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
2 years ago · 1c3fb52316
parent bbf821b2c0
commit 1c3fb52316
4 changed files with 55 additions and 33 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,26 +1,2 @@
-fail2ban-FAIL2BAN-0_8.tar.bz2
-fail2ban-0.8.4.tar.bz2
-/fail2ban_0.8.7.1.orig.tar.gz
-/fail2ban_0.8.8.orig.tar.gz
-/fail2ban-0.8.10.tar.gz
-/fail2ban-0.8.11.tar.gz
-/fail2ban-0.9-d529151.tar.xz
-/fail2ban-0.9-1f1a561.tar.xz
-/fail2ban-0.9.tar.gz
-/fail2ban-0.9.1.tar.gz
-/fail2ban-0.9.2.tar.gz
-/fail2ban-0.9.3.tar.gz
-/fail2ban-0.9.4.tar.gz
-/fail2ban-0.9.5.tar.gz
-/fail2ban-0.9.6.tar.gz
-/fail2ban-0.9.7.tar.gz
-/fail2ban-0.10.0.tar.gz
-/fail2ban-0.10.1.tar.gz
-/fail2ban-0.10.2.tar.gz
-/fail2ban-0.10.3.1.tar.gz
-/fail2ban-0.10.4.tar.gz
-/fail2ban-0.10.5.tar.gz
-/fail2ban-0.11.1.tar.gz
-/fail2ban-0.11.2.tar.gz
-/fail2ban-1.0.1.tar.gz
-/fail2ban-1.0.2.tar.gz
+/fail2ban-*/
+/fail2ban-*.tar.gz*
--- a/fail2ban.spec
+++ b/fail2ban.spec
@ -1,16 +1,27 @@
 Name: fail2ban
 Version: 1.0.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Daemon to ban hosts that cause multiple authentication errors

 License: GPLv2+
 URL: http://fail2ban.sourceforge.net/
 Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source1: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
+# Releases are signed by Serg G. Brester (sebres) <info AT sebres.de>.  The
+# fingerprint can be found in a signature file:
+#   gpg --list-packets fail2ban-1.0.2.tar.gz.asc | grep 'issuer fpr'
+#
+# The following commands can be used to fetch the signing key via fingerprint
+# and extract it:
+#   fpr=8738559E26F671DF9E2C6D9E683BF1BEBD0A882C
+#   gpg --receive-keys $fpr
+#   gpg -a --export-options export-minimal --export $fpr >gpgkey-$fpr.asc
+Source2: gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc
 # SELinux policy
-Source1: fail2ban.fc
-Source2: fail2ban.if
-Source3: fail2ban.te
-Source4: Makefile
+Source3: fail2ban.fc
+Source4: fail2ban.if
+Source5: fail2ban.te
+Source6: Makefile

 # Give up being PartOf iptables and ipset for now
 # https://bugzilla.redhat.com/show_bug.cgi?id=1379141
@ -43,6 +54,7 @@ BuildRequires: systemd
 BuildRequires: selinux-policy-devel
 BuildRequires: make
 BuildRequires: bash-completion
+BuildRequires: gnupg2

 # Default components
 Requires: %{name}-firewalld = %{version}-%{release}
@ -206,6 +218,7 @@ by default.


 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1

 # Use Fedora paths
@ -216,7 +229,7 @@ find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3
 %endif

 # SELinux sources
-cp -p %SOURCE1 %SOURCE2 %SOURCE3 .
+cp -p %SOURCE3 %SOURCE4 %SOURCE5 .

 # 2to3 has been removed from setuptools and we already use the binary in
 # %%prep.
@ -229,7 +242,7 @@ sed -i "/use_2to3/d" setup.py
 %else
 %py3_build
 %endif
-make -f %SOURCE4
+make -f %SOURCE6


 %install
@ -411,6 +424,9 @@ fi


 %changelog
+* Sun Apr 02 2023 Todd Zullinger <tmz@pobox.com> - 1.0.2-4
+- verify upstream source signature
+
 * Thu Mar 30 2023 Orion Poplawski <orion@nwra.com> - 1.0.2-3
 - Add upstream patch to remove warning about allowipv6 (bz#2160781)

--- a/gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc
+++ b/gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc
@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFeHbzIBCACWgr54J4t2fpI7EIrMTqso5kqPRTSY7eO2T0965JW6Zl4C0HZT
+Wz+9c5aGlKeotf4Fv7zOhpUwULFSGAq3tVbxAxW9++LAXPGad6uE4aPsXoQ6+0RV
+lJozNclURRal46vz3uuGLiSJ5+VQ1WD1sFLuw2/bMzE4GFR0z4w4UOc3ufAQ3obC
+i5szSy5JWtCsmvCdNlhXTxa66aUddN8/8IHJSB6QZabGEcG4WfsfhUiH38KUuqrO
+hYvT9ROY74pwSsHuWEzVRE00eJB4uxngsKHAGMYhkNxdKCG7Blu2IbJRcBE8QAs3
+BGqJR8FBify86COZYUZ7CuAyLyo1U6BZd7ohABEBAAG0KVNlcmcgRy4gQnJlc3Rl
+ciAoc2VicmVzKSA8aW5mb0BzZWJyZXMuZGU+iQE4BBMBAgAiBQJXh28yAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoO/G+vQqILMThB/0YUr7Y+urJChgm
+NG9exjjmTayoNb+XiMR5T2+A919NrKulEaH2mb51B7XBmFuCj8x5O1wA3xYo7B6h
+RVuNyb2eI3+bRD33QsKcs6NsgK/I1xLD15NrEftPckWqYypR6//u9Tmz5o9n9+/n
+2dH7SU7UPW468/bRUhFp+SQ70B0XLdyDgGLEN9TNsAvnEi30Vtjbia4Lp/NXYRkq
+GEzvpgZ7Dt9YhT+qdSs6AwyN0ZhnvX+zqXi+Q18xlbnuq2ZZkwK8Es/HdEDu2HNJ
+3nn3l15pyMe/OxYhg646NcqGR6j1rEZ7jXyN2i5sEdspXfwv0lGtLr7ANElWqOvX
+XYBAspRvuQENBFeHbzIBCACyCMv4CQ+blzj53ZLPyBMnj38oQ7bbpAtDThfB8hEZ
+uk6Kmo799Zo2rLG2iqvy8SEuN/bLQKyzFTiB4UYWvRxne792N0nWLU24/bd7j/Gh
+Q4EHUhs38WRSYtu93XCKzvyzn5s3504luOBF6czNrLeDfWXGVGosBsBoASY7de7a
+kiXb7a28dNDSG0JaR+QwONjmde9hAzqOX0iOYHvJeu68UKaUp4IrJ+nTMHFhwUbf
+awCmz+NPPrm360j4BuvYSWhS06tM7c6+gfvXHOTtJ5TEGbrm+I8d2q7nhxg3nku6
+7qnddkW2OS8EQVlw7XFox929mTLzw0MEmjqmSRTx2Qk3ABEBAAGJAR8EGAECAAkF
+AleHbzICGwwACgkQaDvxvr0KiCwdxQf7BM7jo6v7uU7324ZkLQmtZndcXnXZMbSw
+2pDzR2h01Vx7dHppzNOkyv8DvUWttwaMaTU57cdzThTkQPk8Lx8sCvi40RmWS2vs
+IArgTS1HNStprPUg4sk99JOZg2y4LBqkLUxZveDsH+rXdFA/fp8048/M4ss6qj4O
+ySe4crABbbv5yRADBJZt4LQdFoNGEpSaOtcxJmwJ7hrV+wQhVMm9m+/JpgzNT4rb
+muPgveqzmSiTGJ6Yy2bEKyY0dCyPuWbWWPt4mCcT+9emZC1O8EjST0i9f9EUUU6c
+6UCy7zi5EQ9CVv1Dlz1qefm/5/iFAAFQ5DtYC3cwDq8CqgqzoHMtNg==
+=vqSW
+-----END PGP PUBLIC KEY BLOCK-----
--- a/1
+++ b/1
@ -1 +1,2 @@
 SHA512 (fail2ban-1.0.2.tar.gz) = 688a84361b5794e1658f53d2d200ce752fe1e3320ddb1742c32c4b4b82a79ace16ae464e7ea3eeb94a0e862bcac73c2d3a0e61dd7b28e179a4c857f950d74dbb
+SHA512 (fail2ban-1.0.2.tar.gz.asc) = 1c0af7e454d52879788d9728010a68159a94668d93799da5533999e8c821db87f651b3606347af16fd92a4540a7a343dc682f72bb3bab14e3666f848883d8644