verify upstream signatures in %prep

Per the guidelines¹, verify upstream signatures. The fingerprints of the keys contained in `key.asc` were checked against the upstream page (https://dev.yorhel.nl/). ¹ https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
2 years ago · 28967bbfe3
parent 8f788dd894
commit 28967bbfe3
3 changed files with 86 additions and 2 deletions
--- a/key.asc
+++ b/key.asc
@ -0,0 +1,76 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQINBE6e++YBEAD14q0B9xZukiy3C+0uq0ZN0HfgZ9eoPfBbTJ0eRvELhn5RBnMN
+4hcwTtmCdtjSCzZuNswkB5glvFt+3tGVv+EO6jIdDemI2BZv1Z8nXYas/Xx2y7WM
+YMkLBFPagaeh+JG7D7G8kxZtku/3fhbYP21kPbGUi/MNXP34jxR5aNBf/ChLGewG
+VfjXgu8frU3NPceX9WbQzLdYot0cprR5ixahgdPDLL8XaDDZFTYN0OrMaqN4iLws
+RJNYY8l6zr4BIdhjW6TaHEHtsLmgIuUQK4deGXwES6tOdA0tXzssMrpK0Pn1TNgo
+cV1qB36Tk6dlW2/g1Kdy2hJGCZVIDp0H1edwpfqn1YDRSFO1gxRpE+s25eZ5JnPX
+0ytWtfUclKGfP8ZxIu3IAU+1+iq5tvMkxYby8/bawS1254jaepb75mWQnqSIC37Q
+Wj3zqGWFinwkMSjPocwTR0uatK9qXSB4fyKjM7ITWS3DFybtZNgfX3oC7E1Qr+kU
+ZWkh8LT9c2EOCoJP+oLKrtpYsagOoix4L4CrOWQjBGZus5BQrTz8Y2lDfYIO5VNm
+ChezeuZdONuuHFHBUuF42J9JNxohiuNmiiL2PWTEIllnGbgDcGb01e3Ite7V1vJe
+fKSAa0bkW8LWC20MmG9NSvNndZ0XbszCaw81g3OKFCExKjzBcUdwoXTjfQARAQAB
+tBZZb3JoZWwgPGdpdEB5b3JoZWwubmw+iQI3BBMBCgAhBQJOnwF2AhsDBQsJCAcD
+BRUKCQgLBRYCAwEAAh4BAheAAAoJEGI5TGmMJzn6a5MP/i5bAPD48Tm/AK1kFoRU
+MwGx4t6bpTRquKx4EObxvdPhVrNgmtYWzhomoyEL/xNnzYL7lj5uu2F91cz1WQHH
+WKzjVUR+ZgE5QXVdErM9UggJmr7Inp/fRAZPEnV/YLd8gTg+r857qX1lldePc2uc
+lYgeOuTlQ1YoXF3GtFsuvYGiBrbLCU0m15ZSL+SritGD2GhvGuSAoHJwVopnxdAT
+OA4YctAVRvLwvYZgKLZAf9mdQjtaozr07XqZ1mSQxtUBhUb7uddf4HXDa+d6SoNq
+nmeb7nDV40f3YXe41xsDHltNTS7cb2K0dlbf11juOkNiSAt3ijP3UFBmUtaWy3AI
+zqVhfiwG/ixJdpnG6xH0wJNbp6UOpPTH5ie2zVQIvfcqYu16k5hr1D39TqDSvMCx
+7LLkeCuIGMdRCJ8w4MElAVGMA/9GnCRaAPiTP2KxvmXxJLX10mRtpZF+Bv2oqVCi
+NF1XfuItgeVjpqr5r6cKJ7UjLCQp3LIyivkIC2FrzHlBpnEuBmXYxHN6B0U4ylRx
+XFxtu35lQV0tcGSPckDT7VgRWKsyneCiyvG6t589tBwxs2IgGdXdaIlpNDBE/4Au
+MMdv5HPLKxbuDeSBU43eX5DON4sjriLGnfiPTGzTbYNwSZsn5abRgRrFVmnO5oX+
+qdipwK+ebgbZcZUgvNcIZZbntB1Zb3JhbiBIZWxpbmcgPGluZm9AeW9yaGVsLm5s
+PokCOgQTAQoAJAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAUCTp8CXgIZAQAK
+CRBiOUxpjCc5+g8gEACQ5cv0QQi52Y+O2QzzBH7eTCz4aEncBByB7D9CnwGnEch5
+PLnrsd89+txhHeqCijQtbUPkn3R3pG3AyCUmK+P7ub0riE70e0kdWxttre7tP/vZ
+8Ysn20Mb6IORv2wBX8n5XXUO1yjlawLFDQKMH0Uac0poWJtWE2bhH/L8ty6QlFgz
+D7vM0lNp353nACxmE5PcCfVpqhc6tN3KmdaGhgVYep7lsknGxvBnFtMr1QLx99lt
+ttQG8tUXU3K6kZPdGxWfc+ev3Gptsw1tMBeAgU8gu2KRj+xsU0l6JBKCIjtPHYBO
+GuI1MQJ51g4TryAcTTCVtCzLtXftJga7MeDh6zqh0EzNqJ44JTg2cIGpwY0Hxort
+CnVn4b9/sMHrhq2JjcdhvacTcPfI4W/txxZlW6WfBh78iHH2v8pZgW+LHopSjwFZ
+HHy6JrWhVk8STdGdXCF7GatJSvYB7Z5XTVSeWNlPZHdE/1O/kJp7bgFWtygJuUb8
+YgqG4qVo7cx851I8XheG0IitK5N+6F+4QPhZ1EovqlEZXuzaUhZfzzO6HlISwunx
+aVUfRnxLxL3c9wg0oZWl+tm0g6pSi6I8TnivbX926B1mFeYnQkLONlgeorDiL2AO
+fAtWLe3y5OpD6tCfGh7hecQLEEGhuTSYt0r8tOk59oGGGXeppQ6OeisYMtwbm7Qh
+WW9yYW4gSGVsaW5nIDxwcm9qZWN0c0B5b3JoZWwubmw+iQI3BBMBCgAhBQJOnwFe
+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEGI5TGmMJzn6KZwP/i+WNH/A
+MDKS9U99h398G3tXUgHUOm5nzNdWVy8o87+jw3GV8QvZcP5l+r5ltzI8c8I70Nwy
+ooJx55Cy9fQJf8RUwcZV77yeinjqK/RK3IqzwB60R7Yv6qljvZygJ2Z+fM/49OA8
+7LzhIIgRs5I/bJm/9OwrB9aNXzWv96okeReYO4mPEsEWsQo2mhPjecZEcNqs9fIj
+9zZr/Pl2IyOn6BIkhaWxGuKuqtak7641pcJEQ5DAtagJCPrvz957L5bkdzqAY/W9
+gHBajTQ0041tKHg8z05bBnlZGVRMbZ77hB7N+Do9lep4XsuEHTLNmRXE5wJ91Euw
+nFCVyk51G87mD19I6oEr0+aLNnWewMJIVyKGaNv0z+dl8gophjvKmg6U8joh2eA4
+7y2uX12282xdOYtLN3+j3fLIYr5zDTj30lirk6dtMUlUWNJsIClE6PDbGMels/DQ
+FsbBl9EBvzHYTt3bFtoxntZdqrV234ZfwQiBoojt/Sl9iI2zrcZEK4EtDNPAzeVs
+1NeDLboCP4DMOsVqfve1Ac7blpnKg0lg3N/ibUF/2arPKQ3AQDWW6enpYYzyBrNz
+54B4xsW0XPTsYt+izjFlc2CQwHMKy+9y3iwAi7Tx7OVuqbc0E/hrPttiYQ6YL/FW
+R9q753exnCmX+1yc51XBSh4RN8beOtLWbdWKuQINBE6e++YBEADRrC5VHbiY2sR7
+H664Iu0r5SloaEcb6DQpVQF/SSa37WcXVMh0C4t5Bh/7Jq3OiL919FU7xf+gz2mG
+Oh+T/HWPmEDRxAgU43JyBg8HMqVWxpAKk/zHj1uEf+rP/q/S6S48hFsDEChbOFlS
+1OxR2DTL5SDw/qx95MEDt2LNKFE8zz/ABG2W/GkRPJh02hbBd/5gpqTGmZYskhtc
+GiXxpEI7p/vCOrHYc8cmZ/sob/NbmKk/kuAFnKJx2d1Mz/vQEVlrYyAE1t8A6d7R
+4iYXK7EMV4lOUT+5CzRVDUjv1wavwpJrfcZWGm5tiAzS8P2iEZbpOXF0ox1V6dkD
+tzXSMxoUzWnyp1P1V86BM5zk173Lcm5CvN8rwA7ZnLInBpgPxv2ra9u7xAEdW7Ya
+HzcXmd2fxVvBiEwAVrjH6PpVPKfZOlpy2AsIyyR8SO9Qo1/JITmZT/wSnDf+jqAC
+XVLcK3QZESYI0yLQR9ZwLGPs2mjodDaG/ds4iMhLpqY+jmDya9+Khus4Cdntcl+f
+L9eG75gsmCpKBBSApNPOfS1+YePfqns0P/1O+G4MANNrmfR2j+Imx7d9ZEt0Nefy
+25aqiH/LojcYVrwDIq8Lhhm8ZLJcSsx1+pqu2v6xaJMoXWIK7BL08aOL7rAfSX30
+eoYzqVwihfcNrT6njj8KgkDqHHYyqwARAQABiQIfBBgBCgAJBQJOnvvmAhsMAAoJ
+EGI5TGmMJzn6/VMP/RdzRtwCUoqzxoZJubqVVGm1ziHgtRwkt92yFiXobGi7JG64
+P83LbVgfXSJmMuAGFpcaFe1yyCfL7K3jIz+3/ypmEMOZXsTv6rcqdj8VSBTRghJI
+aF2ZtNDV419itoT/GBgVBun56xqRV3ueUJIyPgVCBavgTl9hoNRkoO8jfrr3bQWi
+/crRcQqy7mNKtquEsfwPqDaJ54mxpbNj8IYx7T/VzVs0KXX8AYX7KYKLtNfyy18R
+sLqKnbr1uRogaqnLOrCjUKszJUf6T5rwM+RsmWW1Cy7P21YaCvQw5rw071tUnv8u
+BNzvR+/czlstJVKBHnbTM9uuj64JKr6Ssy3WMhf5+PDBWfuneW+1fKhQdQBBLFq7
+PVx/5MBANqCdQ6u9jHr5p8rZrUsHdrTxbgUY5IKHPc9bkyfYxssvmBWiMdrE3aW0
+ybxVaNVuxKbbf+3em4nfKH4FzQPgeka9CMlM0cLmL+wkPr3v9+EbH9rYlQbsDNSY
+iWA5eF74bWWCqxzr5gHtMfsKdTh6Spgd5mbi41BMSAHpg2JKX56V52QUXndomhlH
+VGzL88xeekIm8VXh/N7NWHuBfmtLkvmf/aeKD5XugWUJyoZeHqmh0GKc3BGXES14
+OCKt0CuEGBwv8irRF2IMycSfq06wjzFMn0gJ/ZViqdKdJw6tym3+CtQDc5fO
+=pI+G
+-----END PGP PUBLIC KEY BLOCK-----
--- a/ncdu.spec
+++ b/ncdu.spec
@ -1,14 +1,17 @@
 Name:           ncdu
 Version:        1.18
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Text-based disk usage viewer

 License:        MIT
-URL:            http://dev.yorhel.nl/ncdu/
+URL:            https://dev.yorhel.nl/ncdu/
 Source0:        https://dev.yorhel.nl/download/ncdu-%{version}.tar.gz
+Source1:        https://dev.yorhel.nl/download/ncdu-%{version}.tar.gz.asc
+Source2:        https://yorhel.nl/key.asc

 BuildRequires:  make
 BuildRequires:  gcc
+BuildRequires:  gnupg2
 BuildRequires:  ncurses-devel

 %description
@ -16,6 +19,7 @@ ncdu (NCurses Disk Usage) is a curses-based version of the well-known 'du',
 and provides a fast way to see what directories are using your disk space.

 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %setup -q

 %build
@ -32,6 +36,9 @@ make install DESTDIR=%{buildroot}
 %{_bindir}/ncdu

 %changelog
+* Fri Dec 30 2022 Todd Zullinger <tmz@pobox.com> - 1.18-3
+- verify upstream signatures in %%prep
+
 * Tue Dec 27 2022 Richard Fearn <richardfearn@gmail.com> - 1.18-2
 - Use SPDX license identifier

--- a/1
+++ b/1
@ -1 +1,2 @@
 SHA512 (ncdu-1.18.tar.gz) = 959ca90ad35055467346c196d7d6e5afc1e57d87c83855dfb92dd8e370bce10c1a1633064854abb3ed581e0ea7b6451474472acd9e4ad3ae91b90311b07cc7d7
+SHA512 (ncdu-1.18.tar.gz.asc) = 35f0f3f7f61a49cd2ea020b6207551a953c23bb47f5f6483017fc961f857ef0283932386826707137d857377d0ae5e26ed4a4da26d47042977999e95fe389d38