Added gpg2 signature verification

Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
10 months ago · 241300c9d3
parent 577cf06919
commit 241300c9d3
4 changed files with 36 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 /oath-toolkit-*.tar.gz
+/oath-toolkit-*.tar.gz.sig
--- a/keyring.asc
+++ b/keyring.asc
@ -0,0 +1,23 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9fV+QlTmXxo2naObDuGtw5
+8YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9zZWZzc29uLm9yZz6IlgQT
+FggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYhBLHSvRN1vst4TPT4xNc8
+9jjFPAa+BQJl/YgIBQkLehFUAAoJENc89jjFPAa+CboA+wUa06RD5e5VTCxvSWtP
+S75Wq2qBeYGZnf0jvUMxa2n4AP4xkUeAPPnNuMsTm2fsFCDIGaEM2Yn6Vb2huzzT
+1Fw/BLg4BFySz2oSCisGAQQBl1UBBQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmd
+JyYPt3lNHMd6HAMBCAeIfgQYFggAJgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+
+BQJl/YgwBQkLehDGAAoJENc89jjFPAa+phoA/jrDqIrl/55vUMBhIQv+TP635d2i
+CTEnyFmbUcP9+gh6APoDsXalVd2cOGxQtSC+TF8PkZMn1TLkJKAjVxr+xx40Argz
+BFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAxI2hIX4HK9bQTpNVei708oNr1Klm8
+qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0+MTXPPY4xTwGvgUCZf2IKwUJC3oQ
+qgCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9RcisI/kdFogUCXJLPgQAKCRBRcisI
+/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE8GZHYNuFHmM9FEQS6AD6A4x5aYvo
+Y6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4JENc89jjFPAa+GcYA/26YQY05bLtn
+XiIjTiAzrGQrRXxTHPA8Av7TDFHvIetWAP9sHSoU8OfTwmTiEnGwLlsV7QJclZg3
+YNz/Ypcp9TqQBrgzBFySz3UWCSsGAQQB2kcPAQEHQLzCFcHHrKzVSPDDarZPYqn8
+9H5TPaxwcORgRg+4DagEiH4EGBYIACYCGyAWIQSx0r0Tdb7LeEz0+MTXPPY4xTwG
+vgUCZf2IJAUJC3oQrwAKCRDXPPY4xTwGvoxCAQCe/iMQZvHZmSQef5RnL1HOWy03
+OHtsZyhGLnQjsx7PhAEA3O2K0dNbPW2iZMcn9MXAOdmff3zkfNrWEWkZR/x5Xgw=
+=2aFT
+-----END PGP PUBLIC KEY BLOCK-----
--- a/oath-toolkit.spec
+++ b/oath-toolkit.spec
@ -1,6 +1,6 @@
 Name:          oath-toolkit
 Version:       2.6.11
-Release:       3%{?dist}
+Release:       4%{?dist}
 License:       GPLv3+
 Summary:       One-time password components
 BuildRequires: make
@ -12,7 +12,12 @@ BuildRequires: xmlsec1-devel
 BuildRequires: xmlsec1-openssl-devel
 BuildRequires: autoconf
 BuildRequires: automake
+BuildRequires: gnupg2
 Source0:       https://download.savannah.nongnu.org/releases/%{name}/%{name}-%{version}.tar.gz
+Source1:       https://download.savannah.nongnu.org/releases/%{name}/%{name}-%{version}.tar.gz.sig
+# gpg2 --recv-keys EDA21E94B565716F
+# gpg2 --armor --export D73CF638C53C06BE > keyring.asc
+Source2:       keyring.asc
 URL:           https://www.nongnu.org/oath-toolkit/
 Patch0:        oath-toolkit-2.6.9-lockfile.patch

@ -109,8 +114,8 @@ Requires: pam
 A PAM module for pluggable login authentication for OATH.

 %prep
-%setup -q
-%patch0 -p1 -b .lockfile
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%autosetup -p1

 %build
 autoreconf -fi
@ -182,6 +187,9 @@ mkdir -p -m 0600 %{buildroot}%{_sysconfdir}/liboath
 %{_libdir}/security/pam_oath.so

 %changelog
+* Thu Apr 11 2024 Jaroslav Škarvada <jskarvad@redhat.com> - 2.6.11-4
+- Added gpg2 signature verification
+
 * Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.11-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild

--- a/1
+++ b/1
@ -1 +1,2 @@
 SHA512 (oath-toolkit-2.6.11.tar.gz) = 42df879bebccdde3d38558ba735e09db14d0c916b9f0d3a1842e0ecc80614b7d1ee44db39d3097970a2a7108446da6eefd09bdd32dd2fb81d6aed06dc19552fd
+SHA512 (oath-toolkit-2.6.11.tar.gz.sig) = 07126e759ea6688b6964d51769d7414e2568228c6b0c271117e95db1a29b5b6faccff1b2aee8cfe34e8c27309bdbf067b522fc1cd089e864692b92302277bcf5