Add gpgverify macro to RDO builds
For consistency with the Fedora packaging guidelines [1], this patch adds the gpgverify macro, used to verify tarball integrity by checking its GPG signature. The script and macro have been taken from the upstream Red Hat macros [2]. [1] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures [2] https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/macros.fedora-misc Change-Id: I274bf995021489f06b97d32d2907cc96881e2ce3
parent
fcf62b490d
commit
f85522d6d0
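--- /dev/null
+++ b/gpgverify
@@ -0,0 +1,111 @@
+#!/bin/bash
+
+# Copyright 2018 B. Persson, Bjorn@Rombobeorn.se
+#
+# This material is provided as is, with absolutely no warranty expressed
+# or implied. Any use is at your own risk.
+#
+# Permission is hereby granted to use or copy this shellscript
+# for any purpose, provided the above notices are retained on all copies.
+# Permission to modify the code and to distribute modified code is granted,
+# provided the above notices are retained, and a notice that the code was
+# modified is included with the above copyright notice.
+
+
+function print_help {
+cat <<'EOF'
+Usage: gpgverify --keyring=<pathname> --signature=<pathname> --data=<pathname>
+
+gpgverify is a wrapper around gpgv designed for easy and safe scripting. It
+verifies a file against a detached OpenPGP signature and a keyring. The keyring
+shall contain all the keys that are trusted to certify the authenticity of the
+file, and must not contain any untrusted keys.
+
+The differences, compared to invoking gpgv directly, are that gpgverify accepts
+the keyring in either ASCII-armored or unarmored form, and that it will not
+accidentally use a default keyring in addition to the specified one.
+
+Parameters:
+--keyring=<pathname> keyring with all the trusted keys and no others
+--signature=<pathname> detached signature to verify
+--data=<pathname> file to verify against the signature
+EOF
+}
+
+
+fatal_error() {
+message="$1" # an error message
+status=$2 # a number to use as the exit code
+echo "gpgverify: $message" >&2
+exit $status
+}
+
+
+require_parameter() {
+term="$1" # a term for a required parameter
+value="$2" # Complain and terminate if this value is empty.
+if test -z "${value}" ; then
+fatal_error "No ${term} was provided." 2
+fi
+}
+
+
+check_status() {
+action="$1" # a string that describes the action that was attempted
+status=$2 # the exit code of the command
+if test $status -ne 0 ; then
+fatal_error "$action failed." $status
+fi
+}
+
+
+# Parse the command line.
+keyring=
+signature=
+data=
+for parameter in "$@" ; do
+case "${parameter}" in
+(--help)
+print_help
+exit
+;;
+(--keyring=*)
+keyring="${parameter#*=}"
+;;
+(--signature=*)
+signature="${parameter#*=}"
+;;
+(--data=*)
+data="${parameter#*=}"
+;;
+(*)
+fatal_error "Unknown parameter: \"${parameter}\"" 2
+;;
+esac
+done
+require_parameter 'keyring' "${keyring}"
+require_parameter 'signature' "${signature}"
+require_parameter 'data file' "${data}"
+
+# Make a temporary working directory.
+workdir="$(mktemp --directory)"
+check_status 'Making a temporary directory' $?
+workring="${workdir}/keyring.gpg"
+
+# Decode any ASCII armor on the keyring. This is harmless if the keyring isn't
+# ASCII-armored.
+gpg2 --homedir="${workdir}" --yes --output="${workring}" --dearmor "${keyring}"
+check_status 'Decoding the keyring' $?
+
+# Verify the signature using the decoded keyring.
+gpgv2 --homedir="${workdir}" --keyring="${workring}" "${signature}" "${data}"
+check_status 'Signature verification' $?
+
+# (--homedir isn't actually necessary. --dearmor processes only the input file,
+# and if --keyring is used and contains a slash, then gpgv2 uses only that
+# keyring. Thus neither command will look for a default keyring, but --homedir
+# makes extra double sure that no default keyring will be touched in case
+# another version of GPG works differently.)
+
+# Clean up. (This is not done in case of an error that may need inspection.)
+rm --recursive --force ${workdir}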
@ -171,3 +171,26 @@ if rhel_version > 7 then posix.setenv("RHEL_ALLOW_PYTHON2_FOR_BUILD",1) end
|
|||
\
|
||||
print(url .. first .. '/' .. src .. '/' .. src .. '-' .. ver .. '.' .. ext)
|
||||
}
|
||||
|
||||
# Compatibility with fedora in CentOS8
|
||||
|
||||
# - gpgverify
|
||||
|
||||
# From https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/macros.fedora-misc
|
||||
# gpgverify verifies signed sources. There is documentation in the script.
|
||||
%gpgverify(k:s:d:) %{lua:
|
||||
local script = rpm.expand("%{_rpmconfigdir}/redhat/gpgverify ")
|
||||
local keyring = rpm.expand("%{-k*}")
|
||||
local signature = rpm.expand("%{-s*}")
|
||||
local data = rpm.expand("%{-d*}")
|
||||
print(script)
|
||||
if keyring ~= "" then
|
||||
print(rpm.expand("--keyring='%{SOURCE" .. keyring .. "}' "))
|
||||
end
|
||||
if signature ~= "" then
|
||||
print(rpm.expand("--signature='%{SOURCE" .. signature .. "}' "))
|
||||
end
|
||||
if data ~= "" then
|
||||
print(rpm.expand("--data='%{SOURCE" .. data .. "}' "))
|
||||
end
|
||||
}
|
||||
|
|
|
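Review bot: The meaning of the `-k`, `-s` and `-d` options is not documented where the macro is defined; the comment above `%gpgverify(k:s:d:)` only points at the script, but the script documents `--keyring/--signature/--data` pathnames, while this wrapper takes Source numbers and maps them through `%{SOURCE<N>}`. I would add, above the definition, `# Usage: %gpgverify -k<N> -s<N> -d<N>, where each <N> is the Source number of the keyring, the detached signature and the file to verify (e.g. %gpgverify -k2 -s1 -d0)`. It is also worth a one-line comment that the expanded `%{SOURCE<N>}` paths are wrapped in single quotes, so the generated command relies on source file paths that contain no `'`; that is presumably always true for RDO sources, but the assumption is invisible to a reader of the macro.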
@ -81,3 +81,7 @@ sed -i "s/%{2}/%{1}_tests/g" $tempest_egg_path/PKG-INFO \
|
|||
%sphinx_build /usr/bin/sphinx-build
|
||||
|
||||
%http_dashboard_dir /srv/www/openstack-dashboard
|
||||
|
||||
# For compatibility with RDO gpgverify macro
|
||||
# Not needed for Suse, source verification is done with no need of special macro
|
||||
%gpgverify %{nil}
|
||||
|
|
|
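Review bot: `%gpgverify %{nil}` is a plain macro, whereas the RDO definition it stands in for is parametric, `%gpgverify(k:s:d:)`. As far as I know rpm only consumes the rest of the line for parametric macros, so a spec written as `%gpgverify -k2 -s1 -d0` would on SUSE expand to ` -k2 -s1 -d0` and leave that text in %prep for the shell to choke on, rather than being a clean no-op. Declaring the stub with the same option spec, `%gpgverify(k:s:d:) %{nil}`, swallows the arguments and preserves the intent stated in the comment above it.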
@ -1,8 +1,9 @@
|
|||
%if 0%{?rhel}
|
||||
%global rdo 1
|
||||
%global rrcdir %{_prefix}/lib/rpm/redhat
|
||||
%endif
|
||||
Name: openstack-macros
|
||||
Version: 2019.2.3
|
||||
Version: 2020.1.1
|
||||
Release: 0
|
||||
Summary: OpenStack Packaging - RPM Macros
|
||||
License: {{ license('Apache-2.0') }}
|
||||
|
@ -14,6 +15,7 @@ Source3: macros.openstack-rdo
|
|||
Source4: macros.openstack-fedora
|
||||
# the singlespec macros are a copy of https://github.com/openSUSE/python-rpm-macros
|
||||
Source5: macros.openstack-singlespec
|
||||
Source6: gpgverify
|
||||
BuildArch: noarch
|
||||
%if 0%{?rdo}
|
||||
Obsoletes: rdo-rpm-macros <= 1-3
|
||||
|
@ -38,6 +40,7 @@ install -D -m644 %{SOURCE2} %{buildroot}%{_sysconfdir}/rpm/macros.openstack-suse
|
|||
%endif
|
||||
%if 0%{?rdo}
|
||||
install -D -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/rpm/macros.openstack-rdo
|
||||
install -D -m 755 %{SOURCE6} %{buildroot}%{rrcdir}/gpgverify
|
||||
%endif
|
||||
%if 0%{?fedora} || 0%{?rhel} > 7
|
||||
install -D -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/rpm/macros.openstack-fedora
|
||||
|
@ -51,6 +54,7 @@ install -D -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/rpm/macros.openstack-fedo
|
|||
%endif
|
||||
%if 0%{?rdo}
|
||||
%{_sysconfdir}/rpm/macros.openstack-rdo
|
||||
%{rrcdir}/gpgverify
|
||||
%endif
|
||||
%if 0%{?fedora} || 0%{?rhel} > 7
|
||||
%{_sysconfdir}/rpm/macros.openstack-fedora
|
||||
|
|
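Review bot: The script is installed to and listed under `%{rrcdir}`, defined in the first hunk as `%{_prefix}/lib/rpm/redhat`, while the macro in macros.openstack-rdo invokes it as `%{_rpmconfigdir}/redhat/gpgverify`. On the RDO targets this spec builds for the two resolve to the same directory as far as I can tell, but they are two independent spellings of one path and can drift; deriving one from the other, `%global rrcdir %{_rpmconfigdir}/redhat`, keeps the installed location and the invoked location in lock-step with whatever rpm itself reports. If they ever did diverge the failure would be loud (the script is simply not found in %prep), so this is a consistency point rather than a way to skip verification.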