diff --git a/epel-rpm-macros.spec b/epel-rpm-macros.spec index e8563fa..fd3301c 100644 --- a/epel-rpm-macros.spec +++ b/epel-rpm-macros.spec @@ -1,6 +1,6 @@ Name: epel-rpm-macros Version: 8 -Release: 3 +Release: 4 Summary: Extra Packages for Enterprise Linux RPM macros Group: System Environment/Base @@ -12,6 +12,7 @@ License: GPLv2 URL: http://download.fedoraproject.org/pub/epel Source0: macros.epel-rpm-macros Source1: macros.zzz-epel-override +Source2: gpgverify Source9: GPL BuildArch: noarch @@ -41,13 +42,20 @@ install -Dpm 644 %{SOURCE0} \ install -Dpm 644 %{SOURCE1} \ %buildroot/etc/rpm/macros.zzz-epel-override +install -Dpm 755 %{SOURCE2} \ + %{buildroot}%{_rpmconfigdir}/gpgverify + %files %license GPL /usr/lib/rpm/macros.d/macros.epel-rpm-macros /etc/rpm/macros.zzz-epel-override +%{_rpmconfigdir}/gpgverify %changelog +* Wed Oct 30 2019 Orion Poplawski - 8-4 +- Add gpgverify macro and script + * Mon Oct 21 2019 Miro HronĨok - 8-3 - Make sure EPEL8's Python 3 packages use /usr/bin/python3.6 instead of /usr/libexec/platform-python diff --git a/gpgverify b/gpgverify new file mode 100755 index 0000000..1673549 --- /dev/null +++ b/gpgverify @@ -0,0 +1,116 @@ +#!/bin/bash + +# Copyright 2018 B. Persson, Bjorn@Rombobeorn.se +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + + +function print_help { + cat <<'EOF' +Usage: gpgverify --keyring= --signature= --data= + +gpgverify is a wrapper around gpgv designed for easy and safe scripting. It +verifies a file against a detached OpenPGP signature and a keyring. The keyring +shall contain all the keys that are trusted to certify the authenticity of the +file, and must not contain any untrusted keys. + +The differences, compared to invoking gpgv directly, are that gpgverify accepts +the keyring in either ASCII-armored or unarmored form, and that it will not +accidentally use a default keyring in addition to the specified one. + +Parameters: + --keyring= keyring with all the trusted keys and no others + --signature= detached signature to verify + --data= file to verify against the signature +EOF +} + + +fatal_error() { + message="$1" # an error message + status=$2 # a number to use as the exit code + echo "gpgverify: $message" >&2 + exit $status +} + + +require_parameter() { + term="$1" # a term for a required parameter + value="$2" # Complain and terminate if this value is empty. + if test -z "${value}" ; then + fatal_error "No ${term} was provided." 2 + fi +} + + +check_status() { + action="$1" # a string that describes the action that was attempted + status=$2 # the exit code of the command + if test $status -ne 0 ; then + fatal_error "$action failed." $status + fi +} + + +# Parse the command line. +keyring= +signature= +data= +for parameter in "$@" ; do + case "${parameter}" in + (--help) + print_help + exit + ;; + (--keyring=*) + keyring="${parameter#*=}" + ;; + (--signature=*) + signature="${parameter#*=}" + ;; + (--data=*) + data="${parameter#*=}" + ;; + (*) + fatal_error "Unknown parameter: \"${parameter}\"" 2 + ;; + esac +done +require_parameter 'keyring' "${keyring}" +require_parameter 'signature' "${signature}" +require_parameter 'data file' "${data}" + +# Make a temporary working directory. +workdir="$(mktemp --directory)" +check_status 'Making a temporary directory' $? +workring="${workdir}/keyring.gpg" + +# Decode any ASCII armor on the keyring. This is harmless if the keyring isn't +# ASCII-armored. +gpg2 --homedir="${workdir}" --yes --output="${workring}" --dearmor "${keyring}" +check_status 'Decoding the keyring' $? + +# Verify the signature using the decoded keyring. +gpgv2 --homedir="${workdir}" --keyring="${workring}" "${signature}" "${data}" +check_status 'Signature verification' $? + +# (--homedir isn't actually necessary. --dearmor processes only the input file, +# and if --keyring is used and contains a slash, then gpgv2 uses only that +# keyring. Thus neither command will look for a default keyring, but --homedir +# makes extra double sure that no default keyring will be touched in case +# another version of GPG works differently.) + +# Clean up. (This is not done in case of an error that may need inspection.) +rm --recursive --force ${workdir} diff --git a/macros.epel-rpm-macros b/macros.epel-rpm-macros index 745946c..7aea262 100644 --- a/macros.epel-rpm-macros +++ b/macros.epel-rpm-macros @@ -19,3 +19,6 @@ # Use the non-underscored Python macros to refer to Python in spec, etc. %python2 %__python2 %python3 %__python3 + +# gpgverify verifies signed sources. There is documentation in the script. +%gpgverify %{_rpmconfigdir}/gpgverify