From cb4378cf142fa1f560d8b0a9ea72d637e0ebcb07 Mon Sep 17 00:00:00 2001 From: Daniel P. Berrangé Date: Jan 09 2024 17:49:01 +0000 Subject: Add gpg verification of sources Signed-off-by: Daniel P. Berrangé --- diff --git a/.gitignore b/.gitignore index 1563109..9faf207 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ /x86_64/ /*.src.rpm /qemu-*.tar.xz +/qemu-*.tar.xz.sig diff --git a/gpgkey-CEACC9E15534EBABB82D3FA03353C9CEF108B584.gpg b/gpgkey-CEACC9E15534EBABB82D3FA03353C9CEF108B584.gpg new file mode 100644 index 0000000..a2590c0 Binary files /dev/null and b/gpgkey-CEACC9E15534EBABB82D3FA03353C9CEF108B584.gpg differ diff --git a/qemu.spec b/qemu.spec index b93dac5..f5b1f4f 100644 --- a/qemu.spec +++ b/qemu.spec @@ -367,7 +367,11 @@ Epoch: 2 License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND FSFAP AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-2.0-or-later WITH GCC-exception-2.0 AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-Fedora-Public-Domain AND CC-BY-3.0 URL: http://www.qemu.org/ -Source0: https://download.qemu.org/%{name}-%{version}%{?rcstr}.tar.xz +%global dlurl https://download.qemu.org + +Source0: %{dlurl}/%{name}-%{version}%{?rcstr}.tar.xz +Source1: %{dlurl}/https://download.qemu.org/%{name}-%{version}%{?rcstr}.tar.xz.sig +Source2: gpgkey-CEACC9E15534EBABB82D3FA03353C9CEF108B584.gpg # https://patchwork.kernel.org/project/qemu-devel/patch/20231128143647.847668-1-crobinso@redhat.com/ # Fix pvh.img ld build failure on fedora rawhide @@ -388,6 +392,7 @@ Source30: kvm-s390x.conf Source31: kvm-x86.conf Source36: README.tests +BuildRequires: gnupg2 BuildRequires: meson >= %{meson_version} BuildRequires: bison BuildRequires: flex @@ -1497,6 +1502,8 @@ This package provides the QEMU system emulator for Xtensa boards. %prep +gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} + %autosetup -n qemu-%{version}%{?rcstr} -S git_am %global qemu_kvm_build qemu_kvm_build 
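Review bot: The new `Source1` line in the first qemu.spec hunk repeats the download host: `%{dlurl}/https://download.qemu.org/%{name}-%{version}%{?rcstr}.tar.xz.sig` expands to `https://download.qemu.org/https://download.qemu.org/...`, which cannot be fetched. The build still passes because rpm resolves `%{SOURCE1}` by basename. The mistake would only surface when someone downloads sources from the spec for the next release (for example with `spectool -g`) and gets no signature to verify. It should read `Source1: %{dlurl}/%{name}-%{version}%{?rcstr}.tar.xz.sig`. A one-line comment above `Source2` saying where the key was obtained, and that the filename carries its full fingerprint, would let a later reviewer re-check the key independently.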
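Review bot: The verification step added under `%prep` calls `gpgv2` with three positional arguments instead of using the `%{gpgverify}` macro that the Fedora packaging guidelines provide for this. Writing it as `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` names each argument, so a swapped signature and data file is obvious in review, and it keeps working if the keyring is later replaced by an ASCII-armored export. Placement before `%autosetup` is right, since nothing is unpacked until the signature checks out. The check only binds the tarball to whichever key is committed in dist-git, so future changes to the `gpgkey-*.gpg` file need the same scrutiny as changes to `sources`.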
@@ -3128,6 +3135,7 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %changelog * Tue Jan 9 2024 Daniel P. Berrangé - 8.2.0-1 - Update to 8.2.0 release +- Add gpg verification of source tarball * Sat Dec 9 2023 Richard W.M. Jones - 2:8.2.0-0.3.rc2 - Further fix for Xen 4.18 diff --git a/sources b/sources index a38f0b3..ce81ee2 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ SHA512 (qemu-8.2.0.tar.xz) = 92ec41196ff145cdbb98948f6b6e43214fa4b4419554a8a1927fb4527080c8212ccb703e184baf8ee0bdfa50ad7a84689e8f5a69eba1bd7bbbdfd69e3b91256c +SHA512 (qemu-8.2.0.tar.xz.sig) = 05412219ab0ff145f56708f99bc60b378b2b9ef6fbf3c48bffd32a2952188b2ee34a798949b09d6d8fc9f2483094fa0e3b488f52f69508604747ad4e2960f302