From 27dae3930154047eb093ea17b571a5b9e459d08b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 30 2021 16:32:21 +0000 Subject: import redhat-rpm-config-125-1.el8 --- diff --git a/README.debrand b/README.debrand deleted file mode 100644 index 01c46d2..0000000 --- a/README.debrand +++ /dev/null @@ -1,2 +0,0 @@ -Warning: This package was configured for automatic debranding, but the changes -failed to apply. diff --git a/SOURCES/gpgverify b/SOURCES/gpgverify new file mode 100755 index 0000000..524a396 --- /dev/null +++ b/SOURCES/gpgverify @@ -0,0 +1,111 @@ +#!/bin/bash + +# Copyright 2018 B. Persson, Bjorn@Rombobeorn.se +# +# This material is provided as is, with absolutely no warranty expressed +# or implied. Any use is at your own risk. +# +# Permission is hereby granted to use or copy this shellscript +# for any purpose, provided the above notices are retained on all copies. +# Permission to modify the code and to distribute modified code is granted, +# provided the above notices are retained, and a notice that the code was +# modified is included with the above copyright notice. + + +function print_help { + cat <<'EOF' +Usage: gpgverify --keyring= --signature= --data= + +gpgverify is a wrapper around gpgv designed for easy and safe scripting. It +verifies a file against a detached OpenPGP signature and a keyring. The keyring +shall contain all the keys that are trusted to certify the authenticity of the +file, and must not contain any untrusted keys. + +The differences, compared to invoking gpgv directly, are that gpgverify accepts +the keyring in either ASCII-armored or unarmored form, and that it will not +accidentally use a default keyring in addition to the specified one. + +Parameters: + --keyring= keyring with all the trusted keys and no others + --signature= detached signature to verify + --data= file to verify against the signature +EOF +} + + +fatal_error() { + message="$1" # an error message + status=$2 # a number to use as the exit code + echo "gpgverify: $message" >&2 + exit $status +} + + +require_parameter() { + term="$1" # a term for a required parameter + value="$2" # Complain and terminate if this value is empty. + if test -z "${value}" ; then + fatal_error "No ${term} was provided." 2 + fi +} + + +check_status() { + action="$1" # a string that describes the action that was attempted + status=$2 # the exit code of the command + if test $status -ne 0 ; then + fatal_error "$action failed." $status + fi +} + + +# Parse the command line. +keyring= +signature= +data= +for parameter in "$@" ; do + case "${parameter}" in + (--help) + print_help + exit + ;; + (--keyring=*) + keyring="${parameter#*=}" + ;; + (--signature=*) + signature="${parameter#*=}" + ;; + (--data=*) + data="${parameter#*=}" + ;; + (*) + fatal_error "Unknown parameter: \"${parameter}\"" 2 + ;; + esac +done +require_parameter 'keyring' "${keyring}" +require_parameter 'signature' "${signature}" +require_parameter 'data file' "${data}" + +# Make a temporary working directory. +workdir="$(mktemp --directory)" +check_status 'Making a temporary directory' $? +workring="${workdir}/keyring.gpg" + +# Decode any ASCII armor on the keyring. This is harmless if the keyring isn't +# ASCII-armored. +gpg2 --homedir="${workdir}" --yes --output="${workring}" --dearmor "${keyring}" +check_status 'Decoding the keyring' $? + +# Verify the signature using the decoded keyring. +gpgv2 --homedir="${workdir}" --keyring="${workring}" "${signature}" "${data}" +check_status 'Signature verification' $? + +# (--homedir isn't actually necessary. --dearmor processes only the input file, +# and if --keyring is used and contains a slash, then gpgv2 uses only that +# keyring. Thus neither command will look for a default keyring, but --homedir +# makes extra double sure that no default keyring will be touched in case +# another version of GPG works differently.) + +# Clean up. (This is not done in case of an error that may need inspection.) +rm --recursive --force ${workdir} diff --git a/SOURCES/macros.fedora-misc b/SOURCES/macros.fedora-misc new file mode 100644 index 0000000..1dcbfbe --- /dev/null +++ b/SOURCES/macros.fedora-misc @@ -0,0 +1,79 @@ +# Some miscellaneous Fedora-related macros + +# List files matching inclusion globs, excluding files matching exclusion blogs +# Optional parameters: +# – -i "" inclusion globs +# – -x "" exclusion globs +# Globs are space-separated lists of shell globs. Such lists require %{quote:} +# use for safe rpm argument passing. +# Alternatively, set the following rpm variables before calling the macro: +# – “listfiles_include” inclusion globs +# — “listfiles_exclude” exclusion globs +# Arguments passed to the macro without flags will be interpreted as inclusion +# globs. +%listfiles(i:x:) %{expand: +%if %{lua: print(string.len(rpm.expand("%{?-i*}%{?listfiles_include}%*")))} + listfiles_include=$(realpath -e --relative-base=. %{?-i*} %{?listfiles_include} %* | sort -u) + %if %{lua: print(string.len(rpm.expand("%{?-x*}%{?listfiles_exclude}")))} + while IFS= read -r finc ; do + realpath -qe --relative-base=. %{?-x*} %{?listfiles_exclude} \\ + | sort -u | grep -q "${finc}" || echo "${finc}" + done <<< "${listfiles_include}" + %else + echo "${listfiles_include}" + %endif +%endif +} + +# https://github.com/rpm-software-management/rpm/issues/581 +# Write the contents of a list of rpm variables to a macro file. +# The target file must contain the corresponding anchors. +# For example %writevars -f myfile foo bar will replace: +# @@FOO@@ with the rpm evaluation of %{foo} and +# @@BAR@@ with the rpm evaluation of %{bar} +# in myfile +%writevars(f:) %{lua: +local fedora = require "fedora.common" +local macrofile = rpm.expand("%{-f*}") +local rpmvars = {} +for i = 1, rpm.expand("%#") do + table.insert(rpmvars, rpm.expand("%" .. i)) +end +fedora.writevars(macrofile,rpmvars) +} + +# gpgverify verifies signed sources. There is documentation in the script. +%gpgverify(k:s:d:) %{lua: +local script = rpm.expand("%{_rpmconfigdir}/redhat/gpgverify ") +local keyring = rpm.expand("%{-k*}") +local signature = rpm.expand("%{-s*}") +local data = rpm.expand("%{-d*}") +print(script) +if keyring ~= "" then + print(rpm.expand("--keyring='%{SOURCE" .. keyring .. "}' ")) +end +if signature ~= "" then + print(rpm.expand("--signature='%{SOURCE" .. signature .. "}' ")) +end +if data ~= "" then + print(rpm.expand("--data='%{SOURCE" .. data .. "}' ")) +end +} + +# gpgverify verifies signed sources. There is documentation in the script. +%gpgverify(k:s:d:) %{lua: +local script = rpm.expand("%{_rpmconfigdir}/redhat/gpgverify ") +local keyring = rpm.expand("%{-k*}") +local signature = rpm.expand("%{-s*}") +local data = rpm.expand("%{-d*}") +print(script) +if keyring ~= "" then + print(rpm.expand("--keyring='%{SOURCE" .. keyring .. "}' ")) +end +if signature ~= "" then + print(rpm.expand("--signature='%{SOURCE" .. signature .. "}' ")) +end +if data ~= "" then + print(rpm.expand("--data='%{SOURCE" .. data .. "}' ")) +end +} diff --git a/SOURCES/macros.kernel-srpm b/SOURCES/macros.kernel-srpm new file mode 100644 index 0000000..c7110f6 --- /dev/null +++ b/SOURCES/macros.kernel-srpm @@ -0,0 +1,3 @@ +# kernel_arches lists what arches the full kernel is built for. + +%kernel_arches x86_64 s390x ppc64le aarch64 %{arm} diff --git a/SPECS/redhat-rpm-config.spec b/SPECS/redhat-rpm-config.spec index 7f8b443..458fc6e 100644 --- a/SPECS/redhat-rpm-config.spec +++ b/SPECS/redhat-rpm-config.spec @@ -6,7 +6,7 @@ Summary: Red Hat specific rpm configuration files Name: redhat-rpm-config -Version: 123 +Version: 125 Release: 1%{?dist} # No version specified. License: GPL+ @@ -45,6 +45,8 @@ Source151: macros.kmp Source152: macros.vpath Source153: macros.forge Source154: macros.ldconfig +Source155: macros.kernel-srpm +Source156: macros.fedora-misc # Build policy scripts # this comes from https://github.com/rpm-software-management/rpm/pull/344 @@ -65,6 +67,7 @@ Source400: dist.sh Source401: rpmsort Source402: symset-table Source403: kmodtool +Source404: gpgverify # 2016-10-02 snapshots from http://git.savannah.gnu.org/gitweb/?p=config.git Source500: config.guess @@ -143,6 +146,7 @@ install -p -m 444 -t %{buildroot}%{rrcdir} redhat-hardened-* install -p -m 444 -t %{buildroot}%{rrcdir} redhat-annobin-* install -p -m 755 -t %{buildroot}%{rrcdir} config.* install -p -m 755 -t %{buildroot}%{rrcdir} dist.sh rpmsort symset-table kmodtool +install -p -m 755 -t %{buildroot}%{rrcdir} gpgverify install -p -m 755 -t %{buildroot}%{rrcdir} brp-* install -p -m 755 -t %{buildroot}%{rrcdir} find-* @@ -168,6 +172,7 @@ install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh %{rrcdir}/brp-mangle-shebangs %{rrcdir}/brp-ldconfig %{rrcdir}/dist.sh +%{rrcdir}/gpgverify %{rrcdir}/redhat-hardened-* %{rrcdir}/redhat-annobin-* %{rrcdir}/config.* @@ -181,6 +186,8 @@ install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh %{_rpmconfigdir}/macros.d/macros.forge %{_rpmconfigdir}/macros.d/macros.ldconfig %{_rpmconfigdir}/macros.d/macros.vpath +%{_rpmconfigdir}/macros.d/macros.kernel-srpm +%{_rpmconfigdir}/macros.d/macros.fedora-misc %{_rpmconfigdir}/kabi.sh %doc buildflags.md @@ -198,6 +205,13 @@ install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh %{_rpmconfigdir}/macros.d/macros.kmp %changelog +* Fri Nov 27 2020 Florian Festi - 125-1 +- Add missing macros.fedora-misc file (#1874576) + +* Mon Nov 09 2020 Florian Festi - 124-1 +- Add macros.kernel-srpm (#1874578) +- Added gpgverify (#1874576) + * Tue Jun 16 2020 Florian Festi - 123-1 - Update kmod.prov for better performance (#1794491) - Backport performance improvements for brp-mangle-shebangs (#1794779)