Maintained by tibbs
Some RPM macros for simplifying GPG signature verification of upstream sources
Björn Persson committed 6 years ago

The %gpg_verify macro

This provides a macro, %gpg_verify, which will call gpg2/gpgv2 as appropriate to verify the signatures on source files. The files to be checked, signatures, and keyring(s) are listed in the spec with Source: tags. The macro can automatically determine which Source: files contain sources, signatures and a keyring, or it can be passed the numbers or names of the Source: entries to check.

ASCII-armored signatures and keyrings can be identified reliably. Unarmored signatures and keyrings will be found automatically only if they have certain filename suffixes, as their file formats aren't easily recognized.

A separate macro file containing a redefinition of %autosetup is also provided which will, by default, run %gpg_verify in automatic mode before unpacking the sources.

How to call %gpg_verify

%gpg_verify [-k keyring] [source,signature[,keyring]] ...
-k keyring Specify a common keyring to verify all signatures against, except when an argument specifies its own keyring.

keyring, source and signature are either source numbers or filenames. A pathname including directories is not allowed.

If one or more arguments were given, they are taken either as source,signature pairs or source,signature,keyring triples. When an argument specifies a keyring, that signature will be verified against the keys in that keyring. For arguments that don't specify a keyring, the common keyring specified with the -k option will be used, if any. If -k isn't given, %gpg_verify will attempt to locate a keyring among the Source: files. The first source file that contains BEGIN PGP PUBLIC KEY BLOCK in the beginning or has a name ending in .gpg will be used as the common keyring. If none is found, the package build will be aborted. Then all provided signatures are verified by calling gpg2 as necessary to dearmor, and gpgv2 to verify. If any verifications fail, the package build will be aborted.

If no arguments were given (called "automatic mode"), %gpg_verify will attempt to locate signatures in the provided Source: files. Any source file that contains BEGIN PGP SIGNATURE in the beginning or is named ending with .sig will be considered a signature. For each signature found, the macro will attempt to locate a matching source file by trimming the final file extension from the signature filename. If no matching source was found, the package build will be aborted. Then the paired signatures and source files are verified using the keyring specified with -k, if any, or else the first one found, and the package build will be aborted if any verifications fail.

In all cases it is assumed that all the keys in all keyrings, whether automatically found or explicitly specified, are trusted to authenticate the source files. gpgv2 performs no web-of-trust evaluation: every key present in the keyring it is given is accepted as authentic, so a valid signature from any of them passes verification. There must not be any untrusted keys included; a keyring should contain only the upstream release keys that have been verified out of band.
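A spec fragment tying together the Source: conventions described above and both calling modes of %gpg_verify. This is an added example, not a spec from the gpg_verify repository; the package name, URLs, version and keyring filenames are placeholders, and the only assumption beyond the text above is that the gpg_verify macro file is installed on the build host.

```spec
# Added example, not part of the gpg_verify repository.  Package name,
# URLs, version and keyring filenames are placeholders.
Name:           example
Version:        1.2.3
Release:        1%{?dist}
Summary:        Demonstrates verifying upstream tarballs with %%gpg_verify
License:        MIT

# Source0/Source1 form a source,signature pair.  The signature is the
# source filename plus ".sig", so automatic mode can pair them by
# trimming the final extension.
Source0:        https://example.org/releases/example-%{version}.tar.xz
Source1:        https://example.org/releases/example-%{version}.tar.xz.sig
# A second tarball, signed by a different upstream key.  Its detached
# signature is ASCII-armored (.asc), which is recognized by content
# ("BEGIN PGP SIGNATURE") rather than by suffix.
Source2:        https://example.org/releases/example-data-%{version}.tar.gz
Source3:        https://example.org/releases/example-data-%{version}.tar.gz.asc
# Keyrings shipped alongside the spec by the packager.  Every key in
# them is trusted to authenticate the sources, so they must hold only
# upstream release keys that were verified out of band.
Source4:        example-release-key.gpg
Source5:        example-data-key.asc

%description
Placeholder package showing how %%gpg_verify is called from %%prep.

%prep
# Explicit mode.  -k 4 makes Source4 the common keyring; the pair "0,1"
# is checked against it.  The triple "2,3,5" supplies its own keyring
# (Source5), overriding the common one for that signature.  Source
# numbers are used here; the corresponding filenames work as well.
%gpg_verify -k 4 0,1 2,3,5

# Automatic mode would be a bare "%%gpg_verify": Source1 and Source3 are
# detected as signatures, paired with Source0 and Source2 by trimming
# the final extension, and all checked against the first keyring found
# (Source4, by its .gpg suffix).  That would fail for Source3 unless its
# key were also present in Source4, which is why explicit mode is used
# here.  Any failed verification aborts the build before %%setup runs.
%setup -q
```

With the optional %autosetup redefinition installed, a spec with a single keyring could instead drop the explicit %gpg_verify line and let `%autosetup` run the automatic mode itself; the explicit form above is needed whenever different sources are signed with keys kept in separate keyrings.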

Testing the macro

A sample spec is provided which will test various aspects of the macro. Note that this spec is intended to be used as a test and example of multiple different calling conventions, but in regular use the macro will almost never be used more than once. The spec contains some Lua code to manipulate internal RPM state which exists only to facilitate testing and isn't anything you'd ever have to do in your own packages.

To execute the tests, run the get-sources script to download the source files, signatures and keys needed for the tests to function. After that, you should be able to run fedpkg prep in this directory. This will run several tests and will be rather verbose, but you should be able to see multiple gpg verifications in the output.

Please file issues for any problems you find.