This provides a macro,
%gpg_verify, which will call gpg2/gpgv2 as
appropriate to verify the signatures on source files. The files to be checked,
signatures, and keyring(s) are listed in the spec with Source: tags. The macro
can automatically determine which Source: files contain sources, signatures and
a keyring, or it can be passed the numbers or names of the Source: entries to check.
ASCII-armored signatures and keyrings can be identified reliably. Unarmored signatures and keyrings will be found automatically only if they have certain filename suffixes, as their file formats aren't easily recognized.
A separate macro file containing a redifinition of
%autosetup is also
provided which will, by default, run
%gpg_verify in automatic mode.
%gpg_verify[-k keyring] [source,signature[,keyring]] ...
|-k keyring||Specify a common keyring to verify all signatures against, except when an argument specifies its own keyring.|
keyring, source and signature are either source numbers or filenames. A pathname including directories is not allowed.
If one or more arguments were given, they are taken either as
source,signature pairs or
source,signature,keyring triples. When an
argument specifies a keyring, that signature will be verified against the keys
in that keyring. For arguments that don't specify a keyring, the common
keyring specified with the
-k option will be used, if any. If
%gpg_verify will attempt to locate a keyring among the Source:
files. The first source file that contains
BEGIN PGP PUBLIC KEY BLOCK in
the beginning or has a name ending in
.gpg will be used as the common
keyring. If none is found, the package build will be aborted. Then all
provided signatures are verified by calling gpg2 as necessary to dearmor, and
gpgv2 to verify. If any verifications fail, the package build will be aborted.
If no arguments were given (called "automatic mode"),
attempt to locate signatures in the provided Source: files. Any source file
BEGIN PGP SIGNATURE in the beginning or is named ending with
.sig will be considered a signature. For each signature found, the macro
will attempt to locate a matching source file by trimming the final file
extension from the signature filename. If no matching source was found, the
package build will be aborted. Then the paired signatures and source files are
verified using the keyring specified with
-k, if any, or else the first one
found, and the package build will be aborted if any verifications fail.
In all cases it is assumed that all the keys in all keyrings, whether automatically found or explicitly specified, are trusted to authenticate the source files. There must not be any untrusted keys included.
A sample spec is provided which will test various aspects of the macro. Note that this spec is intended to be used as a test and example of multiple different calling conventions, but in regular use the macro will almost never be used more than once. The spec contains some Lua code to manipulate internal RPM state which exists only to facilitate testing and isn't anything you'd ever have to do in your own packages.
To execute the tests, run the get-sources script to download some source files, signatures and keys needed for the tests to function.. After that, you should be able to fedpkg prep in this directory. This will run several tests and will be rather verbose, but you shoujld be able to see multiple gpg verifications in the output.
Please file issues for any problems you find.