| |
@@ -121,7 +121,7 @@
|
| |
|
| |
== Source File Verification
|
| |
|
| |
- Where the upstream project publishes OpenPGP signatures of their releases,
|
| |
+ Where the upstream project publishes OpenPGP or Minisign/Signify signatures of their releases,
|
| |
Fedora packages *SHOULD* verify that signature as part of the RPM build process.
|
| |
|
| |
Although a checksum in the sources file certifies that a file retreived from the lookaside cache is the one that the packager uploaded,
|
| |
@@ -131,12 +131,13 @@
|
| |
|
| |
=== Obtaining the Correct Keys
|
| |
|
| |
- The verification method requires an OpenPGP keyring file
|
| |
+ For OpenPGP the verification method requires an OpenPGP keyring file
|
| |
with one or more public keys from the upstream project.
|
| |
The keyring shall contain all the keys that are trusted to certify the authenticity of the sources,
|
| |
- and *MUST NOT* contain any other keys.
|
| |
+ and *MUST NOT* contain any other keys. For Minisign/Signify the public key of
|
| |
+ the signer is required.
|
| |
|
| |
- Ideally the upstream project publishes such a keyring as a downloadable file.
|
| |
+ Ideally the upstream project publishes such a keyring or public key as a downloadable file.
|
| |
You shall download that file
|
| |
and do everything you reasonably can to verify that it is authentic.
|
| |
Then you shall add it unmodified to the package SCM,
|
| |
@@ -154,17 +155,18 @@
|
| |
When source file verification is done,
|
| |
it *MUST* be done first in the `%prep` section of the spec file,
|
| |
before any potentially compromised code is executed.
|
| |
- The verification *MUST* be done with the macro `+%{gpgverify}+`,
|
| |
+ For PGP the verification *MUST* be done with the macro `+%{gpgverify}+`,
|
| |
which expands into a command
|
| |
whose parameters shall be the pathnames of the keyring, the signature and the signed file.
|
| |
- `BuildRequires: gnupg2` is necessary for the verification to work.
|
| |
+ `BuildRequires: gnupg2` is necessary for the verification to work. For Minisign/Signify
|
| |
+ signatures, `BuildRequires: minisign` is required.
|
| |
|
| |
Any detached signature file
|
| |
- (e.g. foo.tar.gz.asc or foo.tar.gz.sig)
|
| |
+ (e.g. foo.tar.gz.asc, foo.tar.gz.sig, foo.tar.gz.minisig)
|
| |
must be uploaded to the package lookaside cache alongside the source code,
|
| |
while the keyring must be committed directly to the package SCM.
|
| |
|
| |
- The following format must be used:
|
| |
+ The following format must be used for PGP:
|
| |
|
| |
....
|
| |
Source0: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz
|
| |
@@ -177,18 +179,31 @@
|
| |
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
|
| |
....
|
| |
|
| |
+ For Minisign/Signify:
|
| |
+
|
| |
+ ....
|
| |
+ Source0: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz
|
| |
+ Source1: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz.minisig
|
| |
+ Source2: https://www.example.com/20190721.minisign.pub
|
| |
+ …
|
| |
+ BuildRequires: minisign
|
| |
+ …
|
| |
+ %prep
|
| |
+ /usr/bin/minisign -V -m %{SOURCE0} -x %{SOURCE1} -p %{SOURCE2}
|
| |
+ ....
|
| |
+
|
| |
The first source is the actual tarball,
|
| |
the second one is the signature from upstream,
|
| |
- and the third one is the keyring.
|
| |
+ and the third one is the keyring or public key.
|
| |
|
| |
=== Exceptions
|
| |
If the upstream tarball of a package needs to be modified,
|
| |
for example because it contains forbidden items,
|
| |
then the tarball cannot be verified as part of the build process.
|
| |
- In this case the upstream OpenPGP keyring must still be included in the package SCM
|
| |
+ In this case the upstream OpenPGP keyring/public key must still be included in the package SCM
|
| |
and the instructions/script used to build the stripped-down tarball needs to verify the upstream source.
|
| |
|
| |
- If the upstream project does not publish a keyring file
|
| |
+ For PGP, if the upstream project does not publish a keyring file
|
| |
(for example if they publish only a fingerprint on their website
|
| |
and refer to a keyserver network for downloading the key),
|
| |
then you may need to create a keyring after you have verified the key.
|
| |
fkooman
commented 4 years ago
As per https://lists.fedoraproject.org/archives/list/packaging@lists.fedoraproject.org/thread/WNR34OH3KVPKMGY4Z62CUPREEOVJJJNH/