From: Joel Capitao <jcapitao@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/python-automaton] epel10: Implement sources verification using upstream gpg signature
Date: Sun, 31 May 2026 14:45:50 GMT
Message-ID: <178023875024.1.8842863594169722265.rpms-python-automaton-628236e5b5d5@fedoraproject.org>

            A new commit has been pushed.

            Repo   : rpms/python-automaton
            Branch : epel10
            Commit : 628236e5b5d5973b336ef80b4ba299bc835b3135
            Author : Joel Capitao <jcapitao@redhat.com>
            Date   : 2021-03-17T18:08:57+01:00
            Stats  : +25/-2 in 3 file(s)
            URL    : https://src.fedoraproject.org/rpms/python-automaton/c/628236e5b5d5973b336ef80b4ba299bc835b3135?branch=epel10

            Log:
            Implement sources verification using upstream gpg signature

According to Fedora packaging guidelines [1], "Where the upstream project
publishes OpenPGP signatures of their releases, Fedora packages should
verify that signature as part of the RPM build process".

This is the case for OpenStack packages, as tarballs are gpg signed when
released [2][3].

This patch is implementing signature verification when building using
release tarballs in CBS, not in DLRN based builds. However, signature
verification can also be disabled manually for CBS builds by setting
sources_gpg macro to 0 manually.

[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
[2] https://docs.opendev.org/opendev/system-config/latest/signing.html
[3] https://releases.openstack.org/#cryptographic-signatures

---
diff --git a/.gitignore b/.gitignore
index 2539a09..ac32b80 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,6 @@
 /automaton-1.17.0.tar.gz
 /automaton-2.0.1.tar.gz
 /automaton-2.2.0.tar.gz
+/automaton-2.3.0.tar.gz
+/automaton-2.3.0.tar.gz.asc
+/0x5d2d1e4fb8d38e6af76c50d53d4fec30cf5ce3da.txt

diff --git a/python-automaton.spec b/python-automaton.spec
index b15805b..3dc5990 100644
--- a/python-automaton.spec
+++ b/python-automaton.spec
@@ -1,3 +1,5 @@
+%{!?sources_gpg: %{!?dlrn:%global sources_gpg 1} }
+%global sources_gpg_sign 0x5d2d1e4fb8d38e6af76c50d53d4fec30cf5ce3da
 %{!?upstream_version: %global upstream_version %{version}%{?milestone}}
 %global pypi_name automaton
 
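Review bot: the default in `%{!?sources_gpg: %{!?dlrn:%global sources_gpg 1} }` leaves `sources_gpg` undefined whenever `dlrn` is set, so `0%{?sources_gpg} == 1` is false and verification is skipped without any value visible to `rpm --eval`; consider defining it explicitly to 0 in the dlrn case (`%{!?sources_gpg: %{?dlrn:%global sources_gpg 0}%{!?dlrn:%global sources_gpg 1}}`) so the intent is readable. `sources_gpg_sign` pins a full 40-hex fingerprint, which is the right granularity; since the build itself only checks the SHA512 of the downloaded key file recorded in `sources`, the reviewer should confirm that fingerprint against the OpenStack release signing key listed at [3] out of band.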
@@ -11,8 +13,20 @@ Summary:        Friendly state machines for python
 License:        ASL 2.0
 URL:            https://wiki.openstack.org/wiki/Oslo#automaton
 Source0:        https://pypi.io/packages/source/a/%{pypi_name}/%{pypi_name}-%{version}.tar.gz
+# Required for tarball sources verification
+%if 0%{?sources_gpg} == 1
+Source101:        http://tarballs.openstack.org/%{pypi_name}/%{pypi_name}-%{upstream_version}.tar.gz.asc
+Source102:        https://releases.openstack.org/_static/%{sources_gpg_sign}.txt
+%endif
+
 BuildArch:      noarch
 
+# Required for tarball sources verification
+%if 0%{?sources_gpg} == 1
+BuildRequires:  /usr/bin/gpgv2
+BuildRequires:  openstack-macros
+%endif
+
 %description
 Friendly state machines for python.
 
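Review bot: Source101 fetches the detached signature over plain `http://tarballs.openstack.org/...` while Source0 and Source102 use https; a tampered `.asc` cannot pass verification, but it can turn a good tarball into a build failure, and the SHA512 pin in `sources` only catches that after the download, so use `https://` for consistency. Separately, `BuildRequires: openstack-macros` is added but no macro from it appears in this diff; a one-line comment saying why it is needed (or dropping it if `/usr/bin/gpgv2` plus `%{gpgverify}` suffices) would make the dependency intent clear.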
@@ -42,13 +56,17 @@ Friendly state machines for python (documentation)
 %endif
 
 %prep
+# Required for tarball sources verification
+%if 0%{?sources_gpg} == 1
+%{gpgverify}  --keyring=%{SOURCE102} --signature=%{SOURCE101} --data=%{SOURCE0}
+%endif
 %autosetup -n %{pypi_name}-%{upstream_version} -S git
 
 %build
 %{py3_build}
 
 %if 0%{?with_doc}
-# generate html docs 
+# generate html docs
 sphinx-build-3 -b html doc/source doc/build/html
 # remove the sphinx-build-3 leftovers
 rm -rf doc/build/html/.{doctrees,buildinfo}
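Review bot: running `%{gpgverify}` before `%autosetup` is the correct order, since the tarball is never unpacked until its signature has been checked against the pinned keyring; the remaining gap is that when `sources_gpg` is not 1 the `%if` block expands to nothing, so a DLRN build leaves no record that verification was skipped. Suggest an `%else` branch such as `echo "Skipping GPG verification of sources (sources_gpg != 1)"` so the build log shows which path was taken. The trailing-whitespace fix on `# generate html docs` is unrelated to this change and would normally go in its own commit.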

diff --git a/sources b/sources
index 5ed3136..4766562 100644
--- a/sources
+++ b/sources
@@ -1 +1,3 @@
-SHA512 (automaton-2.2.0.tar.gz) = 9b773ac93f17542800b93e36ca8b42ab522b2fb1c72d36256a62a37463e49e9f299fbdb9d4507b7f2a6cf678bbcd16fc86be9d20720acf0b254e1bacca4c0300
+SHA512 (automaton-2.3.0.tar.gz) = 3e832f2cbaa147b57bcef024873454dbcb4e800d3873f4f6e533b137e49fee3cfe39efdacbfd700819c8c5f09e61f14d2862efc0daa78f79ad0e6f9c75161f8e
+SHA512 (automaton-2.3.0.tar.gz.asc) = c1ea59b9131e1fe778487889bef841aa404f6b9dfed6ea94438d94db37cf6f65c43a57a2f5d5ce294c1a60d5c27419d8d134146b8404f1be1ddce41d60996ccc
+SHA512 (0x5d2d1e4fb8d38e6af76c50d53d4fec30cf5ce3da.txt) = de05d453914290e5a002d1202baa74d02f57f1b48a77f438b4bc0cc70d00ca4a8a022ed8c0d8c0cea54804eca564ade447cc70c30b8639464115aaf948285fdf
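Review bot: pinning the keyring file `0x5d2d1e4fb8d38e6af76c50d53d4fec30cf5ce3da.txt` by SHA512 protects its integrity for every rebuild, but it also makes the copy in the lookaside cache the trust root: if that file was uploaded from a tampered download, every later build would verify the tarball against the wrong key and still pass. The upload should be checked once against the fingerprint in the file name and the key list at [3], and that check recorded in the spec comment or changelog so future maintainers know it was done.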
