public inbox for git-commits@fedoraproject.org
* [rpms/python-automaton] epel10: Implement sources verification using upstream gpg signature
@ 2026-05-31 14:45 Joel Capitao
From: Joel Capitao @ 2026-05-31 14:45 UTC (permalink / raw)
  To: git-commits

            A new commit has been pushed.

            Repo   : rpms/python-automaton
            Branch : epel10
            Commit : 628236e5b5d5973b336ef80b4ba299bc835b3135
            Author : Joel Capitao <jcapitao@redhat.com>
            Date   : 2021-03-17T18:08:57+01:00
            Stats  : +25/-2 in 3 file(s)
            URL    : https://src.fedoraproject.org/rpms/python-automaton/c/628236e5b5d5973b336ef80b4ba299bc835b3135?branch=epel10

            Log:
            Implement sources verification using upstream gpg signature

According to Fedora packaging guidelines [1], "Where the upstream project
publishes OpenPGP signatures of their releases, Fedora packages should
verify that signature as part of the RPM build process".

This is the case for OpenStack packages, as tarballs are gpg signed when
released [2][3].

This patch is implementing signature verification when building using
release tarballs in CBS, not in DLRN based builds. However, signature
verification can also be disabled manually for CBS builds by setting
sources_gpg macro to 0 manually.

[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
[2] https://docs.opendev.org/opendev/system-config/latest/signing.html
[3] https://releases.openstack.org/#cryptographic-signatures

---
diff --git a/.gitignore b/.gitignore
index 2539a09..ac32b80 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,6 @@
 /automaton-1.17.0.tar.gz
 /automaton-2.0.1.tar.gz
 /automaton-2.2.0.tar.gz
+/automaton-2.3.0.tar.gz
+/automaton-2.3.0.tar.gz.asc
+/0x5d2d1e4fb8d38e6af76c50d53d4fec30cf5ce3da.txt
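Review bot: ignoring `/0x5d2d1e4fb8d38e6af76c50d53d4fec30cf5ce3da.txt` here means the public key is handled like a tarball (lookaside only), so nothing in the git history records the key's contents; only its SHA512 in `sources` does. Consider committing the key file to dist-git instead of the lookaside, so that a future key rotation shows up as a reviewable diff rather than as a changed hash.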

diff --git a/python-automaton.spec b/python-automaton.spec
index b15805b..3dc5990 100644
--- a/python-automaton.spec
+++ b/python-automaton.spec
@@ -1,3 +1,5 @@
+%{!?sources_gpg: %{!?dlrn:%global sources_gpg 1} }
+%global sources_gpg_sign 0x5d2d1e4fb8d38e6af76c50d53d4fec30cf5ce3da
 %{!?upstream_version: %global upstream_version %{version}%{?milestone}}
 %global pypi_name automaton
 
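Review bot: `%global sources_gpg_sign 0x5d2d...` is the trust root for every build with `sources_gpg` set, but nothing in the spec says whose key this is or when it is expected to change; add a comment naming the key (the OpenStack release signing key referenced from the signing page in the log) so the next packager can check it against the published fingerprint. Minor: the nested `%{!?sources_gpg: %{!?dlrn:%global sources_gpg 1} }` deserves a comment that DLRN builds leave the macro undefined, which is why every `%if 0%{?sources_gpg} == 1` below is false there, while an explicit `--define 'sources_gpg 0'` short-circuits the outer `%{!?...}` and does the same.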
@@ -11,8 +13,20 @@ Summary:        Friendly state machines for python
 License:        ASL 2.0
 URL:            https://wiki.openstack.org/wiki/Oslo#automaton
 Source0:        https://pypi.io/packages/source/a/%{pypi_name}/%{pypi_name}-%{version}.tar.gz
+# Required for tarball sources verification
+%if 0%{?sources_gpg} == 1
+Source101:        http://tarballs.openstack.org/%{pypi_name}/%{pypi_name}-%{upstream_version}.tar.gz.asc
+Source102:        https://releases.openstack.org/_static/%{sources_gpg_sign}.txt
+%endif
+
 BuildArch:      noarch
 
+# Required for tarball sources verification
+%if 0%{?sources_gpg} == 1
+BuildRequires:  /usr/bin/gpgv2
+BuildRequires:  openstack-macros
+%endif
+
 %description
 Friendly state machines for python.
 
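Review bot: Source101 is fetched over `http://` while Source0 and Source102 use `https://`; the bytes are pinned by `sources`, but packagers and spectool follow the URL, so use https if tarballs.openstack.org serves it. More important: Source0 is the PyPI sdist named with `%{version}`, whereas the signature (Source101) is the one published for the tarballs.openstack.org artifact named with `%{upstream_version}`. The check only passes because upstream uploads identical bytes to both places, and once `%{?milestone}` is non-empty the two file names diverge. Either fetch Source0 from tarballs.openstack.org as well, so signature and data come from the same publisher, or add a comment stating the assumption. The `# Required for tarball sources verification` comment is repeated verbatim three times in the spec; one explanation near the top of the file would do.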
@@ -42,13 +56,17 @@ Friendly state machines for python (documentation)
 %endif
 
 %prep
+# Required for tarball sources verification
+%if 0%{?sources_gpg} == 1
+%{gpgverify}  --keyring=%{SOURCE102} --signature=%{SOURCE101} --data=%{SOURCE0}
+%endif
 %autosetup -n %{pypi_name}-%{upstream_version} -S git
 
 %build
 %{py3_build}
 
 %if 0%{?with_doc}
-# generate html docs 
+# generate html docs
 sphinx-build-3 -b html doc/source doc/build/html
 # remove the sphinx-build-3 leftovers
 rm -rf doc/build/html/.{doctrees,buildinfo}
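Review bot: the ordering is right, `%{gpgverify}` runs before `%autosetup`, so nothing is unpacked before the signature checks out. Two nits: the double space after `%{gpgverify}`, and the trailing-whitespace fix to `# generate html docs` is unrelated to signature verification and would be cleaner as its own commit. Also confirm that the `%{gpgverify}` available on epel10 (here pulled in via `openstack-macros` rather than the base macros) accepts an ASCII-armored key file, since Source102 is the `.txt` export from releases.openstack.org rather than a binary `.gpg` keyring that `gpgv2 --keyring` could read directly.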

diff --git a/sources b/sources
index 5ed3136..4766562 100644
--- a/sources
+++ b/sources
@@ -1 +1,3 @@
-SHA512 (automaton-2.2.0.tar.gz) = 9b773ac93f17542800b93e36ca8b42ab522b2fb1c72d36256a62a37463e49e9f299fbdb9d4507b7f2a6cf678bbcd16fc86be9d20720acf0b254e1bacca4c0300
+SHA512 (automaton-2.3.0.tar.gz) = 3e832f2cbaa147b57bcef024873454dbcb4e800d3873f4f6e533b137e49fee3cfe39efdacbfd700819c8c5f09e61f14d2862efc0daa78f79ad0e6f9c75161f8e
+SHA512 (automaton-2.3.0.tar.gz.asc) = c1ea59b9131e1fe778487889bef841aa404f6b9dfed6ea94438d94db37cf6f65c43a57a2f5d5ce294c1a60d5c27419d8d134146b8404f1be1ddce41d60996ccc
+SHA512 (0x5d2d1e4fb8d38e6af76c50d53d4fec30cf5ce3da.txt) = de05d453914290e5a002d1202baa74d02f57f1b48a77f438b4bc0cc70d00ca4a8a022ed8c0d8c0cea54804eca564ade447cc70c30b8639464115aaf948285fdf
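Review bot: the SHA512 line for `0x5d2d1e4fb8d38e6af76c50d53d4fec30cf5ce3da.txt` is what actually pins the trust root, because the build verifies against whatever key file the lookaside hands back, and `%sources_gpg_sign` is only used to build the Source102 URL, never compared against the fingerprint of the key that was uploaded. Before merging, check that the uploaded key file carries exactly that fingerprint and that it matches the key published at https://releases.openstack.org/#cryptographic-signatures for this cycle. Dropping the 2.2.0 line is consistent with `.gitignore` and the version bump.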
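What the `%{gpgverify}` line in `%prep` does can be reproduced outside rpmbuild, which is useful for checking a tarball and key before uploading them to the lookaside. The script below is an added example, not part of this commit or of the openstack-macros project: it generates a throwaway signing key, "releases" a constructed tarball with a detached ASCII-armored signature, exports the public key in the same `0x<fingerprint>.txt` form the spec fetches, and then verifies the release the way the macro does (dearmor the key into a keyring, run `gpgv`). It also adds one step the spec does not have: it refuses the key file unless its fingerprint equals the pinned one. It assumes GnuPG 2.1.23 or newer (`gpg --show-keys`, `%no-protection`) and `gpgv2` or `gpgv` on PATH; the function names, file names and key identity are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the commit: reproduce the spec's %{gpgverify} step
# with a throwaway key. Assumes GnuPG 2.x (gpg, gpgv or gpgv2, gpgconf).
# Every file is constructed locally; nothing is downloaded.
set -eu

GPGV=$(command -v gpgv2 || command -v gpgv)

# Isolated GnuPG home so the example never touches the user's keyring.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

# norm FPR: strip an optional 0x prefix and lowercase, so the spec's
# "0x5d2d..." spelling compares equal to gpg's uppercase output.
norm() { printf '%s' "$1" | sed 's/^0x//' | tr 'A-F' 'a-f'; }

# check_release ARMORED_KEY DETACHED_SIG TARBALL EXPECTED_FPR
#   1. refuse the key file unless it carries the pinned fingerprint
#      (the spec only uses %sources_gpg_sign to build a URL; this compares it);
#   2. dearmor the .txt export into a binary keyring, as the macro does;
#   3. let gpgv verify the detached signature over the tarball.
# Exit status: 0 good signature, 2 wrong key, 1 bad or missing signature.
check_release() {
    keyfile=$1 sig=$2 data=$3 want=$4
    have=$(gpg --batch --with-colons --show-keys "$keyfile" 2>/dev/null \
           | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$(norm "$have")" = "$(norm "$want")" ] || return 2
    ring=$(mktemp)
    gpg --batch --yes --quiet --dearmor --output "$ring" "$keyfile"
    if "$GPGV" --keyring "$ring" "$sig" "$data" 2>/dev/null; then
        rm -f "$ring"; return 0
    fi
    rm -f "$ring"; return 1
}

# make_constructed_release DIR: generate a throwaway signing key, write a
# constructed tarball plus its detached armored signature into DIR, and export
# the public key as DIR/0x<fingerprint>.txt. Prints the key fingerprint.
make_constructed_release() {
    dir=$1
    gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Constructed Release Key
Name-Email: release@example.invalid
Expire-Date: 0
%commit
EOF
    fpr=$(gpg --batch --with-colons --list-keys release@example.invalid \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    gpg --batch --armor --export "$fpr" > "$dir/0x$(norm "$fpr").txt"
    printf 'constructed tarball payload\n' > "$dir/example-1.0.0.tar.gz"
    gpg --batch --yes --quiet --armor --detach-sign --local-user "$fpr" \
        --output "$dir/example-1.0.0.tar.gz.asc" "$dir/example-1.0.0.tar.gz"
    printf '%s\n' "$fpr"
}

# demo: good release verifies, tampered tarball is rejected.
demo() {
    dir=$(mktemp -d)
    fpr=$(make_constructed_release "$dir")
    pin="0x$(norm "$fpr")"
    tarball="$dir/example-1.0.0.tar.gz"
    if check_release "$dir/$pin.txt" "$tarball.asc" "$tarball" "$pin"; then
        echo "good signature from pinned key $pin"
    fi
    printf 'tampered\n' >> "$tarball"
    check_release "$dir/$pin.txt" "$tarball.asc" "$tarball" "$pin" \
        || echo "tampered tarball rejected with status $?"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh verify-release.sh --demo`. The fingerprint comparison is the part worth carrying into a spec or a pre-upload check: `gpgv` is happy with any key in the keyring it is given, so pinning only helps if something compares the key that was actually fetched against the fingerprint the packager intended.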
