
RFE: check GPG signatures #117

Open
jasontibbitts opened this issue Mar 24, 2016 · 4 comments

Comments

@jasontibbitts

There's currently a discussion about how to best check GPG signatures on tarballs in packages. Some think the keys should be checked into git and verified as part of the package build process, but there's some disagreement that this is the correct place.

One other possibility is that new-hotness checks signatures somehow when a new version is detected. Obviously something (either the package or anitya) would have to grow the ability to store the data necessary for something to actually verify the signature. I guess it could all be in anitya and thus this is the wrong place to file that ticket, but maybe not. Or maybe you'll think that this isn't a good place to do that, and we'll look to the other possibilities.

@tyll

tyll commented Apr 15, 2016

For Fedora IMHO the best approach is to store the information in dist-git as proposed here:
https://fedoraproject.org/wiki/PackagingDrafts:GPGSignatures

Then the-new-hotness can check the signature easily by running "fedpkg prep" or running the gpgv command from %setup.

@scfc
Contributor

scfc commented Jan 15, 2018

Note that the approach proposed by https://fedoraproject.org/wiki/PackagingDrafts:GPGSignatures is incompatible with the current the-new-hotness because it requires "local" sources à la:

Source0:        http://downloads.sourceforge.net/libhx/libHX-%{version}.tar.xz
Source1:        http://downloads.sourceforge.net/libhx/libHX-%{version}.tar.asc
Source2:        gpgkey-B56B8B9D9915AA8796EDC013DFFF2CDB19FC338D.gpg

gpgkey-B56B8B9D9915AA8796EDC013DFFF2CDB19FC338D.gpg will trigger a failure:

One or more of the specfile's Sources is not a valid URL so we cannot automatically build the new version for you. Please use a URL in your Source declarations if possible.

@tyll

tyll commented Jan 30, 2018

The error is triggered in this code:
https://github.com/fedora-infra/the-new-hotness/blob/develop/hotness/buildsys.py#L253

I would suggest that the check should be changed to verify that at least one Source-Tag contains a URL instead of requiring that all Source-Tags need to contain URLs. This is also required when we ship custom config files or a README.Fedora file. I might be able to provide a PR if this change would be ok with you.

@jeremycline
Member

@tyll, yeah, that's definitely a better approach.

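The relaxed Source check that tyll proposes above, written out as an added example (this is not code from the-new-hotness or from anyone in the thread). The spec fragment is constructed from the Source tags scfc quoted; the tag regex and the set of accepted URL schemes are assumptions.

```python
import re
from typing import List
from urllib.parse import urlparse

# Constructed spec fragment mirroring the thread: two remote sources plus a
# local GPG keyring file that has no URL (the case that trips the strict check).
SPEC_FRAGMENT = """\
Name:           libHX
Version:        3.22
Source0:        http://downloads.sourceforge.net/libhx/libHX-%{version}.tar.xz
Source1:        http://downloads.sourceforge.net/libhx/libHX-%{version}.tar.asc
Source2:        gpgkey-B56B8B9D9915AA8796EDC013DFFF2CDB19FC338D.gpg
"""

# Assumed tag shape: "Source", optional index, colon, whitespace, one token.
SOURCE_TAG = re.compile(r"^Source\d*\s*:\s*(?P<value>\S+)", re.IGNORECASE)
# Assumed set of schemes the-new-hotness could download from.
URL_SCHEMES = {"http", "https", "ftp"}


def source_values(spec_text: str) -> List[str]:
    """Return the value of every Source tag, in file order."""
    values = []
    for line in spec_text.splitlines():
        match = SOURCE_TAG.match(line)
        if match:
            values.append(match.group("value"))
    return values


def is_url(value: str) -> bool:
    """True when the value has an accepted scheme and a host part."""
    parsed = urlparse(value)
    return parsed.scheme in URL_SCHEMES and bool(parsed.netloc)


def all_sources_are_urls(spec_text: str) -> bool:
    """The strict rule described in the thread: every Source must be a URL."""
    values = source_values(spec_text)
    return bool(values) and all(is_url(v) for v in values)


def any_source_is_url(spec_text: str) -> bool:
    """The relaxed rule tyll suggests: at least one Source must be a URL."""
    return any(is_url(v) for v in source_values(spec_text))
```

With the fragment above, the strict rule rejects the package because of the keyring file, while the relaxed rule still accepts it; a spec whose only Source is a local README.Fedora is rejected by both.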
@Zlopez Zlopez added this to the 0.12.0 milestone Feb 21, 2019
@Zlopez Zlopez removed this from the 0.13.0 milestone Jan 23, 2020