Upgrade openssl tarball
======================

Sometimes you need also update openssl source code tarball when
upgrading EDK2 source code. Normally you should see similar patch
commit in EDK2 git repo:

commit 4ca4041b0dbb310109d9cb047ed428a0082df395
Author: Sheng Wei <w.sheng@intel.com>
Date:   Tue Feb 28 10:43:57 2023 +0800

    CryptoPkg/OpensslLib: Upgrade OpenSSL to 1.1.1t

Then you will need to update openssl-%{openssl_version}.tar.gz and
openssl-%{openssl_version}.tar.gz.asc signature. You can find them
from https://www.openssl.org/source/old/1.1.1/
e.g.
https://www.openssl.org/source/old/1.1.1/openssl-1.1.1t.tar.gz 
https://www.openssl.org/source/old/1.1.1/openssl-1.1.1t.tar.gz.asc

Update the key of signature for tarball 
----------------------------------------
You will use "osc ci" command to commit new openssl tarball to OBS.
But sometimes you will see fail like this:

ovmf> osc ci -m "Upgrade OpenSSL to 1.1.1t"
- package has ovmf-rpmlintrc: (unchanged)
gpg: Signature made Tue 07 Feb 2023 09:37:18 PM CST
gpg:                using RSA key 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
gpg: Can't check signature: No public key
ERROR: signature ovmf/openssl-1.1.1t.tar.gz.asc does not validate

It means that osc caommand didn't find corresponding key to validate
openssl-%{openssl_version}.tar.gz.asc. It will stop to submit your change
to OBS.

In the above example, it indicates that the signature is using RSA key
7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C. You should go to openssl's
"OpenSSL Technical Committee" page to download the corresponding key
to local. In this case:

https://www.openssl.org/community/otc.html
Richard Levitte (I)             7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C

Then you just use downloaded key to overwrite openssl.keyring file.  
e.g.
ovmf> cp 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C openssl.keyring

Then the osc verification of openssl-%{openssl_version}.tar.gz.asc will pass.
Like this:

ovmf> osc ci -m "Upgrade OpenSSL to 1.1.1t"
(W) Attention, 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C is not mentioned in spec files as source or patch.
###ASK ovmf/7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
- package has ovmf-rpmlintrc: (unchanged)
gpg: Signature made Tue 07 Feb 2023 09:37:18 PM CST
gpg:                using RSA key 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
gpg: Good signature from "Richard Levitte <richard@levitte.org>" [unknown]
gpg:                 aka "Richard Levitte <levitte@lp.se>" [unknown]
gpg:                 aka "Richard Levitte <levitte@openssl.org>" [unknown]

Please maintain the openssl.keyring file in ovmf package with new openssl
tarball and signature.