151 lines
4.8 KiB
RPMSpec
151 lines
4.8 KiB
RPMSpec
#
|
|
# spec file for package suse-build-key
|
|
#
|
|
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
Name: suse-build-key
|
|
BuildRequires: gpg
|
|
Provides: build-key
|
|
Requires: gpg
|
|
AutoReqProv: off
|
|
Summary: The public gpg key for rpm package signature verification
|
|
License: GPL-2.0+
|
|
Group: System/Packages
|
|
Version: 12.0
|
|
Release: 0
|
|
Source0: suse-build-key.gpg
|
|
Source1: dumpsigs
|
|
|
|
# pub 2048R/39DB7C82 2013-01-31 SuSE Package Signing Key <build@suse.de>
|
|
# The main package signing key.
|
|
Source2: gpg-pubkey-39db7c82-510a966b.asc
|
|
# pub 2048R/50A3DD1C 2013-01-14 SuSE Package Signing Key (reserve key) <build@suse.de>
|
|
# Fallback key if main key gets lost.
|
|
Source3: gpg-pubkey-50a3dd1c-50f35137.asc
|
|
|
|
# pub 1024R/307E3D54 2006-03-21 SuSE Package Signing Key <build@suse.de>
|
|
# SLE11 build@suse.de key, 1024 bit
|
|
Source4: gpg-pubkey-307e3d54-4be01a65.asc
|
|
|
|
# pub 1024D/B37B98A9 2005-05-11 SUSE PTF Signing Key <support@suse.com>
|
|
# SUSE supplied PTF (program temporary fixes) are signed by this key.
|
|
# supplied to be not imported by default
|
|
Source98: suse_ptf_key.asc
|
|
|
|
# pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
|
|
# security@suse.de communication key.
|
|
# Only used for E-Mail encryption and signing to/from security@suse.de.
|
|
Source99: security_at_suse_de.asc
|
|
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
|
BuildArch: noarch
|
|
%define keydir %{_prefix}/lib/rpm/gnupg/keys
|
|
|
|
%define pubring usr/lib/rpm/gnupg/pubring.gpg
|
|
%define susering usr/lib/rpm/gnupg/suse-build-key.gpg
|
|
|
|
PreReq: sh-utils gpg fileutils mktemp
|
|
|
|
%description
|
|
This package contains the gpg keys that are used to sign the
|
|
SUSE rpm packages. The keys installed here are not actually
|
|
used by anything. rpm/zypper use the keys in the rpm db instead.
|
|
|
|
|
|
|
|
%prep
|
|
%setup -qcT
|
|
|
|
%build
|
|
cp %SOURCE98 .
|
|
cp %SOURCE99 .
|
|
|
|
%install
|
|
rm -rf $RPM_BUILD_ROOT
|
|
mkdir -p $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
|
|
install %{SOURCE0} $RPM_BUILD_ROOT/%{susering}
|
|
install -m 755 %{SOURCE1} $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
|
|
mkdir keys
|
|
cd keys
|
|
$RPM_BUILD_ROOT/usr/lib/rpm/gnupg/dumpsigs $RPM_BUILD_ROOT/%{susering}
|
|
cd ..
|
|
cp -a keys $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
|
|
|
|
touch $RPM_BUILD_ROOT/%{pubring}
|
|
touch $RPM_BUILD_ROOT/%{pubring}~
|
|
|
|
%files
|
|
%defattr(644,root,root)
|
|
%attr(755,root,root) %dir /usr/lib/rpm/gnupg
|
|
%attr(755,root,root) /usr/lib/rpm/gnupg/dumpsigs
|
|
/usr/lib/rpm/gnupg/keys
|
|
%config /%{susering}
|
|
%ghost /%{pubring}
|
|
%ghost /%{pubring}~
|
|
|
|
%post
|
|
if [ ! -f %{pubring} ]; then
|
|
touch %{pubring}
|
|
fi
|
|
echo -n "importing SuSE build key to rpm keyring... "
|
|
TF=`mktemp /tmp/gpg.XXXXXX`
|
|
if [ -z "$TF" ]; then
|
|
echo "suse-build-key::post: cannot make temporary file. Fatal error."
|
|
exit 20
|
|
fi
|
|
if [ -z "$HOME" ]; then
|
|
HOME=/root
|
|
export HOME
|
|
fi
|
|
if [ ! -d "$HOME" ]; then
|
|
mkdir "$HOME"
|
|
fi
|
|
gpg -q --batch --no-options < /dev/null > /dev/null 2>&1 || true
|
|
# no kidding... gpg won't initialize correctly without being called twice.
|
|
gpg < /dev/null > /dev/null 2>&1 || true
|
|
gpg < /dev/null > /dev/null 2>&1 || true
|
|
gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
|
|
--keyring %{susering} --export -a > $TF
|
|
a="$?"
|
|
gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
|
|
--keyring %{pubring} --import < $TF
|
|
b="$?"
|
|
rm -f "$TF"
|
|
if [ "$a" = 0 -a "$b" = 0 ]; then
|
|
echo "done."
|
|
else
|
|
echo "importing the key from the file %{susering}"
|
|
echo "returned an error. This should not happen. It may not be possible"
|
|
echo "to properly verify the authenticity of rpm packages from SuSE sources."
|
|
echo "The keyring containing the SuSE rpm package signing key can be found"
|
|
echo "in the root directory of the first CD (DVD) of your SuSE product."
|
|
exit -1
|
|
fi
|
|
### import suse package build key to roots gpg keyring
|
|
if test -f root/.gnupg/pubring.gpg ; then
|
|
chroot . usr/bin/gpg --export --armor --no-default-keyring \
|
|
--keyring %{susering} build@suse.de \
|
|
| chroot . usr/bin/gpg --import || true
|
|
if ! chroot . usr/bin/gpg --list-keys build@suse.de >/dev/null 2>&1 ; then
|
|
echo "gpg import for build@suse.de failed, please import manually" >&2
|
|
fi
|
|
else
|
|
cp %{susering} root/.gnupg/pubring.gpg
|
|
fi
|
|
chmod 600 root/.gnupg/pubring.gpg
|
|
|
|
%changelog
|