Edit summary: →Proposal: add exceptions
[[Category:Packaging_guidelines_drafts]]
Revision as of 10:00, 15 April 2016
== Rationale ==
Many upstream source releases are accompanied by a PGP signature. It is possible for source tarballs to be compromised at any point in time, from the download site or within the Fedora lookaside cache.
Fedora packages should, as a matter of course, validate any available signature on the source files used for building.
== Proposal ==
I propose to add a new section to the guidelines, perhaps between the existing [https://fedoraproject.org/wiki/Packaging:Guidelines#Use_of_pregenerated_code Use of pregenerated code] and [https://fedoraproject.org/wiki/Packaging:Guidelines#Spec_File_Naming Spec File Naming] sections. It should read as follows:
=== Source file verification ===
Where PGP or equivalent signatures are published by the upstream project, Fedora packages '''MUST''' validate that signature as part of the RPM build process, as the first command in the <code>%prep</code> section of the spec file. Any detached signature file ''(e.g. <code>foo.tar.gz.asc</code> or <code>foo.tar.gz.sig</code>)'' must be uploaded to the package lookaside cache alongside the source code, while the PGP key itself must be committed directly to the package SCM.
The following format must be used:
<pre>
Source0: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz
Source1: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz.asc
Source2: gpgkey-0123456789ABCDEF0123456789ABCDEF.gpg
…
BuildRequires: gnupg2
…
%prep
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
</pre>
=== Exceptions ===
If the upstream tarball of a package needs to be modified, for example because it contains forbidden items, then the tarball cannot be verified as part of the build process. In this case the upstream GPG keyring must still be included in the package SCM, and the instructions or script used to build the stripped-down tarball must verify the upstream source before stripping it.
If upstream signs the tarball differently, for example by signing only the uncompressed tarball while distributing a compressed version, the verification step in <code>%prep</code> (before <code>%setup</code>) must be adjusted accordingly, for example:
<pre>
Source0: http://downloads.sourceforge.net/libhx/libHX-%{version}.tar.xz
Source1: http://downloads.sourceforge.net/libhx/libHX-%{version}.tar.asc
Source2: gpgkey-B56B8B9D9915AA8796EDC013DFFF2CDB19FC338D.gpg
# For source verification with gpgv2
BuildRequires: gnupg2 xz
%prep
xzcat %{SOURCE0} | gpgv --quiet --keyring %{SOURCE2} %{SOURCE1} -
%setup -q
</pre>
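The Exceptions section requires that the script used to build a stripped-down tarball verifies the upstream source first, and that a signature over the uncompressed archive is checked by streaming the decompressed data to gpgv. The following hypothetical helper script is an added example, not part of this draft or of any Fedora package, covering both cases; it assumes gpgv from gnupg2, xz and GNU tar are installed and that the upstream tarball unpacks into a single top-level directory.

```bash
#!/bin/bash
# Hypothetical helper kept in the package SCM (added example, not part of the
# draft): rebuilds a stripped-down tarball, but only after the upstream
# signature has been checked against the committed keyring.
set -euo pipefail

# verify_source KEYRING SIGNATURE TARBALL
# Runs the same check the %prep examples use. gpgv trusts only the keys in
# KEYRING (give it a path containing a slash, otherwise gpgv looks for it in
# the GnuPG home directory). A signature named *.tar.asc or *.tar.sig covers
# the uncompressed archive, so the compressed file is decompressed on the fly
# and streamed to gpgv on stdin ("-"), as in the libHX example above.
verify_source() {
    local keyring=$1 sig=$2 tarball=$3
    case "$sig" in
        *.tar.asc|*.tar.sig)
            case "$tarball" in
                *.xz) xzcat "$tarball" | gpgv --quiet --keyring "$keyring" "$sig" - ;;
                *.gz) zcat "$tarball"  | gpgv --quiet --keyring "$keyring" "$sig" - ;;
                *)    gpgv --quiet --keyring "$keyring" "$sig" "$tarball" ;;
            esac ;;
        *)  gpgv --quiet --keyring "$keyring" "$sig" "$tarball" ;;
    esac
}

# build_stripped_tarball KEYRING SIGNATURE TARBALL OUTPUT DIR...
# Verifies TARBALL, unpacks it, deletes the listed DIRs (the forbidden
# items) and repacks the rest as OUTPUT (.tar.xz). The tarball is never
# unpacked when verification fails.
build_stripped_tarball() {
    local keyring=$1 sig=$2 tarball=$3 output=$4 work top dir
    shift 4
    verify_source "$keyring" "$sig" "$tarball" || return 1
    work=$(mktemp -d)
    tar -xf "$tarball" -C "$work"
    top=$(ls "$work")            # assumes a single top-level directory
    for dir in "$@"; do
        rm -rf "${work:?}/$top/$dir"
    done
    tar -C "$work" -cJf "$output" "$top"
    rm -rf "$work"
}

# Usage: ./make-stripped-tarball.sh KEYRING SIG TARBALL OUTPUT DIR...
if [ "$#" -ge 5 ]; then
    build_stripped_tarball "$@"
fi
```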