
#
# spec file for package uyuni-build-keys
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           uyuni-build-keys
BuildRequires:  gpg
Requires:       awk
Requires:       gpg
Provides:       susemanager-build-keys
AutoReqProv:    off
Summary:        The public gpg keys for rpm package signature verification
License:        GPL-2.0+
Group:          System/Packages
Version:        12.0.1
Release:        0

# Public keys bundled with this package. Each Source entry is one ASCII-armored
# key file; the comment above it records the key size/type, short key id,
# creation date and user id.

# pub  2048R/39DB7C82 2013-01-31 SuSE Package Signing Key <build@suse.de>
# SLE12: The main package signing key.
Source2:        gpg-pubkey-39db7c82-5847eb1f.asc
# pub  2048R/50A3DD1C 2013-01-14 SuSE Package Signing Key (reserve key) <build@suse.de>
# SLE12 fallback key, for use if the main key gets lost.
Source3:        gpg-pubkey-50a3dd1c-50f35137.asc

# pub  1024R/307E3D54 2006-03-21 SuSE Package Signing Key <build@suse.de>
# SLE11 build@suse.de key, 1024 bit
# NOTE(review): 1024-bit keys are below currently recommended key sizes; this
# legacy key is imported and trusted exactly like the 2048-bit ones. Confirm it
# is still required.
Source4:        gpg-pubkey-307e3d54-5aaa90a5.asc

# pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
# SLE10 build@suse.de key, 1024 bit
# NOTE(review): legacy 1024-bit DSA key, same concern as the SLE11 key above.
Source5:        gpg-pubkey-9c800aca-5aaa90c5.asc

# pub   1024D/0182B964 2008-11-05 Extended Support Package Signing Key (Extended Support Package Signing Key) <extended-build@novell.com>
# EPAM RES build key
# NOTE(review): legacy 1024-bit DSA key, same concern as the SLE11 key above.
Source6:        gpg-pubkey-0182b964-4911a584.asc

# pub   2048R/3DBDC284 2008-11-07 openSUSE Project Signing Key <opensuse@opensuse.org>
Source7:        gpg-pubkey-3dbdc284-53674dd4.asc

# pub   2048R/0D20833E 2018-06-18 systemsmanagement:Uyuni:Master OBS Project <systemsmanagement:Uyuni:Master@build.opensuse.org>
Source8:        gpg-pubkey-0d20833e.asc

# pub  1024D/B37B98A9 2005-05-11 SUSE PTF Signing Key <support@suse.com>
# SUSE-supplied PTFs (program temporary fixes) are signed by this key.
# The original note states that it is supplied but not meant to be imported by
# default.
# NOTE(review): the build section nevertheless imports this key into the
# packaged keyring together with all the others, and the post scriptlet trusts
# every key in that keyring. Confirm that this is intended.
Source98:       gpg-pubkey-b37b98a9-5aaa951b.asc


BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildArch:      noarch

# Spacewalk GnuPG keyring that the post scriptlet fills with the bundled keys.
# The value has no leading slash, so a use that needs an absolute path has to
# prepend one.
%define pubring  var/lib/spacewalk/gpgdir/pubring.gpg
# Packaged keyring holding every bundled public key; built from the prefix
# macro.
%define susering %{_prefix}/lib/uyuni/uyuni-build-keys.gpg

PreReq:         sh-utils gpg fileutils mktemp

%description
This package contains the gpg keys that are used to sign the
SUSE and openSUSE rpm packages. The keys installed here are not
actually used by anything. rpm/zypper use the keys in the rpm
db instead.

%package web
Summary: The public gpg keys for bootstrap use
Group: System/Packages
Requires: %{name} = %{version}-%{release}
Provides: susemanager-build-keys-web

%description web
This package contains the gpg keys that are used to sign the
SUSE and openSUSE rpm packages. These keys are installed in
the web environment to be used in a bootstrap script.

%prep
# There is no source archive to unpack: -c creates the build directory,
# -T skips unpacking of the default source, -q keeps the step quiet.
%setup -qcT

%build

# Assemble the packaged keyring from the bundled public key files.
# The keyring file is created empty first, then each key is imported in the
# order of its Source number. The default keyring is never consulted.
# NOTE(review): the last entry is the PTF key, which the preamble comment
# describes as not meant to be imported by default; it ends up in the same
# keyring as the others. Confirm that this is intended.
touch uyuni-build-keys.gpg
for key_file in \
    %{SOURCE2} \
    %{SOURCE3} \
    %{SOURCE4} \
    %{SOURCE5} \
    %{SOURCE6} \
    %{SOURCE7} \
    %{SOURCE8} \
    %{SOURCE98}
do
    gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import $key_file
done

%install
# Stage three things in the build root: the packaged keyring, empty
# placeholders for the ghost-listed spacewalk pubring files, and one copy of
# each public key under the web server's pub directory.
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/%{_prefix}/lib/uyuni/ $RPM_BUILD_ROOT/var/lib/spacewalk/gpgdir
install uyuni-build-keys.gpg $RPM_BUILD_ROOT/%{susering}
# Placeholders only; the files section lists them as ghost entries.
touch $RPM_BUILD_ROOT/%{pubring} $RPM_BUILD_ROOT/%{pubring}~

# Key copies published for bootstrap use; the file name carries the product
# and the short key id.
web_pub=$RPM_BUILD_ROOT/srv/www/htdocs/pub
mkdir -p $web_pub/
install %{SOURCE2}  $web_pub/sle12-gpg-pubkey-39db7c82.key
install %{SOURCE3}  $web_pub/sle12-reserve-gpg-pubkey-50a3dd1c.key
install %{SOURCE4}  $web_pub/sle11-gpg-pubkey-307e3d54.key
install %{SOURCE5}  $web_pub/sle10-gpg-pubkey-9c800aca.key
install %{SOURCE6}  $web_pub/res-gpg-pubkey-0182b964.key
install %{SOURCE7}  $web_pub/opensuse-gpg-pubkey-3dbdc284.key
install %{SOURCE8}  $web_pub/uyuni-gpg-pubkey-0d20833e.key
install %{SOURCE98} $web_pub/ptf-gpg-pubkey-b37b98a9.key


%files
# Files default to mode 644 owned by root; the directories below are listed
# explicitly with mode 755.
%defattr(644,root,root)
%attr(755,root,root) %dir %{_prefix}/lib/uyuni
%attr(755,root,root) %dir /var/lib/spacewalk/
%attr(755,root,root) %dir /var/lib/spacewalk/gpgdir
# The packaged keyring that holds every bundled public key.
/%{susering}
# Ghost entries: owned by the package but not shipped in the payload. The post
# scriptlet creates the pubring if it is missing and imports the keys into it.
# The file with the trailing tilde is presumably the backup copy gpg writes
# next to the keyring; confirm.
%ghost /%{pubring}
%ghost /%{pubring}~

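%post
# Post-install scriptlet, in two stages:
#   1. export every key from the packaged keyring and import it into the
#      spacewalk pubring;
#   2. give every key of the packaged keyring ultimate ownertrust in the
#      spacewalk GnuPG home, so that signature verification during repository
#      sync succeeds.
# Either stage exits non-zero when one of its gpg steps fails. The pubring path
# is written with a leading slash so the scriptlet does not depend on the
# directory it is started in.
if [ ! -f /%{pubring} ]; then
    touch /%{pubring}
fi
echo -n "importing Uyuni build key to rpm keyring... "
TF=$(mktemp /tmp/gpg.XXXXXX)
if [ -z "$TF" ]; then
  echo "uyuni-build-keys::post: cannot make temporary file. Fatal error."
  exit 20
fi
# gpg needs a home directory; fall back to root's when HOME is unset.
if [ -z "$HOME" ]; then
  HOME=/root
  export HOME
fi
if [ ! -d "$HOME" ]; then
  mkdir "$HOME"
fi
gpg -q --batch --no-options < /dev/null > /dev/null 2>&1 || true
# no kidding... gpg won't initialize correctly without being called twice.
gpg < /dev/null > /dev/null 2>&1 || true
gpg < /dev/null > /dev/null 2>&1 || true
gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
         --keyring %{susering}    --export -a > "$TF"
a="$?"
# Import only a complete export; a failed export counts as a failed import too.
b=1
if [ "$a" = 0 ]; then
  gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
           --keyring /%{pubring}   --import < "$TF"
  b="$?"
fi
rm -f "$TF"
if [ "$a" = 0 ] && [ "$b" = 0 ]; then
    echo "done."
else
    echo "importing the key from the file %{susering}"
    echo "returned an error. This should not happen. It may not be possible"
    echo "to properly verify the authenticity of rpm packages from SuSE sources."
    echo "The keyring containing the SuSE rpm package signing key can be found"
    echo "in the root directory of the first CD (DVD) of your SuSE product."
    exit 1
fi

# we need to trust them, otherwise the verify will fail
# NOTE(review): the value 6 written below is ultimate ownertrust, and it is
# given to every key in the packaged keyring, legacy 1024-bit keys and the PTF
# key included. Confirm that this breadth of trust is intended.
echo -n "Trusting Uyuni build keys... "
TF=$(mktemp /tmp/gpg.XXXXXX)
if [ -z "$TF" ]; then
  echo "uyuni-build-keys::post: cannot make temporary file. Fatal error."
  exit 20
fi
# The listing is captured on its own so that the status checked is gpg's; in a
# pipeline only the status of the last command would be seen and a failed
# listing would be reported as success.
KEYLIST=$(gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
    --keyring %{susering} --list-keys --with-fingerprint \
    --with-colons)
c="$?"
if [ "$c" = 0 ]; then
  # Take the fingerprint from records whose type field is exactly "fpr".
  printf '%s\n' "$KEYLIST" | awk -F: '$1 == "fpr" {printf("%s:6:\n", $10);}' > "$TF"
  # An empty ownertrust list means no fingerprint was found: treat as failure.
  [ -s "$TF" ] || c=1
fi
d=1
if [ "$c" = 0 ]; then
  gpg -q --batch --no-default-keyring --no-permission-warning \
      --homedir /var/lib/spacewalk/gpgdir/ --import-ownertrust < "$TF"
  d="$?"
fi
rm -f "$TF"
if [ "$c" = 0 ] && [ "$d" = 0 ]; then
    echo "done."
else
    echo "trusting the key from the file %{susering}"
    echo "returned an error. This should not happen. It may not be possible"
    echo "to properly sync repositories using spacewalk-repo-sync."
    exit 1
fi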

%files web
# Key copies for bootstrap use; files default to mode 644 owned by root.
%defattr(644,root,root)
%dir /srv/www/htdocs/pub
# Glob entry: packages every .key file that the install section staged in this
# directory.
# NOTE(review): a bootstrap script that downloads one of these keys can only
# rely on it as far as it can rely on the download channel; presumably clients
# fetch them over TLS with a verified server certificate. Confirm.
/srv/www/htdocs/pub/*.key

%changelog