
#
# spec file for package suse-build-key
#
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


Name:           suse-build-key
BuildRequires:  gpg
Provides:       build-key
Requires:       gpg
AutoReqProv:    off
Summary:        The public gpg key for rpm package signature verification
License:        GPL-2.0-or-later
Group:          System/Packages
Version:        12.0
Release:        0
# Helper script: installed to /usr/lib/rpm/gnupg and run on the built keyring
# in the install section.
Source1:        dumpsigs

# NOTE(review): the listings below identify several keys by short (32-bit) key
# ID only. Short IDs are not collision resistant; when auditing the .asc files,
# compare the full fingerprint against one obtained from a trusted channel.

# pub  2048R/39DB7C82 2013-01-31 [expires: 2024-09-20] SuSE Package Signing Key <build@suse.de>
# The main package signing key.
# Imported into suse-build-key.gpg in the build section.
Source2:        gpg-pubkey-39db7c82-5f68629b.asc

# pub  2048R/50A3DD1C 2013-01-14 SuSE Package Signing Key (reserve key) <build@suse.de>
# Fallback key in case the main key is lost.
# Imported into suse-build-key.gpg in the build section.
Source3:        gpg-pubkey-50a3dd1c-50f35137.asc

# pub  1024R/307E3D54 2006-03-21 SuSE Package Signing Key <build@suse.de>
# SLE11 build@suse.de key, 1024 bit
# Shipped as documentation only; the build section does not import it into
# suse-build-key.gpg. 1024-bit RSA is below current key-size recommendations.
Source4:        build-at-suse-sle11.asc

#pub   rsa2048/0x8EFE1BC4D4ADE9C3 2017-12-11 [SC] [expires: 2027-12-09]
#      Key fingerprint = 0EE9 CA43 0050 9E29 17A0  54ED 8EFE 1BC4 D4AD E9C3
#uid                             SUSE Linux Container Signing Key <build-container@suse.de>
# Used for containers provided by SUSE.
# Installed as suse-container-key.asc in the container-keys directory; not
# imported into suse-build-key.gpg.
Source5:        build-container-d4ade9c3-5a2e9669.asc

# pub  1024D/B37B98A9 2005-05-11 SUSE PTF Signing Key <support@suse.com>
# SUSE supplied PTF (program temporary fixes) are signed by this key.
# Shipped but not imported by default: it is copied into the keys directory and
# the documentation, never into suse-build-key.gpg. 1024-bit DSA is below
# current key-size recommendations.
Source98:       suse_ptf_key.asc

#pub   rsa4096/0x21FE92322BA9E067 2018-03-15 [SC] [expires: 2020-03-14]
#      Key fingerprint = EC7C 5EAB 2C34 09A6 4F3B  BE6E 21FE 9232 2BA9 E067
#uid                             SUSE Security Team <security@suse.com>
#uid                             SUSE Security Team <security@suse.de>
#sub   rsa4096/0xFF97314EC1E11A0E 2018-03-15 [E] [expires: 2020-03-14]
# Old key (the listing above shows it expired on 2020-03-14).
# Only used for email communication; shipped as documentation only.
Source99:       security_at_suse_de_old.asc
#pub   rsa4096/0xB205E69BAB2FD922 2020-03-10 [SC] [expires: 2022-03-10]
#      Key fingerprint = 2BAB 445F B9B4 F0D3 30E4  7CB0 B205 E69B AB2F D922
#uid                   [  full  ] SUSE Security Team <security@suse.com>
#uid                   [  full  ] SUSE Security Team <security@suse.de>
#sub   rsa4096/0xA679ED66FD417627 2020-03-10 [E] [expires: 2022-03-10]
#      Key fingerprint = DB30 DF8E 6E44 CFF8 25E8  C858 A679 ED66 FD41 7627
# Only used for email communication; shipped as documentation only.
Source100:      security_at_suse_de.asc

BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildArch:      noarch
# keydir is defined here but not referenced in the sections visible in this
# spec; the install and files sections spell the path out instead.
%define keydir  %{_prefix}/lib/rpm/gnupg/keys
%define containerkeydir  %{_prefix}/share/container-keys/

# Both paths deliberately lack a leading slash: the files section prefixes "/",
# while the post scriptlet uses them relative to its working directory.
%define pubring  usr/lib/rpm/gnupg/pubring.gpg
%define susering usr/lib/rpm/gnupg/suse-build-key.gpg

# gpg and mktemp are called from the post scriptlet.
PreReq:         sh-utils gpg fileutils mktemp

%description
This package contains the gpg keys that are used to sign the
SUSE rpm packages. The keys installed here are not actually
used by anything. rpm/zypper use the keys in the rpm db instead.



%prep
# -q: quiet, -c: create the build directory, -T: do not unpack a default source
# archive. The key files are copied by hand in the build section.
%setup -qcT

%build
# Keys that are packaged as documentation only: copy them into the build
# directory so the doc entry in the files section can pick them up.
for doc_key in %{SOURCE4} %{SOURCE98} %{SOURCE99} %{SOURCE100}; do
  cp "$doc_key" .
done

# Build the package keyring from an empty file and import only the main and
# the reserve package signing key into it.
touch suse-build-key.gpg
for signing_key in %{SOURCE2} %{SOURCE3}; do
  gpg --no-default-keyring --keyring ./suse-build-key.gpg --import "$signing_key"
done

%install
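# Every path below hangs off the buildroot, so refuse to run with it unset or
# empty rather than letting rm -rf and install act on unintended paths.
buildroot=${RPM_BUILD_ROOT:?RPM_BUILD_ROOT is not set}
gnupg_dir=$buildroot/usr/lib/rpm/gnupg

rm -rf -- "$buildroot"
mkdir -p "$gnupg_dir"
install suse-build-key.gpg "$buildroot/%{susering}"
install -m 755 %{SOURCE1} "$gnupg_dir"

# Run the just-installed dumpsigs helper on the packaged keyring from inside
# ./keys (presumably it writes per-key files into the current directory -
# confirm against the dumpsigs source). The subshell keeps the cd local and
# stops if the directory cannot be entered.
mkdir keys
( cd keys && "$gnupg_dir/dumpsigs" "$buildroot/%{susering}" )

# Also ship the PTF key in the keys directory; it is not imported by default.
cp %{SOURCE98} keys/

cp -a keys "$gnupg_dir"

# Empty placeholders for the two files listed as ghost entries in the files
# section.
touch "$buildroot/%{pubring}"
touch "$buildroot/%{pubring}~"

# The container signing key gets its own directory.
install -d -m 755 "$buildroot%{containerkeydir}/"
install -c -m 644 %{SOURCE5} "$buildroot%{containerkeydir}/suse-container-key.asc"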

%files
# Default ownership root:root and mode 644 for entries without their own attr.
%defattr(644,root,root)
# Keys shipped as documentation only; none of them is imported into
# suse-build-key.gpg by the build section.
%doc suse_ptf_key.asc security_at_suse_de.asc security_at_suse_de_old.asc build-at-suse-sle11.asc
%attr(755,root,root) %dir /usr/lib/rpm/gnupg
%attr(755,root,root) /usr/lib/rpm/gnupg/dumpsigs
%attr(755,root,root) %dir %{containerkeydir}
# Directory filled in the install section (dumpsigs output plus the PTF key).
# NOTE(review): unlike the two dir entries above, no explicit directory mode is
# given here - confirm which mode the packaged keys directory ends up with.
/usr/lib/rpm/gnupg/keys
# Keyring built from Source2 and Source3.
%config /%{susering}
# Ghost entries: owned by the package, content not shipped. The post scriptlet
# creates and fills the pubring; the "~" file is presumably gpg's backup copy.
%ghost /%{pubring}
%ghost /%{pubring}~
%{containerkeydir}/suse-container-key.asc

%post
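# Import the packaged SUSE signing keys into gpg keyrings on the installed
# system. All keyring paths are relative (the pubring and susering macros have
# no leading slash, and the last step uses "chroot ."), so this scriptlet
# relies on its working directory being the root of the target system.
#
# Exit status: 20 if no temporary file can be created, 255 if the export or the
# import into the rpm gnupg pubring fails, otherwise the status of the final
# chmod.

# Make sure the destination keyring exists before gpg is pointed at it.
if [ ! -f %{pubring} ]; then
    touch %{pubring}
fi
printf '%s' "importing SuSE build key to rpm keyring... "

# mktemp creates the file itself with an unpredictable name, so the exported
# key material cannot be redirected through a pre-planted path in /tmp.
TF=$(mktemp /tmp/gpg.XXXXXX)
if [ -z "$TF" ]; then
  echo "suse-build-key::post: cannot make temporary file. Fatal error."
  exit 20
fi

# gpg needs a usable home directory for its own state.
if [ -z "$HOME" ]; then
  HOME=/root
  export HOME
fi
if [ ! -d "$HOME" ]; then
  mkdir "$HOME"
fi

gpg -q --batch --no-options < /dev/null > /dev/null 2>&1 || true
# no kidding... gpg won't initialize correctly without being called twice.
gpg < /dev/null > /dev/null 2>&1 || true
gpg < /dev/null > /dev/null 2>&1 || true

# Export the packaged keyring in armored form, then import that into the
# pubring. Both statuses are kept so either failure is reported below.
gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
         --keyring %{susering}    --export -a > "$TF"
export_rc="$?"
gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
         --keyring %{pubring}   --import < "$TF"
import_rc="$?"
rm -f "$TF"

if [ "$export_rc" = 0 ] && [ "$import_rc" = 0 ]; then
    echo "done."
else
    echo "importing the key from the file %{susering}"
    echo "returned an error. This should not happen. It may not be possible"
    echo "to properly verify the authenticity of rpm packages from SuSE sources."
    echo "The keyring containing the SuSE rpm package signing key can be found"
    echo "in the root directory of the first CD (DVD) of your SuSE product."
    # "exit -1" is not a valid status in POSIX sh; 255 is what bash turned it
    # into, so the failure status seen by rpm stays the same.
    exit 255
fi

### import suse package build key to roots gpg keyring
if test -f root/.gnupg/pubring.gpg ; then
   # An existing keyring is extended, never replaced. A failed import is
   # tolerated here and reported by the list-keys check that follows.
   chroot . usr/bin/gpg --export --armor --no-default-keyring \
                   --keyring %{susering} build@suse.de \
        | chroot . usr/bin/gpg --import || true
   if ! chroot . usr/bin/gpg --list-keys build@suse.de >/dev/null 2>&1 ; then
      echo "gpg import for build@suse.de failed, please import manually" >&2
   fi
else
   # No keyring yet: seed it with the packaged one. Create the directory first
   # (owner-only, as gpg expects) so cp and the chmod below cannot fail just
   # because root/.gnupg is missing.
   [ -d root/.gnupg ] || mkdir -p -m 700 root/.gnupg
   cp %{susering} root/.gnupg/pubring.gpg
fi
chmod 600 root/.gnupg/pubring.gpg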

%changelog