Merge pull request #321 from bcressey/gpg-verify

add GPG verification where possible

Author: bcressey

.gitignore

@@ -18,3 +18,9 @@
 *.run
 /tests
 Twoliter.override
+packages/*/*.asc
+packages/*/*-asc.txt
+packages/*/*.sig
+packages/*/*-sig.txt
+packages/*/*.sign
+!packages/*/gpgkey-*.asc

packages/amazon-ecs-cni-plugins/Cargo.toml

@@ -8,6 +8,10 @@ build = "../build.rs"
 [lib]
 path = "../packages.rs"
 
+[package.metadata.build-package]
+# Use the Git submodule commit from aws/amazon-ecs-agent rather than an upstream release.
+releases-url = "https://github.com/aws/amazon-ecs-agent/commits/master/amazon-ecs-cni-plugins"
+
 [[package.metadata.build-package.external-files]]
 # This is locked against the version shipped in ecs-agent
 # Verify that the ecs-agent version shipped in bottlerocket tracks the same one here

packages/amazon-ssm-agent/Cargo.toml

@@ -8,6 +8,9 @@ build = "../build.rs"
 [lib]
 path = "../packages.rs"
 
+[package.metadata.build-package]
+releases-url = "https://github.com/aws/amazon-ssm-agent/releases"
+
 [[package.metadata.build-package.external-files]]
 url = "https://github.com/aws/amazon-ssm-agent/archive/3.3.1345.0/amazon-ssm-agent-3.3.1345.0.tar.gz"
 sha512 = "c147a59509db081c5bc8d7aeca6870fb1e907b252e62513164935549a11d4276dda7c214d349af9d9e7cf136058e0cd9cd77e15088b5fd38ae14c0472a064923"

packages/amazon-vpc-cni-plugins/Cargo.toml

@@ -8,6 +8,10 @@ build = "../build.rs"
 [lib]
 path = "../packages.rs"
 
+[package.metadata.build-package]
+# Use the Git submodule commit from aws/amazon-ecs-agent rather than an upstream release.
+releases-url = "https://github.com/aws/amazon-ecs-agent/commits/master/amazon-vpc-cni-plugins"
+
 [[package.metadata.build-package.external-files]]
 url = "https://github.com/aws/amazon-vpc-cni-plugins/archive/be5214353252f8315a1341f4df9ffbd8cf69000c/amazon-vpc-cni-plugins.tar.gz"
 sha512 = "b1aa61d0000ff732dae67213cea2eac49363c048416716e27f36b2b43f6227db8b15ead27c43c5fd623569a49572cb6b2149c86d69363f75cec4620ddc9ef47b"

packages/aws-otel-collector/Cargo.toml

@@ -8,6 +8,9 @@ build = "../build.rs"
 [lib]
 path = "../packages.rs"
 
+[package.metadata.build-package]
+releases-url = "https://github.com/aws-observability/aws-otel-collector/releases"
+
 [[package.metadata.build-package.external-files]]
 url = "https://github.com/aws-observability/aws-otel-collector/archive/v0.41.1/aws-otel-collector-v0.41.1.tar.gz"
 sha512 = "8e6436e4cec7d4f02468ad69fd6b26c97a9b592083da2725daa0b4c4777c34b2127dadc217c13be7c8de53bde021165aacbc1e5fecbd9ae0cae26d9fea8327e4"

packages/bash/Cargo.toml

@@ -15,6 +15,10 @@ releases-url = "https://ftp.gnu.org/gnu/bash"
 url = "https://ftp.gnu.org/gnu/bash/bash-5.2.37.tar.gz"
 sha512 = "c07e2715cca7c3c8435fcb13aaf2968671f10f9e1fe5edd7c63d7e34fb821c159087b70386e17bdda723d8223057b53810e75eb249b03ebfc847147b06a8101f"
 
+[[package.metadata.build-package.external-files]]
+url = "https://ftp.gnu.org/gnu/bash/bash-5.2.37.tar.gz.sig"
+sha512 = "5700135e0f6ddb86e577445eeead7ee07df80d00b751ef2c3332b7af76a1f0d7c69be5f72790ce37249d0652532232d1bc8e1e7cb73c105da7337fc5f5c1f539"
+
 [build-dependencies]
 glibc = { path = "../glibc" }
 libncurses = { path = "../libncurses" }

packages/bash/bash.spec

@@ -5,6 +5,8 @@ Summary: The GNU Bourne Again shell
 License: GPL-3.0-or-later
 URL: https://www.gnu.org/software/bash
 Source0: https://ftp.gnu.org/gnu/bash/bash-%{version}.tar.gz
+Source1: https://ftp.gnu.org/gnu/bash/bash-%{version}.tar.gz.sig
+Source2: gpgkey-7C0135FB088AAF6C66C650B9BB5869F064EA74AB.asc
 
 # Disable loadable builtin examples
 Patch127: bash-4.4-no-loadable-builtins.patch
@@ -26,6 +28,7 @@ Requires: %{name}
 %{summary}.
 
 %prep
+%{gpgverify} --data=%{S:0} --signature=%{S:1} --keyring=%{S:2}
 %autosetup -n bash-%{version} -p1
 
 echo %{version} > _distribution

packages/bash/gpgkey-7C0135FB088AAF6C66C650B9BB5869F064EA74AB.asc

@@ -0,0 +1,23 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGiBEEOsGwRBACFa0A1oa71HSZLWxAx0svXzhOZNQZOzqHmSuGOG92jIpQpr8Dp
+vgRh40YpAwdcXb8QG1J5yGAKeevNE1zCFaA725vGSdHUyypHouV0xoWwukYO6qly
+yX+2BZU+okBUqoWQkoWxiYaCSfzB2Ln7pmdys1fJhcgBKf3VjWCjd2XJTwCgoFJO
+wyBFJdugjfwjSoRSwDOIMf0D/iQKqlWhIO1LGpMrGX0il0/x4zj0NAcSwAk7LaPZ
+bN4UPjn5pqGEHBlf1+xDDQCkAoZ/VqESGZragl4VqJfxBr29Ag0UDvNbUbXoxQsA
+Rdero1M8GiAIRc50hj7HXFoERwenbNDJL86GPLAQOTGOCa4W2o29nFfFjQrsrrYH
+zVtyA/9oyKvTeEMJ7NA3VJdWcmn7gOu0FxEmSNhSoV1T4vP21Wf7f5niCCRKQLNy
+Uy0wEApQi4tSysdz+AbgAc0b/bHYVzIf2uO2lIEZQNNt+3g2bmXgloWmW5fsm/di
+50Gm1l1Na63d3RZ00SeFQos6WEwLUHEB0yp6KXluXLLIZitEJLQaQ2hldCBSYW1l
+eSA8Y2hldEBjd3J1LmVkdT6IZgQTEQIAHgUCQQ6wbAIbAwYLCQgHAwIDFQIDAxYC
+AQIeAQIXgAASCRC7WGnwZOp0qwdlR1BHAAEBzs0An30UTMW8N1jOoJzNcXoopeLt
+g3k4AJ9pwNiyhlyeezLsSMFkvTPAbBv+wbkBDQRBDrBvEAQAkK6TAOKBEM+EC4j6
+V/7o/riVZqcgU5cid2qG9TXdwNtD9a3kvA/ObZBO93sX59wc6Bnwo4VJxsOmMlpG
+rAjJsxNwg3QHakEtf8LXRbVpj5xStdmBdQZUhIQyalo/2/TZq5OijtddUQcL5cs7
+0hTv/FpT3wUvr2Xr8rjF41IFEz8AAwcD/A0CZEGlzIrT5WCBnl6xBog/8vKiUCba
+rByat3d1mL6DbizvKNXQRTC9E/vEdENAWCQCjr75Bu55xT8n3SXGtWdDC5xmZ/P3
+OBYORP8yl8H8I1FIosWOFirbIeYdZPq8SPD1HL+EXo9zSiHVrrZRJ19ooCKKbSdX
+HFCY+aJG+0KZiFEEGBECAAkFAkEOsG8CGwwAEgkQu1hp8GTqdKsHZUdQRwABAeNw
+AJ9mWRUIPBrP81M71zLe3r2halU83ACdHB7SqT9Yv+B+EffjrGHkHccVsU0=
+=X3tm
+-----END PGP PUBLIC KEY BLOCK-----

packages/binutils/Cargo.toml

@@ -8,10 +8,17 @@ build = "../build.rs"
 [lib]
 path = "../packages.rs"
 
+[package.metadata.build-package]
+releases-url = "https://mirrors.kernel.org/gnu/binutils/"
+
 [[package.metadata.build-package.external-files]]
 url = "https://mirrors.kernel.org/gnu/binutils/binutils-2.41.tar.xz"
 sha512 = "5df45d0bd6ddabdce4f35878c041e46a92deef01e7dea5facc97fd65cc06b59abc6fba0eb454b68e571c7e14038dc823fe7f2263843e6e627b7444eaf0fe9374"
 
+[[package.metadata.build-package.external-files]]
+url = "https://mirrors.kernel.org/gnu/binutils/binutils-2.41.tar.xz.sig"
+sha512 = "e86b940a1fa73775236fe8e7cf824625c6add59072fe7948a7de8f613bb1bbbbb7108e4f9651cb0f606007f4180a0fe13911d84c70149e82242169e4ce5892e2"
+
 [build-dependencies]
 glibc = { path = "../glibc" }
 libz = { path = "../libz" }

packages/binutils/binutils.spec

@@ -6,6 +6,8 @@ Summary: Tools for working with binaries
 URL: https://sourceware.org/binutils
 License: GPL-2.0-or-later AND LGPL-2.0-or-later AND GPL-3.0-or-later
 Source0: https://ftp.gnu.org/gnu/binutils/binutils-%{version}.tar.xz
+Source1: https://ftp.gnu.org/gnu/binutils/binutils-%{version}.tar.xz.sig
+Source2: gpgkey-3A24BC1E8FB409FA9F14371813FCEF89DD9E3C4F.asc
 Requires: %{_cross_os}libz
 BuildRequires: %{_cross_os}glibc-devel
 BuildRequires: %{_cross_os}libz-devel
@@ -21,6 +23,7 @@ Requires: %{name}
 %{summary}.
 
 %prep
+%{gpgverify} --data=%{S:0} --signature=%{S:1} --keyring=%{S:2}
 %autosetup -n binutils-%{version} -p1
 
 %build