From Fedora Project Wiki

(initial draft)

Proposal to address concerns that the upstream source tarballs may get compromised at some point in time (including while in our SCM lookaside cache). UnrealIRCd is currently facing such a problem.

# Include the upstream source's tarball GPG signature file as a SourceN file in the spec.
# Include the upstream GPG public key as a SourceN file in the spec.
# Commit the upstream GPG public key to the SCM. Do not copy it into the lookaside cache. (Subject to debate.)
# Commit the GPG signature file to the SCM. Do not copy it into the lookaside cache. (Subject to debate.)
# Add capability to rpmbuild to import the GPG key and verify that the GPG signature matches. rpmbuild cannot (and need not) validate GPG key ownership.
# Add capability to rpmlint to import the GPG key and verify that the GPG signature matches in the SRPM. rpmlint cannot (and need not) validate GPG key ownership.

[[Category:Packaging_guidelines_drafts]]

Revision as of 12:39, 22 March 2016

== Rationale ==

Many upstream source releases are accompanied by a PGP signature. It is possible for source tarballs to be compromised at any point in time, from the download site or within the Fedora lookaside cache.

Fedora packages should, as a matter of course, validate any available signature on the source files used for building.

== Proposal ==

I propose to add a new section to the guidelines, perhaps between the existing [https://fedoraproject.org/wiki/Packaging:Guidelines#Use_of_pregenerated_code Use of pregenerated code] and [https://fedoraproject.org/wiki/Packaging:Guidelines#Spec_File_Naming Spec File Naming] sections. It should read as follows:

=== Source file verification ===

Where PGP or equivalent signatures are published by the upstream project, Fedora packages '''MUST''' validate that signature as part of the RPM build process, preferably in the <code>%prep</code> section of the spec file. Any detached signature file ''(e.g. <code>foo.tar.gz.asc</code> or <code>foo.tar.gz.sig</code>)'' can be uploaded to the package lookaside cache alongside the source code, while the PGP key itself should be committed directly to the package SCM. Keeping the key out of the lookaside cache is what gives the check its value: whoever can replace the tarball on the download site or in the cache can replace the detached signature next to it just as easily, but cannot touch a key whose every change is a reviewed commit in the package repository. The key file should be a binary export of the upstream public key (the output of <code>gpg2 --export</code>, not an ASCII-armoured one), since <code>gpgv2</code> expects a binary keyring, and naming it after the key's full fingerprint lets a reviewer compare it against the fingerprint upstream publishes.

For instance:

<pre>
Source0: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz
Source1: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz.asc
Source2: gpgkey-0123456789ABCDEF0123456789ABCDEF.gpg
…
BuildRequires: gnupg2
…
%prep
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
</pre>

Because rpmbuild runs <code>%prep</code> under <code>sh -e</code>, a non-zero exit from <code>gpgv2</code> (bad signature, or a signature made by a key that is not in the committed keyring) aborts the build rather than letting it continue with unverified sources.
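The <code>%prep</code> check above, exercised end to end as an added example. This is not part of the draft or of any Fedora package: it assumes GnuPG 2.x (<code>gpg</code>/<code>gpg2</code> and <code>gpgv</code>/<code>gpgv2</code>) on the PATH, and every key, tarball, signature and file name it uses (the example.com user IDs, <code>foo-1.0.tar.gz</code>, <code>tampered.tar.gz</code>, <code>evil.tar.gz</code>) is constructed in a temporary directory. It shows the three outcomes a packager relies on: the genuine tarball verifies, a tarball altered after signing is rejected, and a tarball re-signed by somebody else's key is rejected even though that signature is internally valid, because the key in SCM, not the <code>.asc</code> file, is the trust anchor.

```shell
#!/bin/sh
# Added example, not from the Fedora draft or any Fedora package. Runs the
# proposal's %prep check against throwaway keys in a temp directory.
# Assumes GnuPG 2.x (gpg/gpg2 and gpgv/gpgv2) is installed.
set -u

GPG=$(command -v gpg2 || command -v gpg || true)
GPGV=$(command -v gpgv2 || command -v gpgv || true)

have_gpg() { [ -n "$GPG" ] && [ -n "$GPGV" ]; }

# The check the proposal puts in %prep:
#   gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
# Exit status is gpgv's: 0 only when SIG is a valid detached signature over DATA
# made by a key present in KEYRING. rpmbuild runs %prep with "sh -e", so any
# non-zero status here aborts the build.
verify_source() {
    _keyring=$1; _sig=$2; _data=$3
    "$GPGV" --keyring "$_keyring" "$_sig" "$_data" 2>/dev/null
}

# Create an ephemeral (constructed) signing key for user ID $1; print its fingerprint.
make_key() {
    "$GPG" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$1" default default never >/dev/null 2>&1
    "$GPG" --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: '/^fpr/ { print $10; exit }'
}

# Detached, ASCII-armoured signature (the .asc file) by key $1 over file $2, written to $3.
sign_with() {
    "$GPG" --batch --quiet --pinentry-mode loopback --passphrase '' --local-user "$1" \
        --armor --detach-sign --output "$3" "$2" 2>/dev/null
}

# Fixture: an "upstream" key, a second "stranger" key, and the files a package
# would carry as SOURCE0/SOURCE1/SOURCE2. Idempotent so it can be called twice.
setup_fixture() {
    if [ -n "${WORK:-}" ] && [ -d "$WORK" ]; then return 0; fi
    WORK=$(mktemp -d)
    GNUPGHOME="$WORK/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    trap 'command -v gpgconf >/dev/null 2>&1 && gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT
    UPSTREAM=$(make_key 'Upstream Release Key <release@example.com>')
    STRANGER=$(make_key 'Somebody Else <stranger@example.com>')
    # SOURCE2: the key committed to SCM. gpgv wants a binary keyring, so export
    # without --armor, and name the file by full fingerprint.
    "$GPG" --batch --export "$UPSTREAM" > "$WORK/gpgkey-$UPSTREAM.gpg"
    # SOURCE0: constructed stand-in for foo-1.0.tar.gz (gpgv does not care what is inside).
    printf 'constructed tarball contents for foo-1.0\n' > "$WORK/foo-1.0.tar.gz"
    # SOURCE1: the genuine detached signature, foo-1.0.tar.gz.asc.
    sign_with "$UPSTREAM" "$WORK/foo-1.0.tar.gz" "$WORK/foo-1.0.tar.gz.asc"
    # Attack 1: tarball altered after signing (download site or lookaside cache compromised).
    cp "$WORK/foo-1.0.tar.gz" "$WORK/tampered.tar.gz"
    printf 'injected\n' >> "$WORK/tampered.tar.gz"
    # Attack 2: attacker replaces tarball AND .asc, signing with a key of their own.
    printf 'attacker-built tarball\n' > "$WORK/evil.tar.gz"
    sign_with "$STRANGER" "$WORK/evil.tar.gz" "$WORK/evil.tar.gz.asc"
}

# Run the three cases; returns 0 only if each behaves as the guideline relies on.
demo() {
    setup_fixture
    k="$WORK/gpgkey-$UPSTREAM.gpg"
    verify_source "$k" "$WORK/foo-1.0.tar.gz.asc" "$WORK/foo-1.0.tar.gz"    || return 1
    ! verify_source "$k" "$WORK/foo-1.0.tar.gz.asc" "$WORK/tampered.tar.gz" || return 1
    ! verify_source "$k" "$WORK/evil.tar.gz.asc"    "$WORK/evil.tar.gz"     || return 1
    echo "genuine: OK; tampered tarball: rejected; stranger's signature: rejected"
}

if have_gpg; then demo; else echo "gpg/gpgv not found; nothing to run" >&2; fi
```

The second attack is the one the draft's rationale is really about: a compromised mirror or cache can serve a matching tarball and <code>.asc</code> pair, and <code>gpgv2</code> will happily report a good signature if the attacker's key is also handed to it. Only a keyring that arrives through a separate, reviewed channel (the SCM commit) turns "this signature is well-formed" into "upstream produced this tarball".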