Many upstream source releases are accompanied by a PGP signature. A source tarball can be tampered with at any point, whether at the upstream download site or while it sits in the Fedora lookaside cache.

Fedora packages should, as a matter of course, validate any available signature on the source files used for building.


I propose to add a new section to the guidelines. It should read as follows:

Source file verification

Where PGP or equivalent signatures are published by the upstream project, Fedora packages MUST validate that signature as part of the RPM build process, preferably in the %prep section of the spec file. Any detached signature file (e.g. foo.tar.gz.asc or foo.tar.gz.sig) can be uploaded to the package lookaside cache alongside the source code, while the PGP key itself should be committed directly to the package SCM.

For instance:

Source0: foo-%{version}.tar.gz
Source1: foo-%{version}.tar.gz.asc
Source2: gpgkey-0123456789ABCDEF0123456789ABCDEF.gpg
BuildRequires: gnupg2
%prep
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
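As an added example that is not part of this proposal, the following shell script exercises the whole flow described above with a throwaway key and a constructed tarball (the key, its user ID and the file names are assumptions), so a packager can see the %prep command succeed on a genuine release and fail once the tarball is altered.

```shell
#!/bin/sh
# Added example (not from the proposal): end-to-end demo of the %prep check.
# Builds a throwaway "upstream" key and a constructed tarball in a temp dir,
# verifies with gpgv exactly as the spec snippet does, then tampers with the
# tarball and shows the same check now fails.
set -eu

# Fedora ships gpgv2; fall back to gpgv elsewhere.
GPGV=$(command -v gpgv2 || command -v gpgv)

# Verify a detached signature against a keyring file, as %prep would.
# $1 keyring (binary, as committed to SCM)  $2 detached signature  $3 tarball
# Exit status is gpgv's: 0 good signature, 1 bad signature, other = fatal error.
verify_source() {
    "$GPGV" --keyring "$1" "$2" "$3" 2>/dev/null
}

demo() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    # Constructed upstream key (assumption); real packages use upstream's published key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Upstream <demo@example.invalid>' default default never 2>/dev/null
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '/^fpr/ {print $10; exit}')
    # Constructed release tarball and its detached signature (foo.tar.gz / foo.tar.gz.asc)
    printf 'constructed tarball content\n' > "$work/foo.tar.gz"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --armor -o "$work/foo.tar.gz.asc" "$work/foo.tar.gz" 2>/dev/null
    # Key exported in binary form and named after its fingerprint, as the proposal suggests
    gpg --batch --export "$fpr" > "$work/gpgkey-$fpr.gpg"

    good=0
    verify_source "$work/gpgkey-$fpr.gpg" "$work/foo.tar.gz.asc" "$work/foo.tar.gz" || good=$?
    # Simulate a compromised download: one appended byte breaks the signature
    printf 'x' >> "$work/foo.tar.gz"
    bad=0
    verify_source "$work/gpgkey-$fpr.gpg" "$work/foo.tar.gz.asc" "$work/foo.tar.gz" || bad=$?

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$good $bad"   # expected: "0 1"
}
```

In a real spec the same non-zero exit from gpgv2 aborts %prep, which is what stops a tampered tarball from ever being built.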