https://bugzilla.redhat.com/show_bug.cgi?id=1834731

Björn Persson <bj...@xn--rombobjrn-67a.se> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bj...@xn--rombobjrn-67a.se

--- Comment #22 from Björn Persson <bj...@xn--rombobjrn-67a.se> ---
Cryptocurrency wallets are very juicy targets for criminals, so it's paramount
that you do everything you can to prevent and detect attempts to inject malware
into the package.

First, never use insecure HTTP if HTTPS is available.

Second, verify upstream's signature before unpacking the tarball. Unfortunately
they sign it in an indirect way that our handy verifier script doesn't expect.
That makes the verification code a bit tricky, so I have written it for you.

These are the changes you need to make:

--- bitcoin.spec.old    2020-06-30 12:57:18.000000000 +0200
+++ bitcoin.spec        2020-07-06 15:48:51.656323998 +0200
@@ -7,9 +7,9 @@
 Release:    2%{?dist}
 Summary:    Peer to Peer Cryptographic Currency
 License:    MIT
-URL:        http://bitcoin.org/
+URL:        https://bitcoin.org/

-Source0:   
http://github.com/%{name}/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
+Source0:   
https://github.com/%{name}/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
 Source1:    %{name}-tmpfiles.conf
 Source2:    %{name}.sysconfig
 Source3:    %{name}.service
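Review bot: the `-Source0:` and `+Source0:` entries have been wrapped by the mail client, with each URL pushed onto the following line, so this hunk will not apply with `patch` as quoted; rejoin each `Source0:` tag with its URL on one line before applying. The `http` to `https` change itself is right for both `URL:` and `Source0:`, since a plain-HTTP download can be altered before any redirect to HTTPS takes place, and `Source0` only gains real protection once the checksum verification in the `%prep` hunk below is in place as well.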
@@ -20,12 +20,16 @@
 Source8:    README.server.redhat
 Source9:    README.utils.redhat
 Source10:   README.gui.redhat
+Source11:   https://bitcoin.org/bin/bitcoin-core-%{version}/SHA256SUMS.asc
+Source12:   https://bitcoin.org/laanwj-releases.asc

 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  boost-devel
 BuildRequires:  checkpolicy
 BuildRequires:  desktop-file-utils
+BuildRequires:  gnupg2
+BuildRequires:  grep
 BuildRequires:  java
 BuildRequires:  libdb4-cxx-devel
 BuildRequires:  libevent-devel
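Review bot: `Source12` fetches the signing key from the same host that serves `Source11`, so the signature check in `%prep` proves only that the checksums file was signed by whatever key bitcoin.org handed out at download time; the key's fingerprint should be confirmed out of band before `laanwj-releases.asc` is committed to the package, and any later change to that file reviewed as carefully as a change to `Source0`. `BuildRequires: gnupg2` is needed for both `gpg2` and `gpgv2`; `BuildRequires: grep` is harmless but likely redundant, as grep (like the `sha256sum` from coreutils used below) is part of the standard build root.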
@@ -76,7 +80,7 @@
 may be used by third party software to provide consensus verification
 functionality.

-Unless you know need this package, you probably do not.
+Unless you know you need this package, you probably do not.

 %package devel
 Summary:    Peer-to-peer digital currency
@@ -126,6 +130,15 @@
 need this package.

 %prep
+gpgworkdir="$(mktemp --directory)"
+# Decode the ASCII armor on the keyring.
+gpg2 --homedir="${gpgworkdir}" --yes --output="${gpgworkdir}/keyring.gpg"
--dearmor '%{SOURCE12}'
+# Verify the signature on the checksums file using the decoded keyring.
+gpgv2 --homedir="${gpgworkdir}" --keyring="${gpgworkdir}/keyring.gpg"
'%{SOURCE11}'
+# Verify the tarball using the checksums file minus the signature.
+( cd '%{_sourcedir}' && grep bitcoin '%{SOURCE11}' | sha256sum --check
--ignore-missing - )
+rm --recursive --force ${gpgworkdir}
+
 %autosetup -a 4 -p1
 mv packaging-*/debian/* contrib/debian/
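Review bot: `grep bitcoin '%{SOURCE11}' | sha256sum --check --ignore-missing -` checks only files that happen to be present in `%{_sourcedir}`, so if the file name recorded in `SHA256SUMS.asc` does not match the name of the downloaded `Source0`, the tarball is skipped rather than rejected. Consider selecting the one expected line instead, for instance `grep -F '%{name}-%{version}.tar.gz' '%{SOURCE11}'`, so that an absent or renamed entry leaves `sha256sum` with nothing to check and fails the build, and confirm once by hand that the GitHub archive is the file upstream actually hashed. `gpgv2` treats every key in the supplied keyring as trusted, so this step is only as strong as the provenance of `Source12`. Two smaller points: quote the variable in the cleanup line, `rm --recursive --force "${gpgworkdir}"`, as the other uses are quoted, and the `gpg2`, `gpgv2` and `grep` commands have been wrapped onto two lines by the mail client and need rejoining before the spec will run.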


_______________________________________________
package-review mailing list -- package-review@lists.fedoraproject.org