Björn Persson <> changed:

           CC: (added)

--- Comment #22 from Björn Persson <> ---
Cryptocurrency wallets are very juicy targets for criminals, so it's paramount
that you do everything you can to prevent and detect attempts to inject malware
into the package.

First, never use insecure HTTP if HTTPS is available.

Second, verify upstream's signature before unpacking the tarball. Unfortunately
they sign it in an indirect way that our handy verifier script doesn't expect.
That makes the verification code a bit tricky, so I have written it for you.

These are the changes you need to make:

--- bitcoin.spec.old    2020-06-30 12:57:18.000000000 +0200
+++ bitcoin.spec        2020-07-06 15:48:51.656323998 +0200
@@ -7,9 +7,9 @@
 Release:    2%{?dist}
 Summary:    Peer to Peer Cryptographic Currency
 License:    MIT

 Source1:    %{name}-tmpfiles.conf
 Source2:    %{name}.sysconfig
 Source3:    %{name}.service
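Review bot: this hunk shows only unchanged context (Release through Source3) and no +/- lines, so neither the HTTP-to-HTTPS change nor the definitions of Source11 and Source12 that the comment and the %prep code rely on are visible here; %{SOURCE11} and %{SOURCE12} are used in the %prep hunk without being defined anywhere in the visible diff, so make sure the copy that lands in the spec actually carries those lines.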
@@ -20,12 +20,16 @@
 Source8:    README.server.redhat
 Source9:    README.utils.redhat
 Source10:   README.gui.redhat

 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  boost-devel
 BuildRequires:  checkpolicy
 BuildRequires:  desktop-file-utils
+BuildRequires:  gnupg2
+BuildRequires:  grep
 BuildRequires:  java
 BuildRequires:  libdb4-cxx-devel
 BuildRequires:  libevent-devel
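Review bot: gnupg2 is the right dependency since the %prep code calls both gpg2 and gpgv2, which that package provides; grep, like the coreutils tools the same code uses (mktemp, sha256sum), is in Fedora's default buildroot, so if you keep `BuildRequires: grep` for explicitness, `BuildRequires: coreutils` belongs next to it for the same reason.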
@@ -76,7 +80,7 @@
 may be used by third party software to provide consensus verification

-Unless you know need this package, you probably do not.
+Unless you know you need this package, you probably do not.

 %package devel
 Summary:    Peer-to-peer digital currency
@@ -126,6 +130,15 @@
 need this package.

+gpgworkdir="$(mktemp --directory)"
+# Decode the ASCII armor on the keyring.
+gpg2 --homedir="${gpgworkdir}" --yes --output="${gpgworkdir}/keyring.gpg"
--dearmor '%{SOURCE12}'
+# Verify the signature on the checksums file using the decoded keyring.
+gpgv2 --homedir="${gpgworkdir}" --keyring="${gpgworkdir}/keyring.gpg"
+# Verify the tarball using the checksums file minus the signature.
+( cd '%{_sourcedir}' && grep bitcoin '%{SOURCE11}' | sha256sum --check
--ignore-missing - )
+rm --recursive --force ${gpgworkdir}
 %autosetup -a 4 -p1
 mv packaging-*/debian/* contrib/debian/
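Review bot: the gpgv2 invocation on the third added line has no signature-file operand, so as shown it would read stdin instead of verifying the checksums file; if the mail wrapped that line, fine, otherwise it needs `'%{SOURCE11}'` appended, the same file the grep line reads. Likewise `gpg2 ... --dearmor '%{SOURCE12}'` and `grep ... | sha256sum --check --ignore-missing -` appear split across two lines here; each must be one line (or continued with a trailing backslash) in the spec, or the shell runs `--dearmor '%{SOURCE12}'` and `--ignore-missing - )` as commands of their own. Quote `"${gpgworkdir}"` in the rm line as in the other uses. The checks depend on the %prep shell aborting at the first failing command so that %autosetup never runs on an unverified tarball; if you would rather not rely on that, chain gpgv2 and the sha256sum subshell with `||  exit 1`. Placing them before %autosetup is the right order.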

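The same verification flow as a stand-alone shell script, for checking a download by hand outside rpmbuild. This is an added example, not code from the bug report or from the bitcoin package; it assumes GNU coreutils and gnupg2, and the file names in its built-in demonstration (bitcoin-0.20.0.tar.gz, SHA256SUMS.asc, a placeholder signature block) are constructed, not real release artefacts. It goes a little beyond the spec snippet by running the checksum step against an intact, a tampered and a renamed tarball, to show that a mismatch and an absent file both fail rather than pass silently; the signature step only runs when real files are passed on the command line.

```shell
#!/bin/bash
# Added example: the verification flow from the spec snippet, as a stand-alone
# script. Not code from the bug report or the bitcoin package. Assumes GNU
# coreutils (mktemp, realpath, sha256sum) and gnupg2 (gpg2, gpgv2); the demo
# file names below are placeholders for whatever upstream actually ships.
set -u

# verify_signed_checksums KEYRING_ASC SUMS_ASC
#   Dearmor the ASCII-armored keyring into a throwaway GnuPG home and check the
#   clearsigned checksum file against it. Returns gpgv2's exit status, so a
#   missing, bad or unknown-key signature fails the whole check.
verify_signed_checksums() {
    local keyring_asc="$1" sums_asc="$2" workdir status
    workdir="$(mktemp --directory)"
    gpg2 --homedir="${workdir}" --yes --output="${workdir}/keyring.gpg" \
         --dearmor "${keyring_asc}" || { rm -rf "${workdir}"; return 1; }
    if gpgv2 --homedir="${workdir}" --keyring="${workdir}/keyring.gpg" "${sums_asc}"; then
        status=0
    else
        status=$?
    fi
    rm --recursive --force "${workdir}"
    return "${status}"
}

# verify_tarball_checksum SUMS_ASC DIR PATTERN
#   Keep only the checksum lines naming PATTERN (this drops the PGP framing)
#   and verify those of the listed files that exist in DIR. sha256sum fails on
#   a mismatch and, with --ignore-missing, also fails with "no file was
#   verified" when none of the listed files is present, so an absent or
#   renamed tarball cannot pass either.
verify_tarball_checksum() {
    local sums_asc dir="$2" pattern="$3"
    sums_asc="$(realpath -- "$1")"   # absolute path, because we cd into DIR
    ( cd "${dir}" && grep -- "${pattern}" "${sums_asc}" | sha256sum --check --ignore-missing - )
}

# make_fixture: constructed tarball plus a checksum file laid out like a
# clearsigned SHA256SUMS.asc. The signature block is a placeholder, not a real
# signature, so only the checksum step is exercised. Prints the scratch dir.
make_fixture() {
    local tmp sum
    tmp="$(mktemp --directory)"
    printf 'constructed tarball contents\n' > "${tmp}/bitcoin-0.20.0.tar.gz"
    sum="$(cd "${tmp}" && sha256sum bitcoin-0.20.0.tar.gz | cut -d' ' -f1)"
    {
        printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' ''
        printf '%064d  bitcoin-0.20.0-x86_64-linux-gnu.tar.gz\n' 0   # listed, not downloaded
        printf '%s  bitcoin-0.20.0.tar.gz\n' "${sum}"
        printf '%s\n' '-----BEGIN PGP SIGNATURE-----' 'placeholder' '-----END PGP SIGNATURE-----'
    } > "${tmp}/SHA256SUMS.asc"
    printf '%s\n' "${tmp}"
}

# checksum_outcome intact|tampered|missing  -> prints "pass" or "fail"
checksum_outcome() {
    local d result
    d="$(make_fixture)"
    case "$1" in
        tampered) printf 'x' >> "${d}/bitcoin-0.20.0.tar.gz" ;;          # one byte appended
        missing)  mv "${d}/bitcoin-0.20.0.tar.gz" "${d}/renamed.tar.gz" ;;  # nothing listed exists
    esac
    if verify_tarball_checksum "${d}/SHA256SUMS.asc" "${d}" bitcoin 1>&2; then
        result=pass
    else
        result=fail
    fi
    rm --recursive --force "${d}"
    printf '%s\n' "${result}"
}

if [ "$#" -eq 4 ]; then
    # Real use: ./verify-release.sh KEYRING_ASC SUMS_ASC DIR PATTERN
    verify_signed_checksums "$1" "$2" && verify_tarball_checksum "$2" "$3" "$4"
else
    # No arguments: run the constructed demonstration of the checksum step.
    for mode in intact tampered missing; do
        printf '%-8s -> %s\n' "${mode}" "$(checksum_outcome "${mode}")"
    done
fi
```

With no arguments the script prints the three outcomes of the checksum step; with four it performs the signature check first and only then the checksum check, mirroring the order in the spec, and its exit status is non-zero if either step fails.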
package-review mailing list