Ben Grande fc22726ee8
feat: build and sign RPM packages
Passing files to Dom0 is always dangerous:

- Passing a git repository is dangerous as it can have ignored modified
  files and signature verification will pass.
- Passing an archive is troublesome for updates.
- Passing an RPM package depends on the RPM verification to be correct,
  sometimes it is not.
- Passing an RPM repository definition is less troublesome for the user,
  as it is a small file to verify the contents and update mechanism is
  via the package manager. Trust in RPM verification is still required.

Many improvements were made to the build scripts:

- requires-program: Single function to check if program is installed;
- spec-get: Sort project names for the usage message;
- spec-get: Only running commands that are necessary;
- spec-get: Fix empty summary when readme has copyright header;
- spec-gen: Fix grep warning of escaped symbol;
- spec-build: Sign RPM and verify signature;
- spec-build: Only lint the first SPEC for faster runtime;
- yumrepo-gen: Generate a local yum repository with signed metadata;
- qubesbuilder-gen: Generate a .qubesbuilder based on tracked projects;
- release: Build, sign and push all RPMs to repository.

Goal is to be able to build with qubes-builderv2 Qubes Executor.

For: https://github.com/ben-grande/qusal/issues/37
2024-06-12 14:44:04 +02:00

88 lines
2.1 KiB
RPMSpec

# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
%define file_roots %(./scripts/spec-get.sh @PROJECT@ file_roots)
%define my_name %(./scripts/spec-get.sh @PROJECT@ name)
%define branch %(./scripts/spec-get.sh @PROJECT@ branch)
%define project %(./scripts/spec-get.sh @PROJECT@ project)
%define summary %(./scripts/spec-get.sh @PROJECT@ summary)
%define group %(./scripts/spec-get.sh @PROJECT@ group)
%define vendor %(./scripts/spec-get.sh @PROJECT@ vendor)
%define license_csv %(./scripts/spec-get.sh @PROJECT@ license_csv)
%define license %(./scripts/spec-get.sh @PROJECT@ license)
%define url %(./scripts/spec-get.sh @PROJECT@ url)
%define my_description %(./scripts/spec-get.sh @PROJECT@ description)
Name: %{project}
Version: @VERSION@
Release: 1%{?dist}
Summary: %{summary}
Group: %{group}
Vendor: %{vendor}
License: %{license}
URL: %{url}
Source0: %{project}
BuildArch: noarch
Requires: qubes-mgmt-salt
Requires: qubes-mgmt-salt-dom0
@REQUIRES@
%description
%{my_description}
%prep
%build
%install
rm -rf %{buildroot}
mkdir -p %{buildroot}%{file_roots} %{buildroot}/usr/share/licenses/%{project}
mv -v %{project}/LICENSES/* %{buildroot}/usr/share/licenses/%{project}/
rm -rv %{project}/LICENSES
cp -rv %{project} %{buildroot}%{file_roots}/%{my_name}
%check
%pre
%post
if test "$1" = "1"; then
## Install
@POST_INSTALL@
elif test "$1" = "2"; then
## Upgrade
@POST_UPGRADE@
fi
%preun
if test "$1" = "0"; then
## Uninstall
@PREUN_UNINSTALL@
elif test "$1" = "1"; then
## Upgrade
@PREUN_UPGRADE@
fi
%postun
if test "$1" = "0"; then
## Uninstall
@POSTUN_UNINSTALL@
elif test "$1" = "1"; then
## Upgrade
@POSTUN_UPGRADE@
fi
%files
%defattr(-,root,root,-)
%license /usr/share/licenses/%{project}/*
%dir %{file_roots}/%{my_name}
%doc %{file_roots}/%{my_name}/README.md
%exclude %{file_roots}/%{my_name}/README.md
%{file_roots}/%{my_name}/*
%changelog
@CHANGELOG@
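
The commit message above lists "spec-build: Sign RPM and verify signature" and notes that RPM verification is sometimes not correct. As an added example (not code from this repository), the shell functions below accept a package only when `rpmkeys --checksig` reports both digests and signatures as OK, because an unsigned package reports `digests OK` and still exits 0. The package names and sample output lines are constructed.

```sh
#!/bin/sh
# Added example, not part of the qusal build scripts.
# Constructed sample of `rpmkeys --checksig` output (file names are made up):
SAMPLE_OUTPUT='example-1.0-1.noarch.rpm: digests signatures OK
example-unsigned-1.0-1.noarch.rpm: digests OK
example-nokey-1.0-1.noarch.rpm: digests SIGNATURES NOT OK'

# Accept one result line only if digests AND signatures verified.
# "digests OK" alone means the package carries no signature at all.
checksig_line_ok() {
  case "$1" in
    *": digests signatures OK") return 0 ;;
    *) return 1 ;;
  esac
}

# Read checksig result lines on stdin, print how many must be rejected.
count_rejected() {
  n=0
  while IFS= read -r line; do
    checksig_line_ok "$line" || n=$((n + 1))
  done
  echo "$n"
}

# Verify one package file against the keys imported in the RPM database.
# Fails closed: a non-zero exit or a missing signature both reject.
verify_rpm() {
  pkg=$1
  case "$pkg" in -*) pkg=./$pkg ;; esac   # never let a file name act as an option
  out=$(LC_ALL=C rpmkeys --checksig "$pkg" 2>&1) || {
    printf 'REJECT %s\n' "$out" >&2
    return 1
  }
  if checksig_line_ok "$out"; then
    printf 'ACCEPT %s\n' "$pkg"
  else
    printf 'REJECT %s\n' "$out" >&2
    return 1
  fi
}
```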