Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rekor for openSUSE:Factory checked in at 2022-06-30 13:18:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rekor (Old) and /work/SRC/openSUSE:Factory/.rekor.new.1548 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "rekor" Thu Jun 30 13:18:16 2022 rev:7 rq:985790 version:0.8.1 Changes: -------- --- /work/SRC/openSUSE:Factory/rekor/rekor.changes 2022-06-20 15:39:11.939028278 +0200 +++ /work/SRC/openSUSE:Factory/.rekor.new.1548/rekor.changes 2022-06-30 13:18:22.757534145 +0200 @@ -1,0 +2,6 @@ +Wed Jun 29 12:26:43 UTC 2022 - Marcus Meissner <meissner@suse.com> + +- rekor-zypper-verify.sh: add a small script that verifies the on-system + zypper repo cache against rekor transparency log. + +------------------------------------------------------------------- New: ---- rekor-zypper-verify.sh ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rekor.spec ++++++ --- /var/tmp/diff_new_pack.1YmLM2/_old 2022-06-30 13:18:23.225534496 +0200 +++ /var/tmp/diff_new_pack.1YmLM2/_new 2022-06-30 13:18:23.229534500 +0200 @@ -27,6 +27,7 @@ URL: https://github.com/sigstore/rekor Source: https://github.com/sigstore/rekor/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: vendor.tar.xz +Source2: rekor-zypper-verify.sh BuildRequires: golang-packaging BuildRequires: golang(API) %{go_nostrip} 
@@ -55,6 +56,7 @@ for app in %{apps} ; do install -D -m 0755 rekor-${app} %{buildroot}%{_bindir}/rekor-${app} done +install -m 0755 %SOURCE2 %{buildroot}%{_bindir}/rekor-zypp-verify %files %license LICENSE ++++++ rekor-zypper-verify.sh ++++++ #!/bin/bash # # This scripts verifies presence of the current repomd signatures in the rekor log # for each of existing libzypp tracked repos. # zypper -q refresh for repo in /etc/zypp/repos.d/*.repo do if grep enabled=1 $repo >/dev/null; then repodirname=`grep '^\[' "$repo"|sed -e 's/.*\[//;s/\].*//;'` name="`grep ^name= $repo|sed -e 's/name=//;'`" if [ "x$name" == "x" ]; then name="$repodirname" fi # echo "name: $name, repodirname $repodirname" repodata="/var/cache/zypp/raw/$repodirname/repodata" if [ -d "$repodata" ]; then if rekor-cli verify --artifact "$repodata/repomd.xml" --signature "$repodata/repomd.xml.asc" --public-key "$repodata/repomd.xml.key" >/dev/null 2>&1; then echo "$name repomd.xml signature is in rekor log" else echo "$name repomd.xml signature is NOT in rekor log" fi else echo "$name has no repodata/ directory in $repodata, not a RPM-MD repository?" fi fi done
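Review bot: in the rekor.spec %install hunk the script is installed as `%{_bindir}/rekor-zypp-verify`, while the source file and the changelog entry both call it rekor-zypper-verify.sh. Use one spelling so the installed command matches what the changelog announces. No %files change is visible in this diff, so also confirm that an existing entry there covers the new file.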
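Review bot: in rekor-zypper-verify.sh the `rekor-cli verify` call sends stdout and stderr to /dev/null and maps every non-zero exit to "NOT in rekor log", so a network error or a missing repomd.xml.asc or repomd.xml.key is reported the same way as a signature that is absent from the log. Keep stderr, or test for the three files first and report that case separately. The script only echoes results and never sets an exit status, so a caller cannot act on a failure; track failures in a variable and exit non-zero at the end. The exit status of `zypper -q refresh` is also ignored, so a failed refresh means a stale cache is checked without any notice. Smaller points in the same loop: `grep enabled=1 $repo` and `grep ^name= $repo` leave `$repo` unquoted, and the `enabled=1` pattern is unanchored, so it also matches a commented-out line. A .repo file with more than one section makes `repodirname` multi-line and mixes the enabled state of different sections. Finally, the public key is read from the same cache directory as the artifact and signature, so a positive result only says that this key, signature and file were logged together, not that the key is the one expected for the repository; a comment in the header should say so.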