Limit diff to ~10 lines

Also include content of added files.

autospec/cmake_modules

@@ -289,7 +289,6 @@ LibIcal, libical-dev
 LibKEduVocDocument, libkeduvocdocument-dev
 LibKWorkspace, plasma-workspace-dev
 LibKompareDiff2, libkomparediff2-dev
-LibLZMA, xz-dev
 LibNotificationManager, plasma-workspace-dev
 LibObs, obs-studio-dev
 LibTaskManager, plasma-workspace-dev

autospec/config.py

@@ -115,12 +115,15 @@ class Config(object):
         self.old_keyid = None
         self.profile_payload = None
         self.signature = None
+        self.signature_macro = None
+        self.pkey_macro = None
         self.yum_conf = None
         self.failed_pattern_dir = None
         self.alias = None
         self.failed_commands = {}
         self.ignored_commands = {}
         self.gems = {}
+        self.keyid_blocklist = {}
         self.license_hashes = {}
         self.license_translations = {}
         self.license_blacklist = {}
@@ -603,6 +606,7 @@ class Config(object):
         read_pattern_conf("license_blacklist", self.license_blacklist, list_format=True, path=path)
         read_pattern_conf("qt_modules", self.qt_modules, path=path)
         read_pattern_conf("cmake_modules", self.cmake_modules, path=path)
+        read_pattern_conf("keyid_blocklist", self.keyid_blocklist, list_format=True, path=path)
 
     def parse_existing_spec(self, name):
         """Determine the old version, old patch list, old keyid, and cves from old spec file."""

autospec/failed_commands

@@ -76,7 +76,6 @@
 -lkrb5, krb5-dev
 -lldap, openldap-dev
 -lldb, ldb-dev
--llzma, xz-dev
 -llzo, lzo-dev
 -lmagic, file-dev
 -lmenu, ncurses-dev
@@ -512,7 +511,6 @@ LIBGCRYPT - version >= 1.5.0, libgcrypt-dev
 LIBGD, libgd-dev
 LIBICAL, libical-dev
 LIBKONQ, kde-baseapps-dev
-LIBLZMA, xz-dev
 LIBNOTIFY, libnotify-dev
 LIBPCREVERSION, pcre-dev
 LIBRSVG, librsvg-dev
@@ -534,7 +532,6 @@ LibExiv2, pkgconfig(exiv2)
 LibKEduVocDocument, libkeduvocdocument-dev
 LibKWorkspace, plasma-workspace-dev
 LibKrb5, krb5-dev
-LibLZMA, xz-dev
 LibR, R-dev
 LibSSH, libssh-dev
 LibXml2, libxml2-dev
@@ -1100,7 +1097,6 @@ libhandy-0.0, libhandy-dev
 libiberty.h, binutils-dev
 libkmod.h, kmod-dev
 libksba, libksba-dev
-liblzma, xz-dev
 libmnl/libmnl.h, libmnl-dev
 libmpfr, mpfr-dev
 libmspack >= 0.0.20040308alpha (via pkg-config), libmspack-dev
@@ -1161,8 +1157,6 @@ lxqt-build-tools, lxqt-build-tools
 lxqt-globalkeys, lxqt-globalkeys-dev
 lxqt-globalkeys-ui, lxqt-globalkeys-dev
 lz4.h, lz4-dev
-lzma, xz-dev
-lzma.h, xz-dev
 lzo/lzoconf.h, lzo-dev
 magic, file-dev
 magic.h, file-dev

autospec/git.py

@@ -113,6 +113,7 @@ def commit_to_git(config, name, success):
     call("git add whatrequires", check=False, stderr=subprocess.DEVNULL, cwd=path)
     call("git add description", check=False, stderr=subprocess.DEVNULL, cwd=path)
     call("git add attrs", check=False, stderr=subprocess.DEVNULL, cwd=path)
+    call("git add archive.diff", check=False, stderr=subprocess.DEVNULL, cwd=path)
 
     # remove deprecated config files
     call("git rm make_install_append", check=False, stderr=subprocess.DEVNULL, cwd=path)

autospec/keyid_blocklist

@@ -0,0 +1 @@
+59FCF207FEA7F445

autospec/pkg_integrity.py

@@ -483,6 +483,10 @@ class GPGVerifier(Verifier):
             return None
         # valid signature exists at package_sign_path, operate on it now
         keyid = get_keyid(self.package_sign_path)
+        if keyid in self.config.keyid_blocklist:
+            self.print_result(False, err_msg='KNOWNBADACTOR: {}'.format(keyid))
+            self.quit()
+
         # default location first
         pubkey_loc = self.pubkey_path.format(keyid)
         cache_key = os.path.join(KEY_CACHE_DIR, pubkey_loc)

autospec/specfiles.py

@@ -159,8 +159,17 @@ class Specfile(object):
 
         # if package is verified, include the signature in the source tarball
         if self.keyid and self.config.signature:
+            # We'll need gnupg to verify the signature. Need to add it here so it's ready before write_buildreq
+            self.requirements.add_buildreq("gnupg")
+
             count += 1
             self._write_strip(f"Source{count}  : {self.config.signature}")
+            self.config.signature_macro = f"%{{SOURCE{count}}}"
+
+            # Also include the public key in the source tarball.
+            count += 1
+            self._write_strip(f"Source{count}  : {self.keyid}.pkey")
+            self.config.pkey_macro = f"%{{SOURCE{count}}}"
 
         for source in self.config.extra_sources:
             count += 1
@@ -430,6 +439,12 @@ class Specfile(object):
     def write_prep(self):
         """Write prep section to spec file."""
         self._write_strip("%prep")
+        if self.keyid and self.config.signature:
+            self._write_strip("mkdir .gnupg")
+            self._write_strip("chmod 700 .gnupg")
+            self._write_strip(f"gpg --homedir .gnupg --import {self.config.pkey_macro}")
+            self._write_strip(f"gpg --homedir .gnupg --status-fd 1 --verify {self.config.signature_macro} %{{SOURCE0}} > gpg.status")
+            self._write_strip(f"grep -E '^\\[GNUPG:\\] (GOODSIG|EXPKEYSIG) {self.keyid}' gpg.status")
         self.write_prep_prepend()
         prefix = self.content.prefixes[self.url]
         if self.config.default_pattern == 'R':

autospec/tarball.py

@@ -26,7 +26,7 @@ import tarfile
 import zipfile
 
 import download
-from util import do_regex, get_sha1sum, print_fatal, write_out
+from util import call, do_regex, get_sha1sum, print_fatal, write_out
 
 
 class Source():
@@ -135,7 +135,7 @@ def convert_version(ver_str, name):
     # them out with expensive regular expressions
     banned_subs = ["x86.64", "source", "src", "all", "bin", "release", "rh",
                    "ga", ".ce", "lcms", "onig", "linux", "gc", "sdk", "orig",
-                   "jurko", "%2f", "%2F", "%20"]
+                   "jurko", "%2f", "%2F", "%20", "x265"]
 
     # package names may be modified in the version string by adding "lib" for
     # example. Remove these from the name before trying to remove the name from
@@ -184,6 +184,7 @@ class Content():
         self.prefixes = dict()
         self.config = config
         self.base_path = base_path
+        self.autogenerated_tarball = None
 
     def write_upstream(self, sha, tarfile, mode="w"):
         """Write the upstream hash to the upstream file."""
@@ -213,6 +214,14 @@ class Content():
         main_src = Source(url, '', src_path, self.config.default_pattern)
         return main_src
 
+    def process_autogenerated_source(self, url):
+        """Download any autogenerated source tarball for comparison."""
+        autogenerated_src = None
+        if url:
+            src_path = self.check_or_get_file(url, os.path.basename(url), mode="")
+            autogenerated_src = Source(url, '../autogenerated-tmp', src_path, self.config.default_pattern)
+        return autogenerated_src
+
     def print_header(self):
         """Print header for autospec run."""
         print("\n")
@@ -295,6 +304,9 @@ class Content():
                     name = re.sub(r"release-", '', name)
                     name = re.sub(r"\d*$", '', name)
                 self.rawname = name
+                # Identify the auto-generated tarball URL for comparison
+                if "/releases/download/" in self.url:
+                    self.autogenerated_tarball = "https://github.com/" + match.group(1).strip() + "/" + self.repo + "/archive/refs/tags/" + match.group(3).strip() + ".tar.gz"
                 version = match.group(3).replace(name, '')
                 if "/archive/" not in self.url:
                     version = re.sub(r"^[-_.a-zA-Z]+", "", version)
@@ -427,3 +439,15 @@ class Content():
         archives_src = self.process_archives()
         # Extract all sources
         self.extract_sources(main_src, archives_src)
+        # Download and process any auto-generated source-tree archive for comparison
+        autogenerated_src = self.process_autogenerated_source(self.autogenerated_tarball)
+        # Extract autogenerated source for comparison
+        if autogenerated_src:
+            autogenerated_src.extract(os.path.join(self.base_path, 'autogenerated-tmp'))
+            # Move the autogenerated source to a non-version-named directory for consistent diffs
+            call(f"mv autogenerated-tmp/{autogenerated_src.prefix} autogenerated", check=True, cwd=self.base_path)
+            call("diff -u -r --unidirectional-new-file ../autogenerated ./",
+                 logfile="archive.diff.in", check=False, cwd=os.path.join(self.base_path, main_src.prefix))
+            call("grep -A14 -E '^(diff|Only in)' archive.diff.in",
+                 logfile="archive.diff", check=False, cwd=os.getcwd())
+            call("rm archive.diff.in", check=False, cwd=os.getcwd())

autospec/util.py

@@ -150,8 +150,9 @@ def binary_in_path(binary):
 
 def write_out(filename, content, mode="w"):
     """File.write convenience wrapper."""
-    with open_auto(filename, mode) as require_f:
-        require_f.write(content)
+    if mode:
+        with open_auto(filename, mode) as require_f:
+            require_f.write(content)
 
 
 def open_auto(*args, **kwargs):