Add gnupg as a buildreq if we'll need it during build

Add gpg commands to the specfile so we verify the package signature
during every rpmbuild. Also ensure that the signature key ID matches
what we expect.

autospec/cmake_modules

@@ -289,7 +289,6 @@ LibIcal, libical-dev
 LibKEduVocDocument, libkeduvocdocument-dev
 LibKWorkspace, plasma-workspace-dev
 LibKompareDiff2, libkomparediff2-dev
-LibLZMA, xz-dev
 LibNotificationManager, plasma-workspace-dev
 LibObs, obs-studio-dev
 LibTaskManager, plasma-workspace-dev

autospec/config.py

@@ -115,6 +115,8 @@ class Config(object):
         self.old_keyid = None
         self.profile_payload = None
         self.signature = None
+        self.signature_macro = None
+        self.pkey_macro = None
         self.yum_conf = None
         self.failed_pattern_dir = None
         self.alias = None

autospec/failed_commands

@@ -76,7 +76,6 @@
 -lkrb5, krb5-dev
 -lldap, openldap-dev
 -lldb, ldb-dev
--llzma, xz-dev
 -llzo, lzo-dev
 -lmagic, file-dev
 -lmenu, ncurses-dev
@@ -512,7 +511,6 @@ LIBGCRYPT - version >= 1.5.0, libgcrypt-dev
 LIBGD, libgd-dev
 LIBICAL, libical-dev
 LIBKONQ, kde-baseapps-dev
-LIBLZMA, xz-dev
 LIBNOTIFY, libnotify-dev
 LIBPCREVERSION, pcre-dev
 LIBRSVG, librsvg-dev
@@ -534,7 +532,6 @@ LibExiv2, pkgconfig(exiv2)
 LibKEduVocDocument, libkeduvocdocument-dev
 LibKWorkspace, plasma-workspace-dev
 LibKrb5, krb5-dev
-LibLZMA, xz-dev
 LibR, R-dev
 LibSSH, libssh-dev
 LibXml2, libxml2-dev
@@ -1100,7 +1097,6 @@ libhandy-0.0, libhandy-dev
 libiberty.h, binutils-dev
 libkmod.h, kmod-dev
 libksba, libksba-dev
-liblzma, xz-dev
 libmnl/libmnl.h, libmnl-dev
 libmpfr, mpfr-dev
 libmspack >= 0.0.20040308alpha (via pkg-config), libmspack-dev
@@ -1161,8 +1157,6 @@ lxqt-build-tools, lxqt-build-tools
 lxqt-globalkeys, lxqt-globalkeys-dev
 lxqt-globalkeys-ui, lxqt-globalkeys-dev
 lz4.h, lz4-dev
-lzma, xz-dev
-lzma.h, xz-dev
 lzo/lzoconf.h, lzo-dev
 magic, file-dev
 magic.h, file-dev

autospec/specfiles.py

@@ -159,8 +159,17 @@ class Specfile(object):
 
         # if package is verified, include the signature in the source tarball
         if self.keyid and self.config.signature:
+            # We'll need gnupg to verify the signature. Need to add it here so it's ready before write_buildreq
+            self.requirements.add_buildreq("gnupg")
+
             count += 1
             self._write_strip(f"Source{count}  : {self.config.signature}")
+            self.config.signature_macro = f"%{{SOURCE{count}}}"
+
+            # Also include the public key in the source tarball.
+            count += 1
+            self._write_strip(f"Source{count}  : {self.keyid}.pkey")
+            self.config.pkey_macro = f"%{{SOURCE{count}}}"
 
         for source in self.config.extra_sources:
             count += 1
@@ -430,6 +439,12 @@ class Specfile(object):
     def write_prep(self):
         """Write prep section to spec file."""
         self._write_strip("%prep")
+        if self.keyid and self.config.signature:
+            self._write_strip("mkdir .gnupg")
+            self._write_strip("chmod 700 .gnupg")
+            self._write_strip(f"gpg --homedir .gnupg --import {self.config.pkey_macro}")
+            self._write_strip(f"gpg --homedir .gnupg --status-fd 1 --verify {self.config.signature_macro} %{{SOURCE0}} > gpg.status")
+            self._write_strip(f"grep '^\\[GNUPG:\\] GOODSIG {self.keyid}' gpg.status")
         self.write_prep_prepend()
         prefix = self.content.prefixes[self.url]
         if self.config.default_pattern == 'R':