2 Commits

Author SHA1 Message Date
Brett T. Warden 81e1eebe28 Extend key ID matching to expired keys
gpg accepts signatures with expired keys as long as the signature was
made prior to key expiration. But it also changes the status-fd output
format that we grep for the expected key ID. Make sure we look for the
alternate EXPKEYSIG line in the output in that case to find the key ID.
2024-04-12 09:08:10 -07:00
Brett T. Warden 658bd0de10 Add gnupg as a buildreq if we'll need it during build 2024-04-11 16:10:02 -07:00
+4 -1
@@ -159,6 +159,9 @@ class Specfile(object):
# if package is verified, include the signature in the source tarball
if self.keyid and self.config.signature:
# We'll need gnupg to verify the signature. Need to add it here so it's ready before write_buildreq
self.requirements.add_buildreq("gnupg")
count += 1
self._write_strip(f"Source{count} : {self.config.signature}")
self.config.signature_macro = f"%{{SOURCE{count}}}"
@@ -441,7 +444,7 @@ class Specfile(object):
self._write_strip("chmod 700 .gnupg")
self._write_strip(f"gpg --homedir .gnupg --import {self.config.pkey_macro}")
self._write_strip(f"gpg --homedir .gnupg --status-fd 1 --verify {self.config.signature_macro} %{{SOURCE0}} > gpg.status")
self._write_strip(f"grep '^\\[GNUPG:\\] GOODSIG {self.keyid}' gpg.status")
self._write_strip(f"grep -E '^\\[GNUPG:\\] (GOODSIG|EXPKEYSIG) {self.keyid}' gpg.status")
self.write_prep_prepend()
prefix = self.content.prefixes[self.url]
if self.config.default_pattern == 'R':
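Review bot: The new `grep -E` line in the second hunk makes `EXPKEYSIG` a passing result, but no comment records that this is a deliberate trust decision. The creation time inside a signature is chosen by the signer, so accepting expired-key signatures means expiry no longer limits how long a leaked signing key remains useful; whether gpg actually compares the signature time with the expiry date, as the commit message assumes, is not visible here and is worth confirming. I would add a comment above the line such as `# EXPKEYSIG = good signature, signing key has since expired; accepted on purpose, BADSIG/REVKEYSIG still fail the build`, and consider making the relaxed match opt-in per package. The key ID is also matched only as a prefix of the status field; if `self.keyid` always holds the full ID that gpg prints, ending the pattern with a space (`(GOODSIG|EXPKEYSIG) {self.keyid} '`) would pin it to that exact key. The enclosing method starts and ends outside the hunk.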