
GM: Commit

Main GraphicsMagick source repository


Commit MetaInfo

Revisioncbd0ea09bcb1a403a5f6a296d14f05073f2c907d (tree)
Time2022-08-17 00:28:59
AuthorBob Friesenhahn <bfriesen@Grap...>
CommiterBob Friesenhahn

Log Message

Produce both ".asc" and ".bin" GPG signature files when signing distribution files.

Change Summary

Incremental Difference

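--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2022-08-16 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * Makefile.am: Some people prefer GPG signature files in ASCII
+ armored ".asc" format rather than the OpenPGP binary ".bin"
+ format, so produce both.
+
 2022-08-15 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
 
 * Fix UTF-8 encoding errors in some text and source files. A few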
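--- a/Makefile.am
+++ b/Makefile.am
@@ -387,16 +387,18 @@
 #
 # The arguments to the script are the original path names of the files to distribute.
 SNAPSHOT_DIST_ARCHIVES=$(DIST_ARCHIVES) $(DIST_WINDOWS_SRC_7ZIP) $(DIST_ARCHIVE_SRPM)
+# FIXME: Can use gpg --enarmor to produce asc files from sig files
 snapshot: distcheck
 $(MAKE) $(DIST_ARCHIVE_SRPM)
 $(MAKE) $(DIST_WINDOWS_SRC_7ZIP)
 for file in $(SNAPSHOT_DIST_ARCHIVES) ; do \
- rm -f $${file}.sig ; \
+ rm -f $${file}.asc $${file}.sig ; \
 $(GPG) --output $${file}.sig --detach-sig $${file} ; \
+ $(GPG) --output $${file}.asc --enarmor $${file}.sig ; \
 sha256sum $${file} > $${file}.sum ; \
 done
 SRCDIR=$(SRCDIR) $(GRAPHICSMAGICK_SNAPSHOT_COPY) $(SNAPSHOT_DIST_ARCHIVES) \
- `for f in $(SNAPSHOT_DIST_ARCHIVES) ; do printf "%s.sig " $$f ; done` \
+ `for f in $(SNAPSHOT_DIST_ARCHIVES) ; do printf "%s.asc %s.sig " $$f $$f ; done` \
 $(top_srcdir)/ChangeLog $(top_srcdir)/www/Changelog.html
 
 else
@@ -408,6 +410,7 @@
 $(MAKE) $(DIST_WINDOWS_SRC_7ZIP)
 for file in $(SNAPSHOT_DIST_ARCHIVES) ; do \
 $(GPG) --output $${file}.sig --detach-sig $${file} ; \
+ $(GPG) --output $${file}.asc --enarmor $${file}.sig ; \
 sha256sum $${file} > $${file}.sum ; \
 done
 $(RM) $(SNAPSHOT_DIRECTORY)/$(PACKAGE_NAME)-*.tar.*
@@ -415,6 +418,7 @@
 mv $(SNAPSHOT_DIST_ARCHIVES) $(SNAPSHOT_DIRECTORY)/
 for file in $(SNAPSHOT_DIST_ARCHIVES) ; do \
 mv $${file}.sig $(SNAPSHOT_DIRECTORY)/ ; \
+ mv $${file}.asc $(SNAPSHOT_DIRECTORY)/ ; \
 done
 cp $(top_srcdir)/ChangeLog $(SNAPSHOT_DIRECTORY)/ChangeLog.txt
 cp $(top_srcdir)/www/Changelog.html $(SNAPSHOT_DIRECTORY)/ChangeLog.html
@@ -468,7 +472,8 @@
 release: distcheck
 $(MAKE) $(DIST_WINDOWS_SRC_7ZIP)
 for file in $(DIST_ARCHIVES) $(DIST_WINDOWS_SRC_7ZIP) ; do \
- rm -f $${file}.sig ; \
+ rm -f $${file}.asc $${file}.sig ; \
 $(GPG) --output $${file}.sig --detach-sig $${file} ; \
+ $(GPG) --output $${file}.asc --enarmor $${file}.sig ; \
 sha256sum $${file} > $${file}.sum ; \
 done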
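Review bot: In all three signing loops (`snapshot` at new lines 394-399 and 412-415, `release` at 474-479) the commands are joined with `;`, so as written a failed `$(GPG) --detach-sig` or the new `--enarmor` step does not stop the recipe; the loop ends with the status of `sha256sum`, and archives can be copied or moved with a missing or stale signature. I would make each signing step fatal, e.g. `$(GPG) --output $${file}.sig --detach-sig $${file} || exit 1 ; \`, and likewise for the `--enarmor` line. The loop in the `else` branch of `snapshot` (new line 412) also lacks the `rm -f $${file}.asc $${file}.sig ; \` that the other two loops have, so a leftover `.asc` from an interrupted run could be moved out next to a fresh `.sig`. Separately, `--enarmor` wraps arbitrary data, so the `.asc` probably carries a generic armor header rather than a signature header; it is worth confirming that verifiers other than GnuPG accept it. The `else` branch and the `release` recipe both continue outside the visible hunks.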
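--- a/Makefile.in
+++ b/Makefile.in
@@ -11423,22 +11423,25 @@
 dist-zstd: distdir
 tardir=$(distdir) && $(am__tar) | ZSTD_CLEVEL=$${ZSTD_CLEVEL-22} zstd --ultra -c >$(distdir).tar.zst
 $(am__post_remove_distdir)
+# FIXME: Can use gpg --enarmor to produce asc files from sig files
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_TRUE@snapshot: distcheck
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_TRUE@ $(MAKE) $(DIST_ARCHIVE_SRPM)
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_TRUE@ $(MAKE) $(DIST_WINDOWS_SRC_7ZIP)
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_TRUE@ for file in $(SNAPSHOT_DIST_ARCHIVES) ; do \
-@HasGRAPHICSMAGICK_SNAPSHOT_COPY_TRUE@ rm -f $${file}.sig ; \
+@HasGRAPHICSMAGICK_SNAPSHOT_COPY_TRUE@ rm -f $${file}.asc $${file}.sig ; \
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_TRUE@ $(GPG) --output $${file}.sig --detach-sig $${file} ; \
+@HasGRAPHICSMAGICK_SNAPSHOT_COPY_TRUE@ $(GPG) --output $${file}.asc --enarmor $${file}.sig ; \
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_TRUE@ sha256sum $${file} > $${file}.sum ; \
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_TRUE@ done
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_TRUE@ SRCDIR=$(SRCDIR) $(GRAPHICSMAGICK_SNAPSHOT_COPY) $(SNAPSHOT_DIST_ARCHIVES) \
-@HasGRAPHICSMAGICK_SNAPSHOT_COPY_TRUE@ `for f in $(SNAPSHOT_DIST_ARCHIVES) ; do printf "%s.sig " $$f ; done` \
+@HasGRAPHICSMAGICK_SNAPSHOT_COPY_TRUE@ `for f in $(SNAPSHOT_DIST_ARCHIVES) ; do printf "%s.asc %s.sig " $$f $$f ; done` \
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_TRUE@ $(top_srcdir)/ChangeLog $(top_srcdir)/www/Changelog.html
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_FALSE@snapshot: distcheck
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_FALSE@ $(MAKE) $(DIST_ARCHIVE_SRPM)
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_FALSE@ $(MAKE) $(DIST_WINDOWS_SRC_7ZIP)
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_FALSE@ for file in $(SNAPSHOT_DIST_ARCHIVES) ; do \
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_FALSE@ $(GPG) --output $${file}.sig --detach-sig $${file} ; \
+@HasGRAPHICSMAGICK_SNAPSHOT_COPY_FALSE@ $(GPG) --output $${file}.asc --enarmor $${file}.sig ; \
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_FALSE@ sha256sum $${file} > $${file}.sum ; \
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_FALSE@ done
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_FALSE@ $(RM) $(SNAPSHOT_DIRECTORY)/$(PACKAGE_NAME)-*.tar.*
@@ -11446,6 +11449,7 @@
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_FALSE@ mv $(SNAPSHOT_DIST_ARCHIVES) $(SNAPSHOT_DIRECTORY)/
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_FALSE@ for file in $(SNAPSHOT_DIST_ARCHIVES) ; do \
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_FALSE@ mv $${file}.sig $(SNAPSHOT_DIRECTORY)/ ; \
+@HasGRAPHICSMAGICK_SNAPSHOT_COPY_FALSE@ mv $${file}.asc $(SNAPSHOT_DIRECTORY)/ ; \
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_FALSE@ done
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_FALSE@ cp $(top_srcdir)/ChangeLog $(SNAPSHOT_DIRECTORY)/ChangeLog.txt
 @HasGRAPHICSMAGICK_SNAPSHOT_COPY_FALSE@ cp $(top_srcdir)/www/Changelog.html $(SNAPSHOT_DIRECTORY)/ChangeLog.html
@@ -11473,8 +11477,9 @@
 release: distcheck
 $(MAKE) $(DIST_WINDOWS_SRC_7ZIP)
 for file in $(DIST_ARCHIVES) $(DIST_WINDOWS_SRC_7ZIP) ; do \
- rm -f $${file}.sig ; \
+ rm -f $${file}.asc $${file}.sig ; \
 $(GPG) --output $${file}.sig --detach-sig $${file} ; \
+ $(GPG) --output $${file}.asc --enarmor $${file}.sig ; \
 sha256sum $${file} > $${file}.sum ; \
 done
 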
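--- a/www/download.html
+++ b/www/download.html
@@ -51,18 +51,8 @@
 <div class="section" id="download-sites">
 <h1><a class="toc-backref" href="#id1">Download Sites</a></h1>
 <p>The source distribution of GraphicsMagick as well as pre-compiled
-binaries may be downloaded from the <a class="reference external" href="http://sourceforge.net/projects/graphicsmagick/files/">SourceForge Download</a> page.
+binaries may be downloaded from the <a class="reference external" href="https://sourceforge.net/projects/graphicsmagick/files/">SourceForge Download</a> page.
 This is also where 'snapshot' distribution archives may be found.</p>
-<p>Until recently (December, 2021) GraphicsMagick provided its own ftp
-site for downloads but this has been disabled due to abusive download
-practices (by using it as the primary download site) and because
-support for FTP has been removed from popular browsers. This is
-unfortunate since the same site also provided PNG-related files and a
-libtiff mirror. The ftp site directory tree continues to exist and
-will be maintained. If you are an administrator of a high-bandwidth
-ftp or https mirror site and would like to provide a GraphicsMagick
-mirror, please contact <a class="reference external" href="mailto:bfriesen&#37;&#52;&#48;graphicsmagick&#46;org">Bob Friesenhahn</a> and we will work something
-out.</p>
 </div>
 <div class="section" id="verifying-the-download">
 <h1><a class="toc-backref" href="#id2">Verifying The Download</a></h1>
@@ -71,7 +61,9 @@
 <p>GraphicsMagick is software which runs on a computer, and if its code
 (source or binary code) was subtly modified (perhaps on the download
 server, or modified after download), it could do almost anything! Due
-to this, it is useful to verify the download before you use it.</p>
+to this, it is useful to verify the download before you use it. This
+is especially important if you are preparing binaries for others to
+use.</p>
 <p>Distributed packages may be verified (both for integrity and origin)
 using GnuPG (gpg). GnuPG is normally provided as a package for your
 operating system (often already installed), or may be downloaded from
@@ -89,6 +81,8 @@
 <pre class="literal-block">
 gpg --recv-keys EBDFDB21B020EE8FD151A88DE301047DE1198975
 </pre>
+<p>however, there are known dangers to your keystore if the keys on the
+public key server have been spammed.</p>
 <p>If extracting the key from the
 <a class="reference external" href="http://www.graphicsmagick.org/security.html">http://www.graphicsmagick.org/security.html</a> web page, then copy the
 entire block of text including the all of the &quot;BEGIN&quot; and &quot;END&quot; lines
@@ -100,8 +94,10 @@
 gpg --import gm-sigs.asc
 </pre>
 <p>After importing the key, you can easily verify any GraphicsMagick
-distribution file with an associated &quot;.sig&quot; file (requires downloading
-two files) by doing this:</p>
+distribution file with an associated &quot;.sig&quot; (binary OpenPGP format
+signature) or &quot;.asc&quot; (ASCII armored format signature) file. The
+distribution file and a signature file must be
+downloaded. Verification is performed by doing this:</p>
 <pre class="literal-block">
 gpg --verify GraphicsMagick-1.3.37.tar.xz.sig
 </pre>
@@ -129,7 +125,7 @@
 <pre class="literal-block">
 sha256sum GraphicsMagick-1.3.37.tar.xz
 </pre>
-<p>and this for a SHA-1 checksum:</p>
+<p>and this for a SHA-1 (legacy) checksum:</p>
 <pre class="literal-block">
 sha1sum GraphicsMagick-1.3.37.tar.xz
 </pre>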
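--- a/www/download.rst
+++ b/www/download.rst
@@ -7,7 +7,7 @@
 =======================
 
 .. _Bob Friesenhahn : mailto:bfriesen@graphicsmagick.org
-.. _SourceForge Download : http://sourceforge.net/projects/graphicsmagick/files/
+.. _SourceForge Download : https://sourceforge.net/projects/graphicsmagick/files/
 
 .. contents::
 :local:
@@ -19,17 +19,6 @@
 binaries may be downloaded from the `SourceForge Download`_ page.
 This is also where 'snapshot' distribution archives may be found.
 
-Until recently (December, 2021) GraphicsMagick provided its own ftp
-site for downloads but this has been disabled due to abusive download
-practices (by using it as the primary download site) and because
-support for FTP has been removed from popular browsers. This is
-unfortunate since the same site also provided PNG-related files and a
-libtiff mirror. The ftp site directory tree continues to exist and
-will be maintained. If you are an administrator of a high-bandwidth
-ftp or https mirror site and would like to provide a GraphicsMagick
-mirror, please contact `Bob Friesenhahn`_ and we will work something
-out.
-
 Verifying The Download
 ======================
 
@@ -39,7 +28,9 @@
 GraphicsMagick is software which runs on a computer, and if its code
 (source or binary code) was subtly modified (perhaps on the download
 server, or modified after download), it could do almost anything! Due
-to this, it is useful to verify the download before you use it.
+to this, it is useful to verify the download before you use it. This
+is especially important if you are preparing binaries for others to
+use.
 
 Distributed packages may be verified (both for integrity and origin)
 using GnuPG (gpg). GnuPG is normally provided as a package for your
@@ -61,6 +52,9 @@
 
 gpg --recv-keys EBDFDB21B020EE8FD151A88DE301047DE1198975
 
+however, there are known dangers to your keystore if the keys on the
+public key server have been spammed.
+
 If extracting the key from the
 http://www.graphicsmagick.org/security.html web page, then copy the
 entire block of text including the all of the "BEGIN" and "END" lines
@@ -73,8 +67,10 @@
 gpg --import gm-sigs.asc
 
 After importing the key, you can easily verify any GraphicsMagick
-distribution file with an associated ".sig" file (requires downloading
-two files) by doing this::
+distribution file with an associated ".sig" (binary OpenPGP format
+signature) or ".asc" (ASCII armored format signature) file. The
+distribution file and a signature file must be
+downloaded. Verification is performed by doing this::
 
 gpg --verify GraphicsMagick-1.3.37.tar.xz.sig
 
@@ -102,7 +98,7 @@
 
 sha256sum GraphicsMagick-1.3.37.tar.xz
 
-and this for a SHA-1 checksum::
+and this for a SHA-1 (legacy) checksum::
 
 sha1sum GraphicsMagick-1.3.37.tar.xz
 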