add source file verification

python-cryptography.spec

@@ -20,15 +20,22 @@
 
 Name:           python-%{srcname}
 Version:        2.9
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        PyCA's cryptography library
 
 License:        ASL 2.0 or BSD
 URL:            https://cryptography.io/en/latest/
-Source0:        https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz
+Source0:        %{pypi_source}
+Source1:        %{pypi_source}.asc
+# key ids of upstream authors are published in the AUTHORS file:
+#    https://github.com/pyca/cryptography/blob/master/AUTHORS.rst
+# gpg2 --recv-keys "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98"
+# gpg2 --export --export-options export-minimal "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" > gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
+Source2:        gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
 
 BuildRequires:  openssl-devel
 BuildRequires:  gcc
+BuildRequires:  gnupg2
 
 %if 0%{?with_python2}
 BuildRequires:  python2-cffi >= 1.7
@@ -108,6 +115,7 @@ recipes to Python developers.
 %endif
 
 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1 -n %{srcname}-%{version}
 
 %build
@@ -162,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 
 
 %changelog
+* Tue May 12 2020 Felix Schwarz <fschwarz@fedoraproject.org> - 2.9-2
+- add source file verification
+
 * Fri Apr 03 2020 Christian Heimes <cheimes@redhat.com> - 2.9-1
 - Update to 2.9 (#1820348)