Many years ago, the GPG signature file was included in the source list¹. A compromise at kernel.org caused the tarballs to move to googlecode.com for a number of releases and the signatures were not provided in an easily downloaded format². When the source location was moved back to kernel.org, the signature file had already been removed from the spec file and was not re-added³. There is an effort underway to make GPG signature verification a requirement when upstream provides signatures⁴. Regardless of whether this becomes a requirement in the packaging guidelines, verification of upstream signatures makes good sense. It also makes the process easier for git package maintainers, who are (or should be ;) doing this manually for each upstream git release. While adding the signatures to the source list, all non-upstream source files were moved to Source10 and above. This should make it easier to add new upstream source files in the future, avoiding the need for tedious (and error-prone) renumbering of existing sources. Remove the unused entry for Patch14 also. ¹ ea3f253 Include gpg signature for tarball in SRPM (2011-08-26) ² c57f383 Update to 1.7.9.1 (2012-02-15) ³ b741f45 Change source URLs, as googlecode doesn't have up-to-date tarballs (2014-06-10) ⁴ https://fedorahosted.org/fpc/ticket/610 https://fedoraproject.org/wiki/PackagingDrafts:GPGSignatures https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/2TBK4LLNRH73QJQSXWFPCQYHGTSJ3C7P/