--- doc/PKGBUILD-example.txt | 4 ++-- doc/PKGBUILD.5.txt | 31 +++++++++++++++++++------------ doc/makepkg-template.1.txt | 2 +- etc/makepkg.conf.in | 2 +- 4 files changed, 23 insertions(+), 16 deletions(-) diff --git a/doc/PKGBUILD-example.txt b/doc/PKGBUILD-example.txt index 910fd068..d4e1c9c1 100644 --- a/doc/PKGBUILD-example.txt +++ b/doc/PKGBUILD-example.txt @@ -12,8 +12,8 @@ depends=('glibc') makedepends=('ed') optdepends=('ed: for "patch -e" functionality') source=("ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz"{,.sig}) -md5sums=('e9ae5393426d3ad783a300a338c09b72' - 'SKIP') +sha256sums=('9124ba46db0abd873d0995c2ca880e81252676bb6c03e0a37dfc5f608a9b0ceb' + 'SKIP') build() { cd "$srcdir/$pkgname-$pkgver" diff --git a/doc/PKGBUILD.5.txt b/doc/PKGBUILD.5.txt index 18bc2a19..edf469fe 100644 --- a/doc/PKGBUILD.5.txt +++ b/doc/PKGBUILD.5.txt @@ -118,7 +118,7 @@ systems (see below). + Additional architecture-specific sources can be added by appending an underscore and the architecture name e.g., 'source_x86_64=()'. There must be a -corresponding integrity array with checksums, e.g. 'md5sums_x86_64=()'. +corresponding integrity array with checksums, e.g. 'sha256sums_x86_64=()'. + It is also possible to change the name of the downloaded file, which is helpful with weird URLs and for handling multiple source files with the same 
@@ -146,19 +146,26 @@ contain whitespace characters. listed here will not be extracted with the rest of the source files. This is useful for packages that use compressed data directly. -*md5sums (array)*:: - This array contains an MD5 hash for every source file specified in the - source array (in the same order). makepkg will use this to verify source - file integrity during subsequent builds. If 'SKIP' is put in the array - in place of a normal hash, the integrity check for that source file will - be skipped. To easily generate md5sums, run ``makepkg -g >> PKGBUILD''. - If desired, move the md5sums line to an appropriate location. +*sha256sums (array)*:: + This array contains a SHA256 hash for every source file specified in the + source array (in the same order). makepkg will use this to verify + source file integrity during subsequent builds. If 'SKIP' is put in the + array in place of a normal hash, the integrity check for that source + file will be skipped. To easily generate sha256sums, run ``makepkg -g + >> PKGBUILD''. If desired, move the sha256sums to an appropriate + location. -*sha1sums, sha256sums, sha384sums, sha512sums (arrays)*:: +*sha384sums, sha512sums (arrays)*:: Alternative integrity checks that makepkg supports; these all behave - similar to the md5sums option described above. To enable use and generation - of these checksums, be sure to set up the `INTEGRITY_CHECK` option in - linkman:makepkg.conf[5]. + similar to the sha256sums option described above. To enable use and + generation of these checksums, be sure to set up the `INTEGRITY_CHECK` + option in linkman:makepkg.conf[5]. + +*md5sums, sha1sums (arrays)*:: + Alternative legacy integrity checks that makepkg supports. These are + supported for compatibility, but should not be used in current PKGBUILD + files due to known collision attacks on the algorithms, allowing + malicious files to pose as legitimate ones. 
*groups (array)*:: An array of symbolic names that represent groups of packages, allowing diff --git a/doc/makepkg-template.1.txt b/doc/makepkg-template.1.txt index 99637d43..53cb4997 100644 --- a/doc/makepkg-template.1.txt +++ b/doc/makepkg-template.1.txt @@ -88,7 +88,7 @@ Example PKGBUILD license=('PerlArtistic' 'GPL') depends=('perl') source=("http://search.cpan.org/CPAN/authors/id/S/SH/SHERZODR/Config-Simple-${pkgver}.tar.gz") - md5sums=('f014aec54f0a1e2e880d317180fce502') + sha256sums=('dd9995706f0f9384a15ccffe116c3b6e22f42ba2e58d8f24ed03c4a0e386edb4') _distname="Config-Simple" # template start; name=perl-module; version=1.0; diff --git a/etc/makepkg.conf.in b/etc/makepkg.conf.in index 71293970..24b83d18 100644 --- a/etc/makepkg.conf.in +++ b/etc/makepkg.conf.in @@ -86,7 +86,7 @@ BUILDENV=(!distcc color !ccache check !sign) OPTIONS=(strip docs libtool staticlibs emptydirs zipman purge !debug) #-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512 -INTEGRITY_CHECK=(md5) +INTEGRITY_CHECK=(sha256) #-- Options to be used when stripping binaries. See `man strip' for details. STRIP_BINARIES="@STRIP_BINARIES@" #-- Options to be used when stripping shared libraries. See `man strip' for details. -- 2.11.1
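Review bot: In the etc/makepkg.conf.in hunk, the context comment directly above the new default still presents `md5` and `sha1` as ordinary valid values. The same patch documents both in PKGBUILD.5 as legacy algorithms that should not be used because of known collision attacks. The comment is the only guidance someone editing this file sees, so it should carry the same distinction, for example `#-- File integrity checks to use. Valid: sha256, sha384, sha512 (legacy, not recommended: md5, sha1)`. The diff does not show whether a PKGBUILD that carries only `md5sums` is still verified once `INTEGRITY_CHECK=(sha256)` is the default. If it is, a sentence saying so in the `md5sums, sha1sums` entry would help maintainers of older PKGBUILDs.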