This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The official pacman repository".

The branch, master has been updated
       via  f53ac85ff6cd2f74f8157f23a5e21650cd17f372 (commit)
       via  62246b9355867ab83566998303c921af6b1e38ef (commit)
       via  2403fc97325908043917732b32adf87a2eaff603 (commit)
       via  74aacf44958e1343b910b3fbdcf753393857f070 (commit)
      from  2a352dc059f696eeda1e18116e468994c1a38430 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f53ac85ff6cd2f74f8157f23a5e21650cd17f372
Author: Anatol Pomozov <anatol.pomozov@gmail.com>
Date:   Fri Jul 31 09:53:15 2020 -0700

    Enable sha256/md5 hash verification if detached signatures are used

    Pacman has multiple ways to verify package content integrity:
     - gpg signature
     - sha256
     - md5

    These verification mechanisms overlap each other. gpg signatures already
    contain hash value of the package content. So if a package signature is
    present then pacman ignored the other 2 hash values.

    This worked well with signatures embedded into pacman database. Recently
    pacman got an ability to handle detached signatures (*.sig files located
    next to the package files). If pacman verifies detached signature only
    then one can replace pkg+sig files with some other content and pacman
    still processes it as a valid package.

    To prevent it we need to verify database<->package integrity using hash
    values stored in the database.

    This commit fixes FS#67232

    The new debug output is:

    checking package integrity...
    debug: found cached pkg: /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
    debug: sha256sum: 77baf61c62c5570b3a37cf0c3b16c5d9a97dde6fedd1a3528bf0cc5f96dd5e52
    debug: checking sha256sum for /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
    debug: sig data: <from .sig>
    debug: checking signature for /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
    debug: 1 signatures returned
    debug: fingerprint: B5971F2C5C10A9A08C60030F786C63F330D7CB92

    Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit 62246b9355867ab83566998303c921af6b1e38ef
Author: Anatol Pomozov <anatol.pomozov@gmail.com>
Date:   Fri Jul 31 09:54:42 2020 -0700

    Fix error during keyring checking

    With current master version the 'keyring checking' step produces an error:

    debug: returning error 6 from alpm_pkg_get_sig (../lib/libalpm/package.c: 274) : wrong or NULL argument passed

    The package signature is still checked later at the integrity
    verification step though.

    This commit fixes keyring checking and now the debug log looks like this:

    debug: found cached pkg: /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
    debug: found detached signature /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst.sig with size 566
    debug: found signature key: 786C63F330D7CB92
    debug: looking up key 786C63F330D7CB92 locally
    debug: key lookup success, key exists

    Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit 2403fc97325908043917732b32adf87a2eaff603
Author: Eli Schwartz <eschwartz@archlinux.org>
Date:   Wed Aug 5 10:02:10 2020 -0400

    repo-add: use more libmakepkg to handle common compression routines

    Currently the list of supported formats for an archive is maintained in
    two places. And repo-add does not actually get updated. :(

    In the process, remove some of the logical duplication when calling
    bsdtar/compress_as.

    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Allan McRae <allan@archlinux.org>

commit 74aacf44958e1343b910b3fbdcf753393857f070
Author: Eli Schwartz <eschwartz@archlinux.org>
Date:   Wed Aug 5 10:02:09 2020 -0400

    libmakepkg: extend compress.sh to also permit checking validity

    get_compression_command() can now be used to do upfront checks for
    whether a given extension is known to do something successfully. This
    is useful when writing tools in which an unknown compression type is a
    fatal error.

    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Allan McRae <allan@archlinux.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/libalpm/be_package.c               |  2 +-
 lib/libalpm/package.c                  |  4 +--
 scripts/libmakepkg/util/compress.sh.in | 53 +++++++++++++++++++++++++---------
 scripts/repo-add.sh.in                 | 32 ++++++++------------
 4 files changed, 54 insertions(+), 37 deletions(-)

hooks/post-receive
--
The official pacman repository
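The point of the first commit above, as an added Python example that is not pacman or libalpm code: a detached signature proves a package was signed by a trusted key, but only the hash recorded in the sync database binds the cached file to the database entry, so a valid signature must not short-circuit the hash check. GPG is replaced by a constructed HMAC stand-in, the package bytes and database entry are constructed, and the "before"/"after" functions are this example's reading of the commit message, not pacman's own code paths.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the repository GPG key: a detached "signature"
# is an HMAC-SHA256 over the package bytes, so the example runs offline.
REPO_KEY = b"constructed-repository-signing-key"


def sign_detached(pkg: bytes) -> bytes:
    """Produce the contents of a constructed <pkg>.sig file."""
    return hmac.new(REPO_KEY, pkg, hashlib.sha256).digest()


def signature_valid(pkg: bytes, sig: bytes) -> bool:
    """Stand-in for verifying a detached signature against the keyring."""
    return hmac.compare_digest(sign_detached(pkg), sig)


def db_entry_for(pkg: bytes) -> dict:
    """What the sync database records for a package: its content hash."""
    return {"sha256": hashlib.sha256(pkg).hexdigest()}


def verify_before_fix(pkg: bytes, sig: Optional[bytes], db: dict) -> bool:
    # Old behaviour: a present signature made pacman ignore the database
    # hashes, which was fine only while the signature lived in the database.
    if sig is not None:
        return signature_valid(pkg, sig)
    return hashlib.sha256(pkg).hexdigest() == db["sha256"]


def verify_after_fix(pkg: bytes, sig: Optional[bytes], db: dict) -> bool:
    # Fixed behaviour: the database hash is checked regardless of the
    # signature, so a file that is not what the database lists is rejected.
    if hashlib.sha256(pkg).hexdigest() != db["sha256"]:
        return False
    return sig is not None and signature_valid(pkg, sig)


def swapped_pair_outcome() -> tuple:
    """Cached pkg+sig replaced by a different, validly signed pair.

    Returns (old_result, new_result) for the constructed scenario."""
    expected = b"constructed bytes of ruby-2.7.1-2-x86_64.pkg.tar.zst"
    db = db_entry_for(expected)
    # A different package the same key legitimately signed (e.g. an older
    # build): its .sig verifies, but it is not the file the database lists.
    other = b"constructed bytes of some other package signed by the same key"
    other_sig = sign_detached(other)
    return verify_before_fix(other, other_sig, db), verify_after_fix(other, other_sig, db)
```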