[pacman-dev] [PATCH 1/4] makepkg: sign source packages with --sign
Signed-off-by: Allan McRae <allan@archlinux.org> --- scripts/makepkg.sh.in | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index d8cdc88..d9a14e2 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -2060,10 +2060,16 @@ create_srcpackage() { exit 1 # TODO: error code fi + create_signature "$pkg_file" + if [[ ! "$SRCPKGDEST" -ef "${startdir}" ]]; then rm -f "${pkg_file/$SRCPKGDEST/$startdir}" ln -s "${pkg_file}" "${pkg_file/$SRCPKGDEST/$startdir}" ret=$? + if [[ -f $pkg_file.sig ]]; then + rm -f "${pkg_file/$PKGDEST/$startdir}.sig" + ln -s "$pkg_file.sig" "${pkg_file/$PKGDEST/$startdir}.sig" + fi fi if (( ret )); then -- 1.9.1
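Review bot: The two new signature symlink lines substitute `$PKGDEST` in `$pkg_file`, while the adjacent lines in the same branch build the link path with `$SRCPKGDEST`; whenever `$PKGDEST` is not a substring of the source package path the substitution is a no-op, so `rm -f` deletes the freshly created `$pkg_file.sig` and `ln -s` then links the name to itself. They should read `rm -f "${pkg_file/$SRCPKGDEST/$startdir}.sig"` and `ln -s "$pkg_file.sig" "${pkg_file/$SRCPKGDEST/$startdir}.sig"`. The status of the added `create_signature "$pkg_file"` call is not checked either, so if that helper signals failure through its exit code (its definition is not in this hunk) a signing failure would go unnoticed here, and `ret` is only set from the first `ln -s`. create_srcpackage begins and ends outside the hunk.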
Provide pkgbase information for non-split packages with pkgbase set. Also record the version of the "base" package. This is useful for matching package files to source packages. Signed-off-by: Allan McRae <allan@archlinux.org> --- lib/libalpm/be_package.c | 2 ++ scripts/makepkg.sh.in | 24 ++++++++++++++++-------- 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/lib/libalpm/be_package.c b/lib/libalpm/be_package.c index dc2e072..2275129 100644 --- a/lib/libalpm/be_package.c +++ b/lib/libalpm/be_package.c @@ -196,6 +196,8 @@ static int parse_descfile(alpm_handle_t *handle, struct archive *a, alpm_pkg_t * /* not used atm */ } else if(strcmp(key, "pkgver") == 0) { STRDUP(newpkg->version, ptr, return -1); + } else if(strcmp(key, "basever") == 0) { + /* not used atm */ } else if(strcmp(key, "pkgdesc") == 0) { STRDUP(newpkg->desc, ptr, return -1); } else if(strcmp(key, "group") == 0) { diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index d9a14e2..78941d4 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1829,9 +1829,18 @@ write_pkginfo() { printf "# Generated by makepkg %s\n" "$makepkg_version" printf "# using %s\n" "$(fakeroot -v)" printf "# %s\n" "$(LC_ALL=C date -u)" + printf "pkgname = %s\n" "$pkgname" - (( SPLITPKG )) && printf "pkgbase = %s\n" "$pkgbase" - printf "pkgver = %s\n" "$(get_full_version)" + if (( SPLITPKG )) || [[ "$pkgbase" != "$pkgname" ]]; then + printf "pkgbase = %s\n" "$pkgbase" + fi + + local fullver=$(get_full_version) + printf "pkgver = %s\n" "$fullver" + if [[ "$fullver" != "$basever" ]]; then + printf "basever = %s\n" "$basever" + fi + printf "pkgdesc = %s\n" "${pkgdesc//+([[:space:]])/ }" printf "url = %s\n" "$url" printf "builddate = %s\n" "$builddate" @@ -1880,7 +1889,6 @@ create_package() { msg "$(gettext "Creating package \"%s\"...")" "$pkgname" pkgarch=$(get_pkg_arch) - write_pkginfo > .PKGINFO local comp_files=('.PKGINFO') 
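Review bot: `local fullver=$(get_full_version)` in write_pkginfo folds the declaration and the command substitution, so a non-zero exit from get_full_version, should it ever fail, is hidden behind `local`'s own status (ShellCheck SC2155); split it into `local fullver` and `fullver=$(get_full_version)`. The new `[[ "$fullver" != "$basever" ]]` comparison reads `basever`, a variable assigned at top level elsewhere in this series rather than a parameter, and nothing in the function says so; a line such as `# basever is the base package's version, set at top level and refreshed after pkgver()` above the comparison would make the dependency explicit. write_pkginfo begins before and ends after this hunk.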
@@ -2827,6 +2835,7 @@ fi # set defaults if they weren't specified in buildfile pkgbase=${pkgbase:-${pkgname[0]}} epoch=${epoch:-0} +basever=$(get_full_version) if [[ $BUILDDIR = "$startdir" ]]; then srcdir="$BUILDDIR/src" @@ -2933,12 +2942,11 @@ if (( INFAKEROOT )); then exit 0 # $E_OK fi -fullver=$(get_full_version) -msg "$(gettext "Making package: %s")" "$pkgbase $fullver ($(date))" +msg "$(gettext "Making package: %s")" "$pkgbase $basever ($(date))" # if we are creating a source-only package, go no further if (( SOURCEONLY )); then - if [[ -f $SRCPKGDEST/${pkgbase}-${fullver}${SRCEXT} ]] \ + if [[ -f $SRCPKGDEST/${pkgbase}-${basever}${SRCEXT} ]] \ && (( ! FORCE )); then error "$(gettext "A source package has already been built. (use %s to overwrite)")" "-f" exit 1 @@ -3018,6 +3026,7 @@ elif (( !REPKG )); then extract_sources if (( PKGVERFUNC )); then update_pkgver + basever=$(get_full_version) check_build_status fi if (( PREPAREFUNC )); then @@ -3053,8 +3062,7 @@ if (( NOARCHIVE )); then exit 0 fi -fullver=$(get_full_version) -msg "$(gettext "Finished making: %s")" "$pkgbase $fullver ($(date))" +msg "$(gettext "Finished making: %s")" "$pkgbase $basever ($(date))" install_package -- 1.9.1
--- scripts/repo-add.sh.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index dd3dba3..4325dbf 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -264,7 +264,7 @@ db_write_entry() { local pkgfile=$1 local -a _groups _licenses _replaces _depends _conflicts _provides \ _optdepends _makedepends _checkdepends - local pkgname pkgver pkgdesc csize size url arch builddate packager \ + local pkgname pkgbase pkgver pkgdesc csize size url arch builddate packager \ md5sum sha256sum pgpsig pgpsigsize # read info from the zipped package -- 1.9.1
When using the -S/--source option, add source package information to the sync db if one is found alongside the package file. This could be potentially used by a libalpm frontend to build package from source or provide a simple replacement to the Arch Build System. Signed-off-by: Allan McRae <allan@archlinux.org> --- doc/repo-add.8.txt | 4 +++ scripts/repo-add.sh.in | 74 ++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 76 insertions(+), 2 deletions(-) diff --git a/doc/repo-add.8.txt b/doc/repo-add.8.txt index d44a8a7..fd7aafb 100644 --- a/doc/repo-add.8.txt +++ b/doc/repo-add.8.txt @@ -82,6 +82,10 @@ repo-add Options Remove old package files from the disk when updating their entry in the database. +*-S, \--source*:: + Add information about source package files to the database if found next to + the package file. + Example ------- diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index 4325dbf..b9175e4 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -30,6 +30,7 @@ declare -r confdir='@sysconfdir@' QUIET=0 DELTA=0 +SOURCE=0 ONLYADDNEW=0 RMEXISTING=0 WITHFILES=0 @@ -61,6 +62,7 @@ Multiple packages to add can be specified on the command line.\n")" printf -- "$(gettext " -n, --new only add packages that are not already in the database\n")" printf -- "$(gettext " -R, --remove remove package file from disk when updating database entry\n")" printf -- "$(gettext " -f, --files update database's file list\n")" + printf -- "$(gettext " -S, --source add source package information to the database\n")" elif [[ $cmd == "repo-remove" ]] ; then printf -- "$(gettext "Usage: repo-remove [options] <path-to-db> <packagename|delta> ...\n")" printf -- "\n" 
@@ -124,6 +126,31 @@ find_pkgentry() { return 1 } +find_sourcepkg() { + local -a files + + for i in $@; do + if [[ ${i##*.} != "sig" ]]; then + files+=("$i") + fi + done + + case ${#files[@]} in + 0|1) + if [[ ! -f $1 ]]; then + warning "$(gettext "No source package found")" + return 1 + fi + ;; + *) + warning "$(gettext "Cannot determine source package - multiple matches found:")" + msg2 '%s' "$@" + return 1 + ;; + esac + echo "$files" +} + # Get the package name from the delta filename get_delta_pkgname() { local tmp @@ -193,6 +220,37 @@ db_remove_delta() { return 1 } # end db_remove_delta +# write source entry +db_write_source() { + local sourcepkg pgpsigsize pgpsig czise md5sum sha256sum + + sourcepkg=$1 + + if [[ -f "$sourcepkg.sig" ]]; then + pgpsigsize=$(@SIZECMD@ -L "$sourcepkg.sig") + if (( pgpsigsize > 16384 )); then + error "$(gettext "Invalid package signature file '%s'.")" "$sourcepkg.sig" + return 1 + fi + local pgpsig=$(openssl base64 -in "$sourcepkg.sig" | tr -d '\n') + fi + + csize=$(@SIZECMD@ -L "$sourcepkg") + + md5sum=$(openssl dgst -md5 "$sourcepkg") + md5sum=${md5sum##* } + sha256sum=$(openssl dgst -sha256 "$sourcepkg") + sha256sum=${sha256sum##* } + + { + format_entry "FILENAME" "${sourcepkg##*/}" + format_entry "CSIZE" "$csize" + format_entry "MD5SUM" "$md5sum" + format_entry "SHA256SUM" "$sha256sum" + format_entry "PGPSIG" "$pgpsig" + } >"$tmpdir/tree/$pkgname-$pkgver/source" +} + check_gpg() { if ! type -p gpg >/dev/null; then error "$(gettext "Cannot find the gpg binary! Is GnuPG installed?")" 
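Review bot: `for i in $@` in find_sourcepkg word-splits and re-globs the caller's arguments, and `i` is never declared `local`, so a path containing whitespace or glob characters is mangled before the `.sig` filter runs and `i` leaks into the calling scope; use `local i` and `for i in "$@"; do`. The result line `echo "$files"` relies on a bare array name expanding to its first element and on `echo` not treating the value as an option; `printf '%s\n' "${files[0]}"` states the intent and is safe for any filename. The same lines are quoted again in the two replies further down this thread.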
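Review bot: The `local` list in db_write_source declares `czise`, so `csize` is not local to the function and the assignment `csize=$(@SIZECMD@ -L "$sourcepkg")` writes into the caller's variable (db_write_entry declares its own `csize`), overwriting the package's compressed size for anything that reads it afterwards; correct the spelling to `csize`. `pgpsig` is declared twice, once in that list and again as `local pgpsig=$(openssl base64 ...)`, and the second form also masks openssl's exit status (SC2155); drop the second `local` and assign with `pgpsig=$(openssl base64 -in "$sourcepkg.sig" | tr -d '\n')`. The function writes to `$tmpdir/tree/$pkgname-$pkgver/source` using `tmpdir`, `pkgname` and `pkgver` from the caller without saying so; expand the header to `# write source entry; expects tmpdir, pkgname and pkgver to be set by the caller (db_write_entry)`.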
@@ -264,8 +322,8 @@ db_write_entry() { local pkgfile=$1 local -a _groups _licenses _replaces _depends _conflicts _provides \ _optdepends _makedepends _checkdepends - local pkgname pkgbase pkgver pkgdesc csize size url arch builddate packager \ - md5sum sha256sum pgpsig pgpsigsize + local pkgname pkgbase pkgver basever pkgdesc csize size url arch builddate \ + packager md5sum sha256sum pgpsig pgpsigsize # read info from the zipped package local line var val @@ -398,6 +456,17 @@ db_write_entry() { bsdtar --exclude='^.*' -tf "$pkgfile" >>"$files_path" fi + # create a source file + if (( SOURCE )); then + msg2 "$(gettext "Creating '%s' db entry...")" 'source' + local sourcefile + + if sourcefile=$(find_sourcepkg \ + "${pkgbase:-$pkgname}-${basever:-$pkgver}.src.tar"*); then + db_write_source "$sourcefile" + fi + fi + # create a delta file if (( DELTA )); then if [[ -n $oldfilename ]]; then @@ -624,6 +693,7 @@ while (( $# )); do -n|--new) ONLYADDNEW=1;; -R|--remove) RMEXISTING=1;; -f|--files) WITHFILES=1;; + -S|--source) SOURCE=1;; --nocolor) USE_COLOR='n';; -s|--sign) check_gpg -- 1.9.1
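Review bot: The lookup pattern `"${pkgbase:-$pkgname}-${basever:-$pkgver}.src.tar"*` has no directory component, so it is expanded against the current working directory rather than the directory containing `$pkgfile`, even though the man page text in this series says the source package is looked for next to the package file; unless repo-add changes into that directory before this point (not visible in the hunk), a package passed by path will never have its source found. Deriving the directory first, e.g. `local pkgdir=${pkgfile%/*}`, `[[ $pkgdir == "$pkgfile" ]] && pkgdir=.`, and then globbing `"$pkgdir/${pkgbase:-$pkgname}-${basever:-$pkgver}.src.tar"*`, ties the search to the documented location. The `msg2 "$(gettext "Creating '%s' db entry...")" 'source'` line runs before the lookup, so the message is printed even when no entry is written; moving it after a successful find_sourcepkg avoids a misleading log line. db_write_entry begins and ends outside this hunk.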
On 03/27/14 at 05:27pm, Allan McRae wrote:
When using the -S/--source option, add source package information to the sync db if one is found alongside the package file. This could potentially be used by a libalpm frontend to build packages from source, or to provide a simple replacement for the Arch Build System.
Signed-off-by: Allan McRae <allan@archlinux.org> --- doc/repo-add.8.txt | 4 +++ scripts/repo-add.sh.in | 74 ++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 76 insertions(+), 2 deletions(-)
I am concerned that adding source package support to db's/front-ends will make things extremely difficult should we ever decide to replace makepkg and the PKGBUILD format, as has been discussed on a couple occasions. If we could specify in the source package itself what should be used to build it, front-ends could behave more intelligently in the event of a transition. Perhaps we could go ahead and add a minimal .SRCINFO with build tool, pkgname, and pkgver information.
diff --git a/doc/repo-add.8.txt b/doc/repo-add.8.txt index d44a8a7..fd7aafb 100644 --- a/doc/repo-add.8.txt +++ b/doc/repo-add.8.txt @@ -82,6 +82,10 @@ repo-add Options Remove old package files from the disk when updating their entry in the database.
+*-S, \--source*:: + Add information about source package files to the database if found next to + the package file. + Example -------
diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index 4325dbf..b9175e4 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -30,6 +30,7 @@ declare -r confdir='@sysconfdir@'
QUIET=0 DELTA=0 +SOURCE=0 ONLYADDNEW=0 RMEXISTING=0 WITHFILES=0 @@ -61,6 +62,7 @@ Multiple packages to add can be specified on the command line.\n")" printf -- "$(gettext " -n, --new only add packages that are not already in the database\n")" printf -- "$(gettext " -R, --remove remove package file from disk when updating database entry\n")" printf -- "$(gettext " -f, --files update database's file list\n")" + printf -- "$(gettext " -S, --source add source package information to the database\n")" elif [[ $cmd == "repo-remove" ]] ; then printf -- "$(gettext "Usage: repo-remove [options] <path-to-db> <packagename|delta> ...\n")" printf -- "\n" @@ -124,6 +126,31 @@ find_pkgentry() { return 1 }
+find_sourcepkg() { + local -a files + + for i in $@; do + if [[ ${i##*.} != "sig" ]]; then + files+=("$i") + fi + done + + case ${#files[@]} in + 0|1) + if [[ ! -f $1 ]]; then
Won't this test the first element in the original, unfiltered, array rather than the file that will actually be echo'd?
+ warning "$(gettext "No source package found")" + return 1 + fi + ;; + *) + warning "$(gettext "Cannot determine source package - multiple matches found:")" + msg2 '%s' "$@" + return 1 + ;; + esac + echo "$files"
Mixed tabs/spaces.
+} + # Get the package name from the delta filename get_delta_pkgname() { local tmp @@ -193,6 +220,37 @@ db_remove_delta() { return 1 } # end db_remove_delta
+# write source entry +db_write_source() { + local sourcepkg pgpsigsize pgpsig czise md5sum sha256sum + + sourcepkg=$1 + + if [[ -f "$sourcepkg.sig" ]]; then + pgpsigsize=$(@SIZECMD@ -L "$sourcepkg.sig") + if (( pgpsigsize > 16384 )); then + error "$(gettext "Invalid package signature file '%s'.")" "$sourcepkg.sig" + return 1 + fi + local pgpsig=$(openssl base64 -in "$sourcepkg.sig" | tr -d '\n') + fi + + csize=$(@SIZECMD@ -L "$sourcepkg") + + md5sum=$(openssl dgst -md5 "$sourcepkg") + md5sum=${md5sum##* } + sha256sum=$(openssl dgst -sha256 "$sourcepkg") + sha256sum=${sha256sum##* } + + { + format_entry "FILENAME" "${sourcepkg##*/}" + format_entry "CSIZE" "$csize" + format_entry "MD5SUM" "$md5sum" + format_entry "SHA256SUM" "$sha256sum" + format_entry "PGPSIG" "$pgpsig" + } >"$tmpdir/tree/$pkgname-$pkgver/source" +} + check_gpg() { if ! type -p gpg >/dev/null; then error "$(gettext "Cannot find the gpg binary! Is GnuPG installed?")" @@ -264,8 +322,8 @@ db_write_entry() { local pkgfile=$1 local -a _groups _licenses _replaces _depends _conflicts _provides \ _optdepends _makedepends _checkdepends - local pkgname pkgbase pkgver pkgdesc csize size url arch builddate packager \ - md5sum sha256sum pgpsig pgpsigsize + local pkgname pkgbase pkgver basever pkgdesc csize size url arch builddate \ + packager md5sum sha256sum pgpsig pgpsigsize
# read info from the zipped package local line var val @@ -398,6 +456,17 @@ db_write_entry() { bsdtar --exclude='^.*' -tf "$pkgfile" >>"$files_path" fi
+ # create a source file + if (( SOURCE )); then + msg2 "$(gettext "Creating '%s' db entry...")" 'source' + local sourcefile + + if sourcefile=$(find_sourcepkg \ + "${pkgbase:-$pkgname}-${basever:-$pkgver}.src.tar"*); then
This ties us to makepkg's current naming scheme for source packages whereas the actual package can have any arbitrary file name. If we add the .SRCINFO file, could we use it to allow source packages to be passed as normal arguments instead of having repo-add go looking for them?
+ db_write_source "$sourcefile" + fi + fi + # create a delta file if (( DELTA )); then if [[ -n $oldfilename ]]; then @@ -624,6 +693,7 @@ while (( $# )); do -n|--new) ONLYADDNEW=1;; -R|--remove) RMEXISTING=1;; -f|--files) WITHFILES=1;; + -S|--source) SOURCE=1;; --nocolor) USE_COLOR='n';; -s|--sign) check_gpg -- 1.9.1
On 29/03/14 02:15, Andrew Gregory wrote:
On 03/27/14 at 05:27pm, Allan McRae wrote:
When using the -S/--source option, add source package information to the sync db if one is found alongside the package file. This could potentially be used by a libalpm frontend to build packages from source, or to provide a simple replacement for the Arch Build System.
Signed-off-by: Allan McRae <allan@archlinux.org> --- doc/repo-add.8.txt | 4 +++ scripts/repo-add.sh.in | 74 ++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 76 insertions(+), 2 deletions(-)
I am concerned that adding source package support to db's/front-ends will make things extremely difficult should we ever decide to replace makepkg and the PKGBUILD format, as has been discussed on a couple occasions. If we could specify in the source package itself what should be used to build it, front-ends could behave more intelligently in the event of a transition. Perhaps we could go ahead and add a minimal .SRCINFO with build tool, pkgname, and pkgver information.
I think this change is entirely independent of any future PKGBUILD format change and .SRCINFO file. The .SRCINFO file would be stored inside the source tarball, much like the .PKGINFO file is inside the package tarball. This patch just allows frontends to locate the source tarball for a given package. If a new PKGBUILD format was developed, I expect makepkg to become a wrapper that detects the format and calls the old and new packaging scripts.
diff --git a/doc/repo-add.8.txt b/doc/repo-add.8.txt index d44a8a7..fd7aafb 100644 --- a/doc/repo-add.8.txt +++ b/doc/repo-add.8.txt @@ -82,6 +82,10 @@ repo-add Options Remove old package files from the disk when updating their entry in the database.
+*-S, \--source*:: + Add information about source package files to the database if found next to + the package file. + Example -------
diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index 4325dbf..b9175e4 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -30,6 +30,7 @@ declare -r confdir='@sysconfdir@'
QUIET=0 DELTA=0 +SOURCE=0 ONLYADDNEW=0 RMEXISTING=0 WITHFILES=0 @@ -61,6 +62,7 @@ Multiple packages to add can be specified on the command line.\n")" printf -- "$(gettext " -n, --new only add packages that are not already in the database\n")" printf -- "$(gettext " -R, --remove remove package file from disk when updating database entry\n")" printf -- "$(gettext " -f, --files update database's file list\n")" + printf -- "$(gettext " -S, --source add source package information to the database\n")" elif [[ $cmd == "repo-remove" ]] ; then printf -- "$(gettext "Usage: repo-remove [options] <path-to-db> <packagename|delta> ...\n")" printf -- "\n" @@ -124,6 +126,31 @@ find_pkgentry() { return 1 }
+find_sourcepkg() { + local -a files + + for i in $@; do + if [[ ${i##*.} != "sig" ]]; then + files+=("$i") + fi + done + + case ${#files[@]} in + 0|1) + if [[ ! -f $1 ]]; then
Won't this test the first element in the original, unfiltered, array rather than the file that will actually be echo'd?
Good catch! Missed updating that when I filtered out the signature files.
+ warning "$(gettext "No source package found")" + return 1 + fi + ;; + *) + warning "$(gettext "Cannot determine source package - multiple matches found:")" + msg2 '%s' "$@" + return 1 + ;; + esac + echo "$files"
Mixed tabs/spaces.
Fixed.
+} + # Get the package name from the delta filename get_delta_pkgname() { local tmp @@ -193,6 +220,37 @@ db_remove_delta() { return 1 } # end db_remove_delta
+# write source entry +db_write_source() { + local sourcepkg pgpsigsize pgpsig czise md5sum sha256sum + + sourcepkg=$1 + + if [[ -f "$sourcepkg.sig" ]]; then + pgpsigsize=$(@SIZECMD@ -L "$sourcepkg.sig") + if (( pgpsigsize > 16384 )); then + error "$(gettext "Invalid package signature file '%s'.")" "$sourcepkg.sig" + return 1 + fi + local pgpsig=$(openssl base64 -in "$sourcepkg.sig" | tr -d '\n') + fi + + csize=$(@SIZECMD@ -L "$sourcepkg") + + md5sum=$(openssl dgst -md5 "$sourcepkg") + md5sum=${md5sum##* } + sha256sum=$(openssl dgst -sha256 "$sourcepkg") + sha256sum=${sha256sum##* } + + { + format_entry "FILENAME" "${sourcepkg##*/}" + format_entry "CSIZE" "$csize" + format_entry "MD5SUM" "$md5sum" + format_entry "SHA256SUM" "$sha256sum" + format_entry "PGPSIG" "$pgpsig" + } >"$tmpdir/tree/$pkgname-$pkgver/source" +} + check_gpg() { if ! type -p gpg >/dev/null; then error "$(gettext "Cannot find the gpg binary! Is GnuPG installed?")" @@ -264,8 +322,8 @@ db_write_entry() { local pkgfile=$1 local -a _groups _licenses _replaces _depends _conflicts _provides \ _optdepends _makedepends _checkdepends - local pkgname pkgbase pkgver pkgdesc csize size url arch builddate packager \ - md5sum sha256sum pgpsig pgpsigsize + local pkgname pkgbase pkgver basever pkgdesc csize size url arch builddate \ + packager md5sum sha256sum pgpsig pgpsigsize
# read info from the zipped package local line var val @@ -398,6 +456,17 @@ db_write_entry() { bsdtar --exclude='^.*' -tf "$pkgfile" >>"$files_path" fi
+ # create a source file + if (( SOURCE )); then + msg2 "$(gettext "Creating '%s' db entry...")" 'source' + local sourcefile + + if sourcefile=$(find_sourcepkg \ + "${pkgbase:-$pkgname}-${basever:-$pkgver}.src.tar"*); then
This ties us to makepkg's current naming scheme for source packages whereas the actual package can have any arbitrary file name. If we add the .SRCINFO file, could we use it to allow source packages to be passed as normal arguments instead of having repo-add go looking for them?
I'd expect the .SRCINFO file to be put inside the source tarball and so the file name would stay the same.
+ db_write_source "$sourcefile" + fi + fi + # create a delta file if (( DELTA )); then if [[ -n $oldfilename ]]; then @@ -624,6 +693,7 @@ while (( $# )); do -n|--new) ONLYADDNEW=1;; -R|--remove) RMEXISTING=1;; -f|--files) WITHFILES=1;; + -S|--source) SOURCE=1;; --nocolor) USE_COLOR='n';; -s|--sign) check_gpg -- 1.9.1