[pacman-dev] [PATCH] makepkg: --source should download repos with PGP signatures
We optimize this out for sourceballs since VCS sources don't get their checksums verified. But this logic is broken ever since we implemented PGP signature checking for git sources -- if the git source is signed, we still check it, but we don't make sure to download it first. makepkg then fails to generate a sourceball unless you previously ran --verifysource or attempted to build. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- scripts/libmakepkg/source.sh.in | 5 ++++- scripts/libmakepkg/source/git.sh.in | 9 ++++++--- scripts/makepkg.sh.in | 2 +- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/scripts/libmakepkg/source.sh.in b/scripts/libmakepkg/source.sh.in index a0c6b662..b95e6be8 100644 --- a/scripts/libmakepkg/source.sh.in +++ b/scripts/libmakepkg/source.sh.in @@ -35,7 +35,7 @@ done download_sources() { local netfile all_sources - local get_source_fn=get_all_sources_for_arch get_vcs=1 + local get_source_fn=get_all_sources_for_arch get_vcs=1 get_pgp=0 msg "$(gettext "Retrieving sources...")" @@ -47,6 +47,9 @@ download_sources() { novcs) get_vcs=0 ;; + getpgp) + (( SKIPPGPCHECK )) || get_pgp=1 + ;; *) break ;; diff --git a/scripts/libmakepkg/source/git.sh.in b/scripts/libmakepkg/source/git.sh.in index 7d191b8d..d090f14e 100644 --- a/scripts/libmakepkg/source/git.sh.in +++ b/scripts/libmakepkg/source/git.sh.in @@ -29,13 +29,16 @@ source "$LIBRARY/util/pkgbuild.sh" download_git() { + local netfile=$1 + local query=$(get_uri_query "$netfile") + # abort early if parent says not to fetch if declare -p get_vcs > /dev/null 2>&1; then - (( get_vcs )) || return + if (( ! get_pgp )) || [[ $query != signed ]]; then + (( get_vcs )) || return + fi fi - local netfile=$1 - local dir=$(get_filepath "$netfile") [[ -z "$dir" ]] && dir="$SRCDEST/$(get_filename "$netfile")" diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 7e8d6805..c9940f0a 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in 
@@ -1416,7 +1416,7 @@ if (( SOURCEONLY )); then download_sources allarch elif ( (( ! SKIPCHECKSUMS )) || \ ( (( ! SKIPPGPCHECK )) && source_has_signatures ) ); then - download_sources allarch novcs + download_sources allarch novcs getpgp fi check_source_integrity all cd_safe "$startdir" -- 2.28.0
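Review bot: in the first scripts/libmakepkg/source.sh.in hunk, `get_pgp=0` joins `get_vcs=1` on the `local` line because the per-protocol `download_git` reads both through bash's dynamic scoping (it tests `declare -p get_vcs` and then evaluates `get_pgp`), but nothing here records that coupling; a comment above the line such as `# get_vcs/get_pgp are read by the download_* helpers` would make it visible to whoever next edits this list.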
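Review bot: the `(( SKIPPGPCHECK )) || get_pgp=1` guard in the new `getpgp)` arm is not redundant with the caller and should say why: the makepkg.sh.in hunk passes `getpgp` whenever its `elif` fires, which includes the `(( ! SKIPCHECKSUMS ))` case with PGP checking disabled, so this arm is the only thing that stops a signed git source from being fetched under `--skippgpcheck`. Suggest `getpgp) # fetch signed VCS sources only when we will actually verify them`.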
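Review bot: the double negation in `if (( ! get_pgp )) || [[ $query != signed ]]; then (( get_vcs )) || return; fi` in the git.sh.in hunk is hard to follow; stating the fetch rule positively, e.g. `(( get_vcs )) || { (( get_pgp )) && [[ $query == signed ]]; } || return`, reads as "fetch if VCS fetching is on, or if this source is signed and will be verified". Two smaller points: `local query=$(get_uri_query "$netfile")` masks the command's exit status (shellcheck SC2155), and the guard still only checks `declare -p get_vcs`, so a caller that sets `get_vcs` without `get_pgp` takes the old path because `(( ! get_pgp ))` is true for an unset variable; that is the safe default, but worth a comment.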
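Review bot: the `elif` condition in the makepkg.sh.in hunk is unchanged, so `getpgp` is passed even when `source_has_signatures` is false or `SKIPPGPCHECK` is set; the flag is harmless in the first case and neutralised by the `getpgp)` arm in the second, but a one-line comment above `download_sources allarch novcs getpgp` explaining that it exists so signed git sources are present when `check_source_integrity all` runs would save the next reader from tracing through libmakepkg.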
On 11/8/20 11:32 am, Eli Schwartz wrote:
We optimize this out for sourceballs since VCS sources don't get their checksums verified. But this logic is broken ever since we implemented PGP signature checking for git sources -- if the git source is signed, we still check it, but we don't make sure to download it first. makepkg then fails to generate a sourceball unless you previously ran --verifysource or attempted to build.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
I am not a fan of this - the whole source download logic becomes a bit piecemeal. I think we either need to:

1) Not download the source for source packages (unless --allsource is used), or

2) Download all sources when making source packages.

Allan
--- scripts/libmakepkg/source.sh.in | 5 ++++- scripts/libmakepkg/source/git.sh.in | 9 ++++++--- scripts/makepkg.sh.in | 2 +- 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/scripts/libmakepkg/source.sh.in b/scripts/libmakepkg/source.sh.in index a0c6b662..b95e6be8 100644 --- a/scripts/libmakepkg/source.sh.in +++ b/scripts/libmakepkg/source.sh.in @@ -35,7 +35,7 @@ done
download_sources() { local netfile all_sources - local get_source_fn=get_all_sources_for_arch get_vcs=1 + local get_source_fn=get_all_sources_for_arch get_vcs=1 get_pgp=0
msg "$(gettext "Retrieving sources...")"
@@ -47,6 +47,9 @@ download_sources() { novcs) get_vcs=0 ;; + getpgp) + (( SKIPPGPCHECK )) || get_pgp=1 + ;; *) break ;; diff --git a/scripts/libmakepkg/source/git.sh.in b/scripts/libmakepkg/source/git.sh.in index 7d191b8d..d090f14e 100644 --- a/scripts/libmakepkg/source/git.sh.in +++ b/scripts/libmakepkg/source/git.sh.in @@ -29,13 +29,16 @@ source "$LIBRARY/util/pkgbuild.sh"
download_git() { + local netfile=$1 + local query=$(get_uri_query "$netfile") + # abort early if parent says not to fetch if declare -p get_vcs > /dev/null 2>&1; then - (( get_vcs )) || return + if (( ! get_pgp )) || [[ $query != signed ]]; then + (( get_vcs )) || return + fi fi
- local netfile=$1 - local dir=$(get_filepath "$netfile") [[ -z "$dir" ]] && dir="$SRCDEST/$(get_filename "$netfile")"
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 7e8d6805..c9940f0a 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1416,7 +1416,7 @@ if (( SOURCEONLY )); then download_sources allarch elif ( (( ! SKIPCHECKSUMS )) || \ ( (( ! SKIPPGPCHECK )) && source_has_signatures ) ); then - download_sources allarch novcs + download_sources allarch novcs getpgp fi check_source_integrity all cd_safe "$startdir"