[pacman-dev] [PATCH] libmakepkg: add routine for linting $SOURCE_DATE_EPOCH
This can only ever be an int, and the specification states that a malformed timestamp should be considered a fatal error. https://reproducible-builds.org/specs/source-date-epoch/
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
---
 scripts/Makefile.am | 1 +
 .../lint_config/source_date_epoch.sh.in | 37 +++++++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100755 scripts/libmakepkg/lint_config/source_date_epoch.sh.in
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 54a8d215..255aee2b 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -71,6 +71,7 @@ LIBMAKEPKG_IN = \
 libmakepkg/integrity/verify_signature.sh \
 libmakepkg/lint_config.sh \
 libmakepkg/lint_config/paths.sh \
+ libmakepkg/lint_config/source_date_epoch.sh \
 libmakepkg/lint_config/variable.sh \
 libmakepkg/lint_package.sh \
 libmakepkg/lint_package/build_references.sh \
diff --git a/scripts/libmakepkg/lint_config/source_date_epoch.sh.in b/scripts/libmakepkg/lint_config/source_date_epoch.sh.in
new file mode 100755
index 00000000..38fbfd77
--- /dev/null
+++ b/scripts/libmakepkg/lint_config/source_date_epoch.sh.in
@@ -0,0 +1,37 @@
+#!/bin/bash
+#
+# source_date_epoch.sh - Check that reproducible builds timestamp is valid
+#
+# Copyright (c) 2018 Pacman Development Team <pacman-dev@archlinux.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+[[ -n $LIBMAKEPKG_LINT_CONFIG_SOURCE_DATE_EPOCH_SH ]] && return
+LIBMAKEPKG_LINT_CONFIG_SOURCE_DATE_EPOCH_SH=1
+
+LIBRARY=${LIBRARY:-'@libmakepkgdir@'}
+
+source "$LIBRARY/util/message.sh"
+
+lint_config_functions+=('lint_source_date_epoch')
+
+
+lint_source_date_epoch() {
+ if [[ $SOURCE_DATE_EPOCH = *[^[:digit:]]* ]]; then
+ error "$(gettext "%s contains invalid characters: %s")" \
+ "\$SOURCE_DATE_EPOCH" "${SOURCE_DATE_EPOCH//[[:digit:]]}"
+ return 1
+ fi
+}
-- 
2.20.1
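Review bot: In `lint_source_date_epoch` the error prints the offending characters raw via `"${SOURCE_DATE_EPOCH//[[:digit:]]}"`, so when the only defect is whitespace or a control character (a trailing newline from a command substitution, say) the message appears to end after the colon and the control bytes go straight to the terminal. Passing the remainder through `printf '%q'` first, e.g. `"$(printf '%q' "${SOURCE_DATE_EPOCH//[[:digit:]]}")"`, keeps the report readable. A variable that is set but empty also passes the pattern; whether that should be treated as unset depends on how the callers test it, which this hunk does not show. A one-line comment above the function, such as `# Reject any SOURCE_DATE_EPOCH that is not a plain run of decimal digits.`, would document the rule.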
Use mapfile instead of hacking around read -a with the $IFS. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- scripts/libmakepkg/executable/checksum.sh.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/libmakepkg/executable/checksum.sh.in b/scripts/libmakepkg/executable/checksum.sh.in index 9783d4ee..0a4b0c9e 100644 --- a/scripts/libmakepkg/executable/checksum.sh.in +++ b/scripts/libmakepkg/executable/checksum.sh.in @@ -29,7 +29,7 @@ executable_functions+=('executable_checksum') executable_checksum() { if (( GENINTEG || ! SKIPCHECKSUMS )); then local integlist - IFS=$'\n' read -rd '' -a integlist < <(get_integlist) + mapfile -t integlist < <(get_integlist) local integ for integ in "${integlist[@]}"; do -- 2.20.1
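Review bot: `mapfile -t integlist` keeps a blank input line as an empty array element, whereas the replaced `IFS=$'\n' read -rd '' -a integlist` treated newlines as IFS whitespace and collapsed them, so an empty line from `get_integlist` would now reach the `for integ` loop as an empty string. Whether `get_integlist` can ever emit one is not visible here, and the loop body continues outside the hunk. If it can, a guard at the top of the loop such as `[[ -n $integ ]] || continue` keeps the previous behaviour for a list that feeds checksum verification.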
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- doc/makepkg.8.asciidoc | 2 +- scripts/libmakepkg/integrity/generate_signature.sh.in | 6 +++++- scripts/makepkg.sh.in | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/doc/makepkg.8.asciidoc b/doc/makepkg.8.asciidoc index ec35ab04..dcd597c8 100644 --- a/doc/makepkg.8.asciidoc +++ b/doc/makepkg.8.asciidoc @@ -343,7 +343,7 @@ On exit, makepkg will return one of the following error codes. Programs necessary to run makepkg are missing. 16:: - Specified GPG key does not exist. + Specified GPG key does not exist or failed to sign package. See Also -------- diff --git a/scripts/libmakepkg/integrity/generate_signature.sh.in b/scripts/libmakepkg/integrity/generate_signature.sh.in index 1567ee89..786ca081 100644 --- a/scripts/libmakepkg/integrity/generate_signature.sh.in +++ b/scripts/libmakepkg/integrity/generate_signature.sh.in @@ -47,6 +47,8 @@ create_signature() { } create_package_signatures() { + local ret=0 + if [[ $SIGNPKG != 'y' ]]; then return 0 fi @@ -55,7 +57,9 @@ create_package_signatures() { print_all_package_names | while read -r pkg_file; do if [[ -f $pkg_file ]]; then - create_signature "$pkg_file" + create_signature "$pkg_file" || ret=$? fi done + + return $ret } diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 66729584..fcc76e7f 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1493,7 +1493,7 @@ else enter_fakeroot - create_package_signatures + create_package_signatures || exit $E_PRETTY_BAD_PRIVACY fi # if inhibiting archive creation, go no further -- 2.20.1
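Review bot: In `create_package_signatures`, `ret` is assigned inside the `while read` loop that is the last stage of `print_all_package_names | while read -r pkg_file; do`, and bash runs that stage in a subshell unless `lastpipe` is in effect, so the assignment is lost and `return $ret` always returns 0. The new `create_package_signatures || exit $E_PRETTY_BAD_PRIVACY` in makepkg.sh.in would then never fire, and a package whose signing failed is left unsigned while makepkg exits successfully. Feeding the loop by process substitution keeps it in the current shell: open it with `while read -r pkg_file; do` and close it with `done < <(print_all_package_names)`. The v2 posting of this patch further down assigns `ret` inside a loop whose head lies outside its hunk, so the same check is worth making there.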
On 10/1/19 3:58 pm, Eli Schwartz wrote:
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> ---
This patch is on top of something that is not accepted yet so does not apply. A
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- v2: apply patch on top of master, not another pending patch doc/makepkg.8.asciidoc | 2 +- scripts/libmakepkg/integrity/generate_signature.sh.in | 8 ++++++-- scripts/makepkg.sh.in | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/doc/makepkg.8.asciidoc b/doc/makepkg.8.asciidoc index b15e3a67..544659fc 100644 --- a/doc/makepkg.8.asciidoc +++ b/doc/makepkg.8.asciidoc @@ -340,7 +340,7 @@ On exit, makepkg will return one of the following error codes. Programs necessary to run makepkg are missing. 16:: - Specified GPG key does not exist. + Specified GPG key does not exist or failed to sign package. See Also -------- diff --git a/scripts/libmakepkg/integrity/generate_signature.sh.in b/scripts/libmakepkg/integrity/generate_signature.sh.in index e6ff3b1b..b6138824 100644 --- a/scripts/libmakepkg/integrity/generate_signature.sh.in +++ b/scripts/libmakepkg/integrity/generate_signature.sh.in @@ -47,6 +47,8 @@ create_signature() { } create_package_signatures() { + local ret=0 + if [[ $SIGNPKG != 'y' ]]; then return 0 fi @@ -59,7 +61,7 @@ create_package_signatures() { pkgarch=$(get_pkg_arch $pkg) pkg_file="$PKGDEST/${pkg}-${fullver}-${pkgarch}${PKGEXT}" - create_signature "$pkg_file" + create_signature "$pkg_file" || ret=$? done # check if debug package needs a signature @@ -68,7 +70,9 @@ create_package_signatures() { pkgarch=$(get_pkg_arch) pkg_file="$PKGDEST/${pkg}-${fullver}-${pkgarch}${PKGEXT}" if [[ -f $pkg_file ]]; then - create_signature "$pkg_file" + create_signature "$pkg_file" || ret=$? fi fi + + return $ret } diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 4f096a36..351f120e 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1480,7 +1480,7 @@ else enter_fakeroot - create_package_signatures + create_package_signatures || exit $E_PRETTY_BAD_PRIVACY fi # if inhibiting archive creation, go no further -- 2.21.0
This is not really an error with a "user function". Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- scripts/makepkg.sh.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 72c953c9..64a62236 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1223,7 +1223,7 @@ unset "${!sha384sums_@}" "${!sha512sums_@}" BUILDFILE=${BUILDFILE:-$BUILDSCRIPT} if [[ ! -f $BUILDFILE ]]; then error "$(gettext "%s does not exist.")" "$BUILDFILE" - exit $E_USER_FUNCTION_FAILED + exit $E_PKGBUILD_ERROR else if [[ $(<"$BUILDFILE") = *$'\r'* ]]; then -- 2.20.1
On 10/1/19 3:58 pm, Eli Schwartz wrote:
This can only ever be an int, and the specification states that a malformed timestamp should be considered a fatal error.
https://reproducible-builds.org/specs/source-date-epoch/ Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- scripts/Makefile.am | 1 + .../lint_config/source_date_epoch.sh.in | 37 +++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100755 scripts/libmakepkg/lint_config/source_date_epoch.sh.in
Pulled to my patchqueue with the needed meson addition. A