[pacman-dev] [PATCH] makepkg: check all integrity sums found in the PKGBUILD
Currently we use the INTEGRITY_CHECK array from makepkg.conf to limit both the integrity sums generated and checked. It doesn't make a whole lot of sense to ignore integrity sums that are present in a PKGBUILD, so this patch will enable checking any that are available, but will only print a warning about missing sums for those types found in INTEGRITY_CHECK. It also adds a slight optimization of checking for openssl- we only need to check once now because we use the same program for all checks. Signed-off-by: Dan McGee <dan@archlinux.org> --- scripts/makepkg.sh.in | 38 ++++++++++++++++++-------------------- 1 files changed, 18 insertions(+), 20 deletions(-) diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index d641cbb..f6136ba 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -463,6 +463,11 @@ generate_checksums() { msg "$(gettext "Generating checksums for source files...")" plain "" + if [ ! $(type -p openssl) ]; then + error "$(gettext "Cannot find openssl.")" + exit 1 # $E_MISSING_PROGRAM + fi + local integ for integ in ${INTEGRITY_CHECK[@]}; do integ="$(echo $integ | tr '[:upper:]' '[:lower:]')" @@ -473,11 +478,6 @@ generate_checksums() { exit 1;; # $E_CONFIG_ERROR esac - if [ ! $(type -p openssl) ]; then - error "$(gettext "Cannot find openssl.")" - exit 1 # $E_MISSING_PROGRAM - fi - local ct=0 local numsrc=${#source[@]} echo -n "${integ}sums=(" @@ -515,21 +515,13 @@ generate_checksums() { } check_checksums() { - local integ - for integ in ${INTEGRITY_CHECK[@]}; do - integ="$(echo $integ | tr '[:upper:]' '[:lower:]')" - case "$integ" in - md5|sha1|sha256|sha384|sha512) : ;; - *) - error "$(gettext "Invalid integrity algorithm '%s' specified")" "$integ" - exit 1;; # $E_CONFIG_ERROR - esac - - if [ ! $(type -p openssl) ]; then - error "$(gettext "Cannot find openssl.")" - exit 1 # $E_MISSING_PROGRAM - fi + if [ ! $(type -p openssl) ]; then + error "$(gettext "Cannot find openssl.")" + exit 1 # $E_MISSING_PROGRAM + fi + local integ required + for integ in md5 sha1 sha256 sha384 sha512; do local integrity_sums=($(eval echo "\${${integ}sums[@]}")) if [ ${#integrity_sums[@]} -eq ${#source[@]} ]; then msg "$(gettext "Validating source files with %s...")" "${integ}sums" @@ -567,7 +559,13 @@ check_checksums() { exit 1 # TODO: error code fi else - warning "$(gettext "Integrity checks (%s) are missing or incomplete.")" "$integ" + for required in ${INTEGRITY_CHECK[@]}; do + required="$(echo $required | tr '[:upper:]' '[:lower:]')" + if [ "$integ" = "$required" ]; then + warning "$(gettext "Integrity checks (%s) are missing or incomplete.")" "$integ" + break + fi + done fi done } -- 1.6.0
On Sat, Aug 23, 2008 at 5:21 PM, Dan McGee <dan@archlinux.org> wrote:
Currently we use the INTEGRITY_CHECK array from makepkg.conf to limit both the integrity sums generated and checked. It doesn't make a whole lot of sense to ignore integrity sums that are present in a PKGBUILD, so this patch will enable checking any that are available, but will only print a warning about missing sums for those types found in INTEGRITY_CHECK.
It also adds a slight optimization of checking for openssl- we only need to check once now because we use the same program for all checks.
Sounds good to me. I think the warning about missing sums could be even printed in any cases, but I understand the point of view that you only care about the ones specified in INTEGRITY_CHECK so it seems good (and closer to the old behavior).
On Sat, Aug 23, 2008 at 12:55 PM, Xavier <shiningxc@gmail.com> wrote:
On Sat, Aug 23, 2008 at 5:21 PM, Dan McGee <dan@archlinux.org> wrote:
Currently we use the INTEGRITY_CHECK array from makepkg.conf to limit both the integrity sums generated and checked. It doesn't make a whole lot of sense to ignore integrity sums that are present in a PKGBUILD, so this patch will enable checking any that are available, but will only print a warning about missing sums for those types found in INTEGRITY_CHECK.
It also adds a slight optimization of checking for openssl- we only need to check once now because we use the same program for all checks.
Sounds good to me. I think the warning about missing sums could be even printed in any cases, but I understand the point of view that you only care about the ones specified in INTEGRITY_CHECK so it seems good (and closer to the old behavior).
I figured 6 warnings, and especially the one about missing sha384 sums, would piss off a few too many people, so I decided to add this little check in. :) -Dan
On Sat, Aug 23, 2008 at 7:58 PM, Dan McGee <dpmcgee@gmail.com> wrote:
I figured 6 warnings, and especially the one about missing sha384 sums, would piss off a few too many people, so I decided to add this little check in. :)
Oops, I misunderstood the code. I thought the warning happened only when sha384 sums were defined, but incomplete. I just realized the warning would be there even if sha384 array was not defined at all. So indeed, in this case that little check is very welcome.
participants (3)
-
Dan McGee
-
Dan McGee
-
Xavier