[pacman-dev] [PATCH] libmakepkg/integrity: fix regression that broke --install
Allan McRae
allan at archlinux.org
Wed Mar 14 05:34:56 UTC 2018
On 06/03/18 01:36, Eli Schwartz wrote:
> In commit c6b04c04653ba9933fe978829148312e412a9ea7 package signing was
> moved out of fakeroot, and as part of this process, the global pkgname
> variable was modified in order to extract the built package names.
>
> However, if a debug package was not available and added to the list of
> packages, the function was aborted early, before the pkgname array was
> restored, thereby corrupting the later stages of makepkg and
> specifically the install_package function which needs to know which
> pkgnames to install.
>
> Fix this by inlining the debug package signing inside the `if` check,
> and as added security switch to using `for pkg in "${pkgname[@]}"` as is
> done in many other parts of makepkg, since package signing does not
> depend on the value of pkgname for anything.
>
> Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>
> ---
> .../libmakepkg/integrity/generate_signature.sh.in | 20 ++++++++------------
> 1 file changed, 8 insertions(+), 12 deletions(-)
>
> diff --git a/scripts/libmakepkg/integrity/generate_signature.sh.in b/scripts/libmakepkg/integrity/generate_signature.sh.in
> index 8bb69984..c8b938ab 100644
> --- a/scripts/libmakepkg/integrity/generate_signature.sh.in
> +++ b/scripts/libmakepkg/integrity/generate_signature.sh.in
> @@ -50,28 +50,24 @@ create_package_signatures() {
> if [[ $SIGNPKG != 'y' ]]; then
> return 0
> fi
> - local pkgarch pkg_file
> + local pkg pkgarch pkg_file
> local pkgname_backup=("${pkgname[@]}")
This variable is no longer needed.
> local fullver=$(get_full_version)
>
> msg "$(gettext "Signing package(s)...")"
>
> - for pkgname in ${pkgname_backup[@]}; do
> - pkgarch=$(get_pkg_arch $pkgname)
> - pkg_file="$PKGDEST/${pkgname}-${fullver}-${pkgarch}${PKGEXT}"
> + for pkg in "${pkgname[@]}"; do
> + pkgarch=$(get_pkg_arch $pkg)
> + pkg_file="$PKGDEST/${pkg}-${fullver}-${pkgarch}${PKGEXT}"
>
> create_signature "$pkg_file"
> done
>
> # check if debug package needs a signature
> if ! check_option "debug" "y" || ! check_option "strip" "y"; then
> - return
> + pkg=$pkgbase- at DEBUGSUFFIX@
> + pkgarch=$(get_pkg_arch)
> + pkg_file="$PKGDEST/${pkg}-${fullver}-${pkgarch}${PKGEXT}"
We should check this file exists. The create_signature function will
still fail when the package is not there, which can happen if there are
no binaries in the package (e.g. arch=any packages).
> + create_signature "$pkg_file"
> fi
> -
> - pkgname=$pkgbase- at DEBUGSUFFIX@
> - pkgarch=$(get_pkg_arch)
> - pkg_file="$PKGDEST/${pkgname}-${fullver}-${pkgarch}${PKGEXT}"
> - create_signature "$pkg_file"
> -
> - pkgname=("${pkgname_backup[@]}")
> }
>
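Review bot: the condition on the debug-package block is now inverted. `if ! check_option "debug" "y" || ! check_option "strip" "y"; then` used to guard the early `return`, so with the signing moved into that same branch the debug package is signed only when debug or strip is disabled, and skipped when both are enabled. Negate the test, for example `if check_option "debug" "y" && check_option "strip" "y"; then`. Separately, `$(get_pkg_arch $pkg)` leaves `$pkg` unquoted even though the loop itself now iterates over the quoted `"${pkgname[@]}"`; quote it there as well.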