[pacman-dev] [PATCH] makepkg: --source should download repos with PGP signatures
Eli Schwartz
eschwartz at archlinux.org
Tue Aug 11 01:32:25 UTC 2020
We optimize this out for sourceballs since VCS sources don't get their
checksums verified. But this logic is broken ever since we implemented
PGP signature checking for git sources -- if the git source is signed,
we still check it, but we don't make sure to download it first. makepkg
then fails to generate a sourceball unless you previously ran
--verifysource or attempted to build.
Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>
---
scripts/libmakepkg/source.sh.in | 5 ++++-
scripts/libmakepkg/source/git.sh.in | 9 ++++++---
scripts/makepkg.sh.in | 2 +-
3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/scripts/libmakepkg/source.sh.in b/scripts/libmakepkg/source.sh.in
index a0c6b662..b95e6be8 100644
--- a/scripts/libmakepkg/source.sh.in
+++ b/scripts/libmakepkg/source.sh.in
@@ -35,7 +35,7 @@ done
download_sources() {
local netfile all_sources
- local get_source_fn=get_all_sources_for_arch get_vcs=1
+ local get_source_fn=get_all_sources_for_arch get_vcs=1 get_pgp=0
msg "$(gettext "Retrieving sources...")"
@@ -47,6 +47,9 @@ download_sources() {
novcs)
get_vcs=0
;;
+ getpgp)
+ (( SKIPPGPCHECK )) || get_pgp=1
+ ;;
*)
break
;;
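Review bot: The new `getpgp` keyword in this case statement has no comment explaining what it means, and judging by the git.sh.in hunk it only matters when `novcs` is also passed, since `get_pgp` is read solely to bypass the `get_vcs` early return. A comment above the arm would help, for example `# getpgp: with novcs, still fetch VCS sources that carry a PGP signature (no-op when SKIPPGPCHECK is set)`. The value reaches download_git only through dynamic scoping of the `get_pgp` local, the same way `get_vcs` does, which is worth a short note where the local is declared. The case statement begins above this hunk.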
diff --git a/scripts/libmakepkg/source/git.sh.in b/scripts/libmakepkg/source/git.sh.in
index 7d191b8d..d090f14e 100644
--- a/scripts/libmakepkg/source/git.sh.in
+++ b/scripts/libmakepkg/source/git.sh.in
@@ -29,13 +29,16 @@ source "$LIBRARY/util/pkgbuild.sh"
download_git() {
+ local netfile=$1
+ local query=$(get_uri_query "$netfile")
+
# abort early if parent says not to fetch
if declare -p get_vcs > /dev/null 2>&1; then
- (( get_vcs )) || return
+ if (( ! get_pgp )) || [[ $query != signed ]]; then
+ (( get_vcs )) || return
+ fi
fi
- local netfile=$1
-
local dir=$(get_filepath "$netfile")
[[ -z "$dir" ]] && dir="$SRCDEST/$(get_filename "$netfile")"
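Review bot: The comment `# abort early if parent says not to fetch` no longer matches the condition beneath it, because a git source whose query is `signed` is now fetched even when `get_vcs` is 0, provided `get_pgp` is set. I would reword it to `# abort early if parent says not to fetch, unless the source is signed and will be PGP-verified`. The literal `signed` comparison must stay in step with whatever test the signature-verification code uses to decide a git source is signed (not visible in this patch); if the two drift, the verifier would again look for a repo that was never downloaded, so a shared helper would be safer than repeating the string. Separately, `local query=$(get_uri_query "$netfile")` hides a failure of get_uri_query behind `local`'s exit status, whereas `local query; query=$(get_uri_query "$netfile")` keeps it visible. download_git continues past the end of this hunk.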
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 7e8d6805..c9940f0a 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -1416,7 +1416,7 @@ if (( SOURCEONLY )); then
download_sources allarch
elif ( (( ! SKIPCHECKSUMS )) || \
( (( ! SKIPPGPCHECK )) && source_has_signatures ) ); then
- download_sources allarch novcs
+ download_sources allarch novcs getpgp
fi
check_source_integrity all
cd_safe "$startdir"
--
2.28.0