[pacman-dev] [PATCH] makepkg: --source should download repos with PGP signatures

Eli Schwartz eschwartz at archlinux.org
Tue Aug 11 01:32:25 UTC 2020


We optimize this out for sourceballs since VCS sources don't get their
checksums verified. But this logic has been broken ever since we implemented
PGP signature checking for git sources -- if the git source is signed,
we still check it, but we don't make sure to download it first. makepkg
then fails to generate a sourceball unless you previously ran
--verifysource or attempted to build.

Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>
---
 scripts/libmakepkg/source.sh.in     | 5 ++++-
 scripts/libmakepkg/source/git.sh.in | 9 ++++++---
 scripts/makepkg.sh.in               | 2 +-
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/scripts/libmakepkg/source.sh.in b/scripts/libmakepkg/source.sh.in
index a0c6b662..b95e6be8 100644
--- a/scripts/libmakepkg/source.sh.in
+++ b/scripts/libmakepkg/source.sh.in
@@ -35,7 +35,7 @@ done
 
 download_sources() {
 	local netfile all_sources
-	local get_source_fn=get_all_sources_for_arch get_vcs=1
+	local get_source_fn=get_all_sources_for_arch get_vcs=1 get_pgp=0
 
 	msg "$(gettext "Retrieving sources...")"
 
@@ -47,6 +47,9 @@ download_sources() {
 			novcs)
 				get_vcs=0
 				;;
+			getpgp)
+				(( SKIPPGPCHECK )) || get_pgp=1
+				;;
 			*)
 				break
 				;;
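Review bot: The `getpgp)` arm in download_sources has no comment explaining why it tests `SKIPPGPCHECK` again, and the test reads as redundant next to the caller's own check. It is needed: the call site in makepkg.sh.in passes `getpgp` whenever checksums are enabled, even if PGP checking was skipped. I would add `# only fetch signed VCS sources when PGP verification will actually run` above the assignment, so a later cleanup does not drop the guard. The surrounding `case` and its loop start outside this hunk.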
diff --git a/scripts/libmakepkg/source/git.sh.in b/scripts/libmakepkg/source/git.sh.in
index 7d191b8d..d090f14e 100644
--- a/scripts/libmakepkg/source/git.sh.in
+++ b/scripts/libmakepkg/source/git.sh.in
@@ -29,13 +29,16 @@ source "$LIBRARY/util/pkgbuild.sh"
 
 
 download_git() {
+	local netfile=$1
+	local query=$(get_uri_query "$netfile")
+
 	# abort early if parent says not to fetch
 	if declare -p get_vcs > /dev/null 2>&1; then
-		(( get_vcs )) || return
+		if (( ! get_pgp )) || [[ $query != signed ]]; then
+			(( get_vcs )) || return
+		fi
 	fi
 
-	local netfile=$1
-
 	local dir=$(get_filepath "$netfile")
 	[[ -z "$dir" ]] && dir="$SRCDEST/$(get_filename "$netfile")"
 
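Review bot: The comment `# abort early if parent says not to fetch` no longer matches the guard in download_git. A `?signed` source is now fetched even when the parent passed `novcs`, since, per the commit message, the signature is still checked and the repo has to be downloaded first. I would reword it to `# skip the fetch when the parent disabled VCS downloads, unless PGP checking needs this signed repo`. The same comment should say that `get_pgp` is inherited from download_sources through dynamic scoping, while the `declare -p` guard tests only `get_vcs`. An unset `get_pgp` evaluates to 0 inside `(( ))`, so a caller that sets only `get_vcs` keeps the old skip behaviour. The function body continues past the end of this hunk.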
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 7e8d6805..c9940f0a 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -1416,7 +1416,7 @@ if (( SOURCEONLY )); then
 		download_sources allarch
 	elif ( (( ! SKIPCHECKSUMS )) || \
 			( (( ! SKIPPGPCHECK )) && source_has_signatures ) ); then
-		download_sources allarch novcs
+		download_sources allarch novcs getpgp
 	fi
 	check_source_integrity all
 	cd_safe "$startdir"
-- 
2.28.0

