[pacman-dev] Setting HOME in build() breaks package signing
brainpower
brainpower at mailbox.org
Tue May 5 20:11:40 UTC 2020
Hi,
a while back I came across a PKGBUILD which changed $HOME in build() as a workaround for a bad installer [1].
For some reason this failed to build with `makepkg --sign`, claiming it could not find my gpg key, see snippet below.
After some time debugging this, I found changing $HOME broke the check for the key
because gpg would look for its .gnupg dir in the "new" $HOME, not the $HOME makepkg was started with.
I solved this by editing the PKGBUILD to restore $HOME before exiting build().
I had thought changing $HOME was only used in that single case and didn't think much of it,
but today a PKGBUILD [3] posted in a question on aur-general [2] reminded me of this
and it seems this workaround is considered by packagers more commonly than I thought...
This made me wonder:
Is this something makepkg should take care of (e.g. by restoring $HOME after build() or ensuring gpg will use $OLDHOME/.gnupg)
or should such a PKGBUILD be considered broken / invalid?
$ makepkg --sign
==> Making package: broken-home 1-1 (Tue May 5 21:35:57 2020)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
==> Extracting sources...
==> Removing existing $pkgdir/ directory...
==> Starting build()...
==> Entering fakeroot environment...
==> ERROR: The key 06ABC843BA90E65B does not exist in your keyring.
$ gpg --list-key 06ABC843BA90E65B :(
pub rsa4096 2019-03-05 [SC]
59EB8C1AF8CFEBF4A683760206ABC843BA90E65B
uid [ultimate] package signing key <brainpower at mailbox.org>
sub rsa4096 2019-03-05 [E]
$ cat PKGBUILD
pkgname=broken-home
pkgver=1
pkgrel=1
arch=('any')
build() {
  export HOME="${srcdir}/tmphome"
}
package() {
  true
}
[1]: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=mongodb-compass-isolated&id=a714f2bb3a564e8b1e1659b999d719cfaf535c24#n48
[2]: https://lists.archlinux.org/pipermail/aur-general/2020-May/035729.html
[3]: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=intel-opencl-sdk&id=a426e7bc370edea770037b6ed61e22701e8a0397#n38
--
regards,
brainpower
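
The failure and the fixes discussed in the message above, as an added shell sketch that is not part of the original post and is not makepkg code. It assumes gpg's keyring lookup of `$GNUPGHOME` with a fallback to `$HOME/.gnupg`; every function name except build()'s variants is hypothetical and all paths are constructed.

```shell
#!/bin/sh
# Added illustration, not makepkg code. Names other than the PKGBUILD
# variable srcdir are hypothetical; all paths are constructed.

# Where gpg looks for its keyring: $GNUPGHOME if set, otherwise $HOME/.gnupg.
gnupg_home() {
    printf '%s\n' "${GNUPGHOME:-$HOME/.gnupg}"
}

# build() as in the report: the exported HOME outlives the function.
build_leaky() {
    export HOME="${srcdir}/tmphome"
    :   # the installer that needs a throwaway HOME would run here
}

# The fix described in the report: put HOME back before build() returns.
build_restore() {
    _oldhome=$HOME
    export HOME="${srcdir}/tmphome"
    :   # installer
    export HOME="$_oldhome"
}

# Alternative: a subshell body, so the change cannot escape even on failure.
build_scoped() (
    export HOME="${srcdir}/tmphome"
    :   # installer
)

# Simplified stand-in for the caller: run the named build function in the
# current shell, then print the keyring directory a later gpg call would use.
# $2, if given, is exported as GNUPGHOME beforehand to pin the keyring.
keyring_after() (
    srcdir=/constructed/src
    export HOME=/home/packager
    unset GNUPGHOME
    if [ -n "${2:-}" ]; then export GNUPGHOME="$2"; fi
    "$1"
    gnupg_home
)

for fn in build_leaky build_restore build_scoped; do
    printf '%-14s -> %s\n' "$fn" "$(keyring_after "$fn")"
done
printf '%-14s -> %s\n' "leaky+pinned" \
    "$(keyring_after build_leaky /home/packager/.gnupg)"
```

Only the first line of output points at the temporary directory; the pinned case shows that exporting `GNUPGHOME` before the build keeps the signing keyring reachable even when build() leaks its HOME change.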