[pacman-dev] [PATCH] makepkg: --source should download repos with PGP signatures

Allan McRae allan at archlinux.org
Thu Apr 8 00:29:10 UTC 2021


On 11/8/20 11:32 am, Eli Schwartz wrote:
> We optimize this out for sourceballs since VCS sources don't get their
> checksums verified. But this logic is broken ever since we implemented
> PGP signature checking for git sources -- if the git source is signed,
> we still check it, but we don't make sure to download it first. makepkg
> then fails to generate a sourceball unless you previously ran
> --verifysource or attempted to build.
> 
> Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>


I am not a fan of this - the whole source download logic becomes a bit
piecemeal.

I think we either need to:

1) Not download the source for source packages (unless --allsource is used),

or

2) Download all sources when making source packages.

Allan



> ---
>  scripts/libmakepkg/source.sh.in     | 5 ++++-
>  scripts/libmakepkg/source/git.sh.in | 9 ++++++---
>  scripts/makepkg.sh.in               | 2 +-
>  3 files changed, 11 insertions(+), 5 deletions(-)
> 
> diff --git a/scripts/libmakepkg/source.sh.in b/scripts/libmakepkg/source.sh.in
> index a0c6b662..b95e6be8 100644
> --- a/scripts/libmakepkg/source.sh.in
> +++ b/scripts/libmakepkg/source.sh.in
> @@ -35,7 +35,7 @@ done
>  
>  download_sources() {
>  	local netfile all_sources
> -	local get_source_fn=get_all_sources_for_arch get_vcs=1
> +	local get_source_fn=get_all_sources_for_arch get_vcs=1 get_pgp=0
>  
>  	msg "$(gettext "Retrieving sources...")"
>  
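Review bot: `get_pgp` is a new local that download_git reads through bash's dynamic scoping, exactly like `get_vcs`, but unlike `get_vcs` nothing in this file says what it controls; a short comment on the `local get_source_fn=get_all_sources_for_arch get_vcs=1 get_pgp=0` line (for example "get_pgp=1: still fetch VCS sources whose URI query is 'signed' when get_vcs=0, so their signatures can be checked") would save readers of source.sh.in from having to open git.sh.in to understand the flag.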
> @@ -47,6 +47,9 @@ download_sources() {
>  			novcs)
>  				get_vcs=0
>  				;;
> +			getpgp)
> +				(( SKIPPGPCHECK )) || get_pgp=1
> +				;;
>  			*)
>  				break
>  				;;
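Review bot: the new `getpgp)` arm only changes behaviour when `novcs` is also given (with `get_vcs=1` every VCS source is fetched anyway), and nothing documents that pairing. The `(( SKIPPGPCHECK )) || get_pgp=1` guard is needed, because the caller in makepkg.sh.in also reaches this path when only checksums are enabled, but that means the SKIPPGPCHECK decision is now made both here and at the call site; either keep it in one place or add a comment on the arm explaining why the flag is ignored under SKIPPGPCHECK.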
> diff --git a/scripts/libmakepkg/source/git.sh.in b/scripts/libmakepkg/source/git.sh.in
> index 7d191b8d..d090f14e 100644
> --- a/scripts/libmakepkg/source/git.sh.in
> +++ b/scripts/libmakepkg/source/git.sh.in
> @@ -29,13 +29,16 @@ source "$LIBRARY/util/pkgbuild.sh"
>  
>  
>  download_git() {
> +	local netfile=$1
> +	local query=$(get_uri_query "$netfile")
> +
>  	# abort early if parent says not to fetch
>  	if declare -p get_vcs > /dev/null 2>&1; then
> -		(( get_vcs )) || return
> +		if (( ! get_pgp )) || [[ $query != signed ]]; then
> +			(( get_vcs )) || return
> +		fi
>  	fi
>  
> -	local netfile=$1
> -
>  	local dir=$(get_filepath "$netfile")
>  	[[ -z "$dir" ]] && dir="$SRCDEST/$(get_filename "$netfile")"
>  
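Review bot: the new early-return condition `if (( ! get_pgp )) || [[ $query != signed ]]; then` is a double negative that is easy to misread, and it quietly relies on `(( ! get_pgp ))` evaluating true when `get_pgp` is unset, since the `declare -p get_vcs` guard only proves that `get_vcs` exists. Consider stating the positive case instead, e.g. `if (( ! get_vcs )) && ! { (( get_pgp )) && [[ $query == signed ]]; }; then return; fi`, plus a comment that a signed git source is still fetched under novcs so its PGP signature can be verified. Moving `local netfile=$1` above the guard is required here because `$query` is derived from it; `local query=$(get_uri_query "$netfile")` masks get_uri_query's exit status, but that matches the existing `local dir=$(get_filepath "$netfile")` style, so it is fine to keep.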
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index 7e8d6805..c9940f0a 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -1416,7 +1416,7 @@ if (( SOURCEONLY )); then
>  		download_sources allarch
>  	elif ( (( ! SKIPCHECKSUMS )) || \
>  			( (( ! SKIPPGPCHECK )) && source_has_signatures ) ); then
> -		download_sources allarch novcs
> +		download_sources allarch novcs getpgp
>  	fi
>  	check_source_integrity all
>  	cd_safe "$startdir"
> 
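Review bot: `getpgp` is appended unconditionally here, including when this `elif` was entered only because `SKIPCHECKSUMS` is unset and `SKIPPGPCHECK` is set, so correctness depends on download_sources re-checking SKIPPGPCHECK in its `getpgp)` arm. Since `(( ! SKIPPGPCHECK )) && source_has_signatures` is already evaluated in the condition two lines above, building the argument list from that result (only passing `getpgp` when it is true) would keep the decision at one site and let the download-side arm become a plain `get_pgp=1`.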

