[pacman-dev] makepkg: --source should download repos with PGP signatures

Message ID 20200811013225.1457594-1-eschwartz@archlinux.org
State New
Series
  • [pacman-dev] makepkg: --source should download repos with PGP signatures

Commit Message

Eli Schwartz Aug. 11, 2020, 1:32 a.m. UTC
We optimize this out for sourceballs since VCS sources don't get their
checksums verified. But this logic is broken ever since we implemented
PGP signature checking for git sources -- if the git source is signed,
we still check it, but we don't make sure to download it first. makepkg
then fails to generate a sourceball unless you previously ran
--verifysource or attempted to build.

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
---
 scripts/libmakepkg/source.sh.in     | 5 ++++-
 scripts/libmakepkg/source/git.sh.in | 9 ++++++---
 scripts/makepkg.sh.in               | 2 +-
 3 files changed, 11 insertions(+), 5 deletions(-)

Patch

diff --git a/scripts/libmakepkg/source.sh.in b/scripts/libmakepkg/source.sh.in
index a0c6b662..b95e6be8 100644
--- a/scripts/libmakepkg/source.sh.in
+++ b/scripts/libmakepkg/source.sh.in
@@ -35,7 +35,7 @@  done
 
 download_sources() {
 	local netfile all_sources
-	local get_source_fn=get_all_sources_for_arch get_vcs=1
+	local get_source_fn=get_all_sources_for_arch get_vcs=1 get_pgp=0
 
 	msg "$(gettext "Retrieving sources...")"
 
@@ -47,6 +47,9 @@  download_sources() {
 			novcs)
 				get_vcs=0
 				;;
+			getpgp)
+				(( SKIPPGPCHECK )) || get_pgp=1
+				;;
 			*)
 				break
 				;;
diff --git a/scripts/libmakepkg/source/git.sh.in b/scripts/libmakepkg/source/git.sh.in
index 7d191b8d..d090f14e 100644
--- a/scripts/libmakepkg/source/git.sh.in
+++ b/scripts/libmakepkg/source/git.sh.in
@@ -29,13 +29,16 @@  source "$LIBRARY/util/pkgbuild.sh"
 
 
 download_git() {
+	local netfile=$1
+	local query=$(get_uri_query "$netfile")
+
 	# abort early if parent says not to fetch
 	if declare -p get_vcs > /dev/null 2>&1; then
-		(( get_vcs )) || return
+		if (( ! get_pgp )) || [[ $query != signed ]]; then
+			(( get_vcs )) || return
+		fi
 	fi
 
-	local netfile=$1
-
 	local dir=$(get_filepath "$netfile")
 	[[ -z "$dir" ]] && dir="$SRCDEST/$(get_filename "$netfile")"
 
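Review bot: The comment `# abort early if parent says not to fetch` no longer matches the guard beneath it, because a source whose query is `signed` is now fetched even when the parent passed `novcs`, provided `get_pgp` is set. I would reword it to `# abort early if parent says not to fetch, unless PGP checking needs this signed source`, so the next reader does not simplify the nested condition away and reintroduce a signature check against a repo that was never downloaded. Separately, `local query=$(get_uri_query "$netfile")` hides the helper's exit status behind `local`. The existing `local dir=$(...)` line does the same, so this matches the file's style, but declaring and assigning on separate lines would be safer. The body of download_git continues past the end of the hunk.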
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 7e8d6805..c9940f0a 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -1416,7 +1416,7 @@  if (( SOURCEONLY )); then
 		download_sources allarch
 	elif ( (( ! SKIPCHECKSUMS )) || \
 			( (( ! SKIPPGPCHECK )) && source_has_signatures ) ); then
-		download_sources allarch novcs
+		download_sources allarch novcs getpgp
 	fi
 	check_source_integrity all
 	cd_safe "$startdir"
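Review bot: With `--skipchecksums`, `getpgp` is only passed if `source_has_signatures` returns true for a PKGBUILD whose only signed source is a `?signed` git URL, and that function is not shown in this patch. If it recognises only detached signature files, this branch is skipped and `check_source_integrity all` would still run against a repo that was never fetched, which is the failure the commit message describes. That is worth confirming. A short comment here, such as `# getpgp: still fetch VCS sources that carry a signature to verify`, would also explain why `novcs` and `getpgp` appear together. The enclosing `if (( SOURCEONLY ))` block starts and ends outside the hunk.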