Message ID | 20200811013225.1457594-1-eschwartz@archlinux.org |
---|---|
State | Under Review |
Series | [pacman-dev] makepkg: --source should download repos with PGP signatures |
On 11/8/20 11:32 am, Eli Schwartz wrote:
> We optimize this out for sourceballs since VCS sources don't get their
> checksums verified. But this logic is broken ever since we implemented
> PGP signature checking for git sources -- if the git source is signed,
> we still check it, but we don't make sure to download it first. makepkg
> then fails to generate a sourceball unless you previously ran
> --verifysource or attempted to build.
>
> Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>

I am not a fan of this - the whole source download logic becomes a bit piecemeal. I think we either need to:

1) Not download the source for source packages (unless --allsource is used), or
2) Download all sources when making source packages.

Allan

> --- > scripts/libmakepkg/source.sh.in | 5 ++++- > scripts/libmakepkg/source/git.sh.in | 9 ++++++--- > scripts/makepkg.sh.in | 2 +- > 3 files changed, 11 insertions(+), 5 deletions(-) > > diff --git a/scripts/libmakepkg/source.sh.in b/scripts/libmakepkg/source.sh.in > index a0c6b662..b95e6be8 100644 > --- a/scripts/libmakepkg/source.sh.in > +++ b/scripts/libmakepkg/source.sh.in > @@ -35,7 +35,7 @@ done > > download_sources() { > local netfile all_sources > - local get_source_fn=get_all_sources_for_arch get_vcs=1 > + local get_source_fn=get_all_sources_for_arch get_vcs=1 get_pgp=0 > > msg "$(gettext "Retrieving sources...")" > > @@ -47,6 +47,9 @@ download_sources() { > novcs) > get_vcs=0 > ;; > + getpgp) > + (( SKIPPGPCHECK )) || get_pgp=1 > + ;; > *) > break > ;; > diff --git a/scripts/libmakepkg/source/git.sh.in b/scripts/libmakepkg/source/git.sh.in > index 7d191b8d..d090f14e 100644 > --- a/scripts/libmakepkg/source/git.sh.in > +++ b/scripts/libmakepkg/source/git.sh.in 
> @@ -29,13 +29,16 @@ source "$LIBRARY/util/pkgbuild.sh" > > > download_git() { > + local netfile=$1 > + local query=$(get_uri_query "$netfile") > + > # abort early if parent says not to fetch > if declare -p get_vcs > /dev/null 2>&1; then > - (( get_vcs )) || return > + if (( ! get_pgp )) || [[ $query != signed ]]; then > + (( get_vcs )) || return > + fi > fi > > - local netfile=$1 > - > local dir=$(get_filepath "$netfile") > [[ -z "$dir" ]] && dir="$SRCDEST/$(get_filename "$netfile")" > > diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in > index 7e8d6805..c9940f0a 100644 > --- a/scripts/makepkg.sh.in > +++ b/scripts/makepkg.sh.in > @@ -1416,7 +1416,7 @@ if (( SOURCEONLY )); then > download_sources allarch > elif ( (( ! SKIPCHECKSUMS )) || \ > ( (( ! SKIPPGPCHECK )) && source_has_signatures ) ); then > - download_sources allarch novcs > + download_sources allarch novcs getpgp > fi > check_source_integrity all > cd_safe "$startdir" >
diff --git a/scripts/libmakepkg/source.sh.in b/scripts/libmakepkg/source.sh.in index a0c6b662..b95e6be8 100644 --- a/scripts/libmakepkg/source.sh.in +++ b/scripts/libmakepkg/source.sh.in @@ -35,7 +35,7 @@ done download_sources() { local netfile all_sources - local get_source_fn=get_all_sources_for_arch get_vcs=1 + local get_source_fn=get_all_sources_for_arch get_vcs=1 get_pgp=0 msg "$(gettext "Retrieving sources...")" @@ -47,6 +47,9 @@ download_sources() { novcs) get_vcs=0 ;; + getpgp) + (( SKIPPGPCHECK )) || get_pgp=1 + ;; *) break ;; diff --git a/scripts/libmakepkg/source/git.sh.in b/scripts/libmakepkg/source/git.sh.in index 7d191b8d..d090f14e 100644 --- a/scripts/libmakepkg/source/git.sh.in +++ b/scripts/libmakepkg/source/git.sh.in @@ -29,13 +29,16 @@ source "$LIBRARY/util/pkgbuild.sh" download_git() { + local netfile=$1 + local query=$(get_uri_query "$netfile") + # abort early if parent says not to fetch if declare -p get_vcs > /dev/null 2>&1; then - (( get_vcs )) || return + if (( ! get_pgp )) || [[ $query != signed ]]; then + (( get_vcs )) || return + fi fi - local netfile=$1 - local dir=$(get_filepath "$netfile") [[ -z "$dir" ]] && dir="$SRCDEST/$(get_filename "$netfile")" diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 7e8d6805..c9940f0a 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1416,7 +1416,7 @@ if (( SOURCEONLY )); then download_sources allarch elif ( (( ! SKIPCHECKSUMS )) || \ ( (( ! SKIPPGPCHECK )) && source_has_signatures ) ); then - download_sources allarch novcs + download_sources allarch novcs getpgp fi check_source_integrity all cd_safe "$startdir"
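Review bot: in the source.sh.in hunk the new `getpgp` keyword and the `get_pgp` flag it sets are undocumented, and the name misleads: it does not fetch PGP signatures, it re-enables fetching of VCS sources whose signature is going to be checked even when `novcs` was given. A one-line comment next to `get_vcs=1 get_pgp=0` or above the `getpgp)` case, stating that `get_pgp` is consumed by the per-protocol download functions through dynamic scope in the same way as `get_vcs`, would save the next reader from having to trace it into git.sh.in.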
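Review bot: in the git.sh.in hunk the early-return block reads `get_pgp` without the `declare -p` guard that protects `get_vcs`, so it only works because `(( ! get_pgp ))` evaluates an unset name as 0, and the nested double negative hides the actual rule (skip when the parent said `novcs`, unless it also said `getpgp` and this URL carries the `signed` query). Consider flattening it to a single guarded condition with a comment, for instance
    if declare -p get_vcs > /dev/null 2>&1 && (( ! get_vcs )); then
        (( get_pgp )) && [[ $query == signed ]] || return
    fi
which also makes the exact-match requirement on `$query` visible at the point where it is tested.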
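Review bot: in the makepkg.sh.in hunk `getpgp` is passed unconditionally, so the decision whether signed git sources get fetched is now split between this `elif`, which already tests `SKIPPGPCHECK` and `source_has_signatures`, and the `getpgp)` case in download_sources, which tests `SKIPPGPCHECK` a second time. The callee's re-check is needed because this branch is also entered when only checksum verification is enabled (`! SKIPCHECKSUMS`), but nothing on this line says so; either move the whole policy into download_sources or add a comment here explaining that `novcs getpgp` together means "non-VCS sources plus VCS sources that will be PGP-verified".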
We optimize this out for sourceballs since VCS sources don't get their checksums verified. But this logic is broken ever since we implemented PGP signature checking for git sources -- if the git source is signed, we still check it, but we don't make sure to download it first. makepkg then fails to generate a sourceball unless you previously ran --verifysource or attempted to build.

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
---
 scripts/libmakepkg/source.sh.in     | 5 ++++-
 scripts/libmakepkg/source/git.sh.in | 9 ++++++---
 scripts/makepkg.sh.in               | 2 +-
 3 files changed, 11 insertions(+), 5 deletions(-)