@@ -35,7 +35,7 @@ done
download_sources() {
local netfile all_sources
- local get_source_fn=get_all_sources_for_arch get_vcs=1
+ local get_source_fn=get_all_sources_for_arch get_vcs=1 get_pgp=0
msg "$(gettext "Retrieving sources...")"
@@ -47,6 +47,9 @@ download_sources() {
novcs)
get_vcs=0
;;
+ getpgp)
+ (( SKIPPGPCHECK )) || get_pgp=1
+ ;;
*)
break
;;
@@ -29,13 +29,16 @@ source "$LIBRARY/util/pkgbuild.sh"
download_git() {
+ local netfile=$1
+ local query=$(get_uri_query "$netfile")
+
# abort early if parent says not to fetch
if declare -p get_vcs > /dev/null 2>&1; then
- (( get_vcs )) || return
+ if (( ! get_pgp )) || [[ $query != signed ]]; then
+ (( get_vcs )) || return
+ fi
fi
- local netfile=$1
-
local dir=$(get_filepath "$netfile")
[[ -z "$dir" ]] && dir="$SRCDEST/$(get_filename "$netfile")"
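Review bot: The comment `# abort early if parent says not to fetch` above the guard no longer matches the condition, which now lets a source through when `get_pgp` is set and `$query` is `signed`, even with `get_vcs` at 0, so that the signature check has a fetched repository to work on. I would reword it along the lines of `# abort early if parent says not to fetch, unless a signed source is needed for PGP verification`. The exception matches `$query` against exactly `signed`; the code that decides whether a git source gets verified is not visible in this diff, so it is worth confirming that it uses the same test, otherwise a source could be selected for verification without having been downloaded first. `get_pgp` is read only under the `declare -p get_vcs` guard, which presumes that any parent declaring `get_vcs` also declares `get_pgp`, as `download_sources` does in the first hunk. The body of `download_git` continues outside the hunk.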
@@ -1416,7 +1416,7 @@ if (( SOURCEONLY )); then
download_sources allarch
elif ( (( ! SKIPCHECKSUMS )) || \
( (( ! SKIPPGPCHECK )) && source_has_signatures ) ); then
- download_sources allarch novcs
+ download_sources allarch novcs getpgp
fi
check_source_integrity all
cd_safe "$startdir"
We optimize this out for sourceballs since VCS sources don't get their checksums verified. But this logic is broken ever since we implemented PGP signature checking for git sources -- if the git source is signed, we still check it, but we don't make sure to download it first. makepkg then fails to generate a sourceball unless you previously ran --verifysource or attempted to build. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- scripts/libmakepkg/source.sh.in | 5 ++++- scripts/libmakepkg/source/git.sh.in | 9 ++++++--- scripts/makepkg.sh.in | 2 +- 3 files changed, 11 insertions(+), 5 deletions(-)