From patchwork Sat May 28 14:18:12 2022
X-Patchwork-Submitter: Morten Linderud
X-Patchwork-Id: 2062
From: Morten Linderud
To: pacman-dev@lists.archlinux.org
Cc: Morten Linderud
Subject: [PATCH] makepkg: Implement the verify function
Date: Sat, 28 May 2022 16:18:12 +0200
Message-Id: <20220528141812.2355346-1-foxboron@archlinux.org>
X-Mailer: git-send-email 2.36.1

This patch implements a new verify function in makepkg. It allows us to do arbitrary authentication on sources before extraction. There are several new signing and validation methods being implemented and it would be hard to have `makepkg` implement support for things such as sequoia, cosign or minisign. This would allow us to distribute generic validation functions.

This also implements a new `copy_` routine for our protocols as we need to have a separation between extracting sources and copying sources.
Signed-off-by: Morten Linderud --- doc/PKGBUILD.5.asciidoc | 4 ++++ doc/makepkg.8.asciidoc | 3 +++ scripts/libmakepkg/integrity.sh.in | 3 +++ scripts/libmakepkg/source.sh.in | 15 +++++++++++++++ scripts/libmakepkg/source/file.sh.in | 9 ++++++++- scripts/makepkg.sh.in | 17 ++++++++++++++++- 6 files changed, 49 insertions(+), 2 deletions(-) diff --git a/doc/PKGBUILD.5.asciidoc b/doc/PKGBUILD.5.asciidoc index 4ca8eb3b..e7743c88 100644 --- a/doc/PKGBUILD.5.asciidoc +++ b/doc/PKGBUILD.5.asciidoc @@ -344,6 +344,10 @@ function. fakeroot to ensure correct file permissions in the resulting package. All other functions will be run as the user calling makepkg. +*verify() Function*:: + An optional `verify()` function can be specified to implement arbiterary + source authentication. This function is run before sources are extracted. + *prepare() Function*:: An optional `prepare()` function can be specified in which operations to prepare the sources for building, such as patching, are performed. This diff --git a/doc/makepkg.8.asciidoc b/doc/makepkg.8.asciidoc index 38032e7b..75b2139f 100644 --- a/doc/makepkg.8.asciidoc +++ b/doc/makepkg.8.asciidoc @@ -168,6 +168,9 @@ Options *\--noprepare*:: Do not run the prepare() function in the PKGBUILD. +*\--noverify*:: + Do not run the verify() function in the PKGBUILD. + *\--sign*:: Sign the resulting package with gpg, overriding the setting in linkman:makepkg.conf[5]. diff --git a/scripts/libmakepkg/integrity.sh.in b/scripts/libmakepkg/integrity.sh.in index 070392fa..81f935df 100644 --- a/scripts/libmakepkg/integrity.sh.in +++ b/scripts/libmakepkg/integrity.sh.in @@ -42,4 +42,7 @@ check_source_integrity() { check_checksums "$@" check_pgpsigs "$@" fi + if (( VERIFYFUNC )); then + run_verify + fi } diff --git a/scripts/libmakepkg/source.sh.in b/scripts/libmakepkg/source.sh.in index e39dd16c..92dc71e4 100644 --- a/scripts/libmakepkg/source.sh.in +++ b/scripts/libmakepkg/source.sh.in 
@@ -69,6 +69,21 @@ download_sources() { done } +copy_sources(){ + msg "$(gettext "Copying sources...")" + local netfile all_sources + + get_all_sources_for_arch 'all_sources' + for netfile in "${all_sources[@]}"; do + local proto=$(get_protocol "$netfile") + if declare -f copy_$proto > /dev/null; then + copy_$proto "$netfile" + else + copy_file "$netfile" + fi + done +} + extract_sources() { msg "$(gettext "Extracting sources...")" local netfile all_sources diff --git a/scripts/libmakepkg/source/file.sh.in b/scripts/libmakepkg/source/file.sh.in index fa09d446..51452550 100644 --- a/scripts/libmakepkg/source/file.sh.in +++ b/scripts/libmakepkg/source/file.sh.in @@ -82,13 +82,20 @@ download_file() { fi } -extract_file() { +copy_file(){ local netfile=$1 local file=$(get_filename "$netfile") local filepath=$(get_filepath "$file") rm -f "$srcdir/${file}" ln -s "$filepath" "$srcdir/" +} + +extract_file() { + local netfile=$1 + + local file=$(get_filename "$netfile") + local filepath=$(get_filepath "$file") if in_array "$file" "${noextract[@]}"; then # skip source files in the noextract=() array diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 5aaabf63..b7b21af1 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -144,6 +144,9 @@ clean_up() { if (( PKGVERFUNC )); then rm -f "${pkgbase}-${fullver}-${CARCH}-pkgver.log"* fi + if (( VERIFYFUNC )); then + rm -f "${pkgbase}-${fullver}-${CARCH}-verify.log"* + fi if (( PREPAREFUNC )); then rm -f "${pkgbase}-${fullver}-${CARCH}-prepare.log"* fi @@ -447,6 +450,10 @@ run_function() { fi } +run_verify() { + run_function_safe "verify" +} + run_prepare() { run_function_safe "prepare" } @@ -973,6 +980,7 @@ while true; do -m|--nocolor) USE_COLOR='n'; PACMAN_OPTS+=("--color" "never") ;; --noarchive) NOARCHIVE=1 ;; --nocheck) RUN_CHECK='n' ;; + --noverify) RUN_VERIFY='n' ;; --noprepare) RUN_PREPARE='n' ;; --nosign) SIGNPKG='n' ;; -o|--nobuild) BUILDPKG=0 NOBUILD=1 ;; 
@@ -1093,7 +1101,7 @@ fi unset pkgname "${pkgbuild_schema_strings[@]}" "${pkgbuild_schema_arrays[@]}" unset "${known_hash_algos[@]/%/sums}" -unset -f pkgver prepare build check package "${!package_@}" +unset -f pkgver verify prepare build check package "${!package_@}" unset "${!makedepends_@}" "${!depends_@}" "${!source_@}" "${!checkdepends_@}" unset "${!optdepends_@}" "${!conflicts_@}" "${!provides_@}" "${!replaces_@}" unset "${!cksums_@}" "${!md5sums_@}" "${!sha1sums_@}" "${!sha224sums_@}" @@ -1165,6 +1173,12 @@ if (( ${#pkgname[@]} > 1 )) || have_function package_${pkgname}; then fi # test for available PKGBUILD functions +if have_function verify; then + # "Hide" verify() function if not going to be run + if [[ $RUN_VERIFY != "n" ]]; then + VERIFYFUNC=1 + fi +fi if have_function prepare; then # "Hide" prepare() function if not going to be run if [[ $RUN_PREPARE != "n" ]]; then @@ -1312,6 +1326,7 @@ if (( !REPKG )); then warning "$(gettext "Using existing %s tree")" "\$srcdir/" else download_sources + copy_sources check_source_integrity (( VERIFYSOURCE )) && exit $E_OK
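Review bot: typo in the new *verify() Function* paragraph of doc/PKGBUILD.5.asciidoc: "arbiterary" should be "arbitrary". The same paragraph should also tell PKGBUILD authors what verify() can rely on: with the call order in the makepkg.sh.in hunk (download_sources, copy_sources, check_source_integrity) it runs after the checksum and PGP checks and after copy_sources has placed the source files in $srcdir, so the files are reachable there and verify() is an additional gate on top of the sums, not a replacement for them.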
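Review bot: the *\--noverify* entry in doc/makepkg.8.asciidoc only says "Do not run the verify() function", but unlike --noprepare this disables a source authentication step; one more sentence stating that the PKGBUILD's own source authentication is skipped would make the consequence clear to someone reading the option list.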
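Review bot: in scripts/libmakepkg/integrity.sh.in the new `if (( VERIFYFUNC )); then run_verify; fi` sits after the `fi` that closes the checksum/PGP branch, so verify() runs even when that branch was skipped; if verify() is meant to be an independent check that is fine but should be stated in the docs, otherwise the call belongs inside the branch. Also, run_verify and run_function_safe live in scripts/makepkg.sh.in while the call is made from a libmakepkg file, so the library now depends on a function from the main script; either define run_verify next to the library code or have the caller in makepkg.sh.in invoke it.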
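Review bot: in scripts/libmakepkg/source.sh.in, copy_sources falls back to copy_file for every protocol that has no copy_$proto handler, which now includes the VCS protocols that previously never went through extract_file; copy_file does `rm -f "$srcdir/${file}"` followed by `ln -s "$filepath" "$srcdir/"`, so confirm that get_filepath yields something sensible for a VCS netfile and that the resulting symlink in $srcdir does not interfere with that protocol's extract_ function, or give those protocols an explicit no-op copy_ handler. Style: `copy_sources(){` should be `copy_sources() {` to match extract_sources() right below it.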
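Review bot: in scripts/libmakepkg/source/file.sh.in the split leaves extract_file computing `filepath` via get_filepath although the `ln -s` that used it moved to copy_file; if nothing in the remainder of extract_file references it, drop the now-unused local. `copy_file(){` also needs the space before the brace like the surrounding definitions. Worth a comment as well: copy_file symlinks into $srcdir rather than copying, so the name should not lead a reader of verify() to assume the file in $srcdir is independent of SRCDEST.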
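Review bot: the `--noverify) RUN_VERIFY='n' ;;` case arm in scripts/makepkg.sh.in is added, but nothing in the patch registers `noverify` in the long-option list that makepkg hands to its option parser or adds it to the usage text; the diffstat for scripts/makepkg.sh.in (17 lines) is fully accounted for by the visible hunks, so the option would be rejected as unknown before this arm is reached. Add it to the option list and to usage().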
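Review bot: the `if have_function verify` block in scripts/makepkg.sh.in relies on RUN_VERIFY being unset (so the `!= "n"` test passes) and on `(( VERIFYFUNC ))` treating an unset variable as 0; initialising both where the other RUN_* and *FUNC flags are declared keeps the new flag discoverable and avoids surprises if the script ever runs under stricter shell settings.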
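Review bot: with `copy_sources` inserted before `check_source_integrity` in the final scripts/makepkg.sh.in hunk, the existing `(( VERIFYSOURCE )) && exit $E_OK` now means `makepkg --verifysource` also runs the PKGBUILD's verify(); that seems desirable, but the commit message and the --verifysource documentation should say so, and verify() authors need to know that extraction does not necessarily follow.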