From 331b277eea9cf1be8928986dbb706d738487e93b Mon Sep 17 00:00:00 2001
From: Morten Linderud
Date: Wed, 11 May 2022 20:19:35 +0200
Subject: [PATCH] makepkg: Implement the verify function
This patch implements a new verify function in makepkg. It allows us to do arbitrary authentication on sources before extraction. There are several new signing and validation methods being implemented and it would be hard to have `makepkg` implement support for things such as sequoia, cosign or minisign. This would allow us to distribute generic validation functions.
Signed-off-by: Morten Linderud
---
 doc/PKGBUILD.5.asciidoc | 11 ++++++++++-
 doc/makepkg.8.asciidoc | 3 +++
 scripts/libmakepkg/integrity.sh.in | 3 +++
 scripts/makepkg.sh.in | 21 ++++++++++++++++++---
 4 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/doc/PKGBUILD.5.asciidoc b/doc/PKGBUILD.5.asciidoc
index bfb9b3fe..5b4e5b20 100644
--- a/doc/PKGBUILD.5.asciidoc
+++ b/doc/PKGBUILD.5.asciidoc
@@ -336,6 +336,13 @@ function. the optional functions listed below. The packaging stage is run using fakeroot to ensure correct file permissions in the resulting package. All other functions will be run as the user calling makepkg. + This function is run inside `$srcdir`. + +*verify() Function*:: + An optional `verify()` function can be specified to implement arbiterary + source authentication. The function should return a non-zero exit code when + verification fails. This function is run before sources are extracted. + This function is run inside `$startdir`. *prepare() Function*:: An optional `prepare()` function can be specified in which operations to
@@ -343,16 +350,19 @@ function. function is run after the source extraction and before the `build()` function. The `prepare()` function is skipped when source extraction is skipped. + This function is run inside `$srcdir`. *build() Function*:: The optional `build()` function is used to compile and/or adjust the source files in preparation to be installed by the `package()` function. + This function is run inside `$srcdir`. *check() Function*:: An optional `check()` function can be specified in which a package's test-suite may be run. This function is run between the `build()` and `package()` functions. Be sure any exotic commands used are covered by the `checkdepends` array. + This function is run inside `$srcdir`. All of the above variables such as `$pkgname` and `$pkgver` are available for use in the packaging functions. In addition, makepkg defines the following
@@ -362,7 +372,6 @@ variables: This contains the directory where makepkg extracts, or copies, all source files. + -All of the packaging functions defined above are run starting inside `$srcdir` *pkgdir*:: This contains the directory where makepkg bundles the installed package.
diff --git a/doc/makepkg.8.asciidoc b/doc/makepkg.8.asciidoc
index 44156656..a69250ff 100644
--- a/doc/makepkg.8.asciidoc
+++ b/doc/makepkg.8.asciidoc
@@ -171,6 +171,9 @@ Options *\--noprepare*:: Do not run the prepare() function in the PKGBUILD. +*\--noverify*:: + Do not run the verify() function in the PKGBUILD. + *\--sign*:: Sign the resulting package with gpg, overriding the setting in linkman:makepkg.conf[5].
diff --git a/scripts/libmakepkg/integrity.sh.in b/scripts/libmakepkg/integrity.sh.in
index 070392fa..81f935df 100644
--- a/scripts/libmakepkg/integrity.sh.in
+++ b/scripts/libmakepkg/integrity.sh.in
@@ -42,4 +42,7 @@ check_source_integrity() {
 check_checksums "$@"
 check_pgpsigs "$@"
 fi
+ if (( VERIFYFUNC )); then
+ run_verify
+ fi
 }
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 3769d624..2aaed18c 100644
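Review bot: The new `if (( VERIFYFUNC ))` block at the end of check_source_integrity() says nothing about when VERIFYFUNC is set, so a reader of integrity.sh.in alone cannot see that verify() is already tied to the checksum/PGP gating in makepkg.sh.in (the -1182 hunk sets VERIFYFUNC only when verify() is defined, --noverify was not given, and neither SKIPCHECKSUMS nor SKIPPGPCHECK is set). I would add `# VERIFYFUNC is set by makepkg only when verify() exists, --noverify was not given and no integrity check was skipped` above the block. It would also help to note that run_verify() runs the PKGBUILD's verify() in $startdir through run_function_safe, so a failure is presumably handled by that function's ERR trap rather than by a return code checked here.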
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -144,6 +144,9 @@ clean_up() {
 if (( PKGVERFUNC )); then
 rm -f "${pkgbase}-${fullver}-${CARCH}-pkgver.log"*
 fi
+ if (( VERIFYFUNC )); then
+ rm -f "${pkgbase}-${fullver}-${CARCH}-verify.log"*
+ fi
 if (( PREPAREFUNC )); then
 rm -f "${pkgbase}-${fullver}-${CARCH}-prepare.log"*
 fi
@@ -398,7 +401,7 @@ run_function_safe() {
 restoretrap=$(trap -p ERR)
 trap "error_function '$1'" ERR
- run_function "$1"
+ run_function "$1" "$2"
 trap - ERR
 eval "$restoretrap"
@@ -410,11 +413,12 @@ run_function() {
 return 1
 fi
 local pkgfunc="$1"
+ local workingdir="${2:-$srcdir}"
 if (( ! BASH_SUBSHELL )); then
 msg "$(gettext "Starting %s()...")" "$pkgfunc"
 fi
- cd_safe "$srcdir"
+ cd_safe "$workingdir"
 local ret=0
 if (( LOGGING )); then
@@ -447,6 +451,10 @@ run_function() {
 fi
 }
+run_verify() {
+ run_function_safe "verify" "$startdir"
+ }
+
 run_prepare() {
 run_function_safe "prepare"
 }
@@ -984,6 +992,7 @@ while true; do
 -m|--nocolor) USE_COLOR='n'; PACMAN_OPTS+=("--color" "never") ;;
 --noarchive) NOARCHIVE=1 ;;
 --nocheck) RUN_CHECK='n' ;;
+ --noverify) RUN_VERIFY='n' ;;
 --noprepare) RUN_PREPARE='n' ;;
 --nosign) SIGNPKG='n' ;;
 -o|--nobuild) BUILDPKG=0 NOBUILD=1 ;;
@@ -1110,7 +1119,7 @@ fi
 unset pkgname "${pkgbuild_schema_strings[@]}" "${pkgbuild_schema_arrays[@]}"
 unset "${known_hash_algos[@]/%/sums}"
-unset -f pkgver prepare build check package "${!package_@}"
+unset -f pkgver verify prepare build check package "${!package_@}"
 unset "${!makedepends_@}" "${!depends_@}" "${!source_@}" "${!checkdepends_@}"
 unset "${!optdepends_@}" "${!conflicts_@}" "${!provides_@}" "${!replaces_@}"
 unset "${!cksums_@}" "${!md5sums_@}" "${!sha1sums_@}" "${!sha224sums_@}"
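Review bot: run_function() gains a second positional parameter in `local workingdir="${2:-$srcdir}"` but nothing documents it, and run_function_safe now forwards `"$2"` unconditionally, so every existing one-argument caller relies on the `:-` default swallowing an empty string. A parameter comment at the top of run_function, e.g. `# $1: PKGBUILD function to run; $2: directory to run it in (defaults to $srcdir)`, would make that contract explicit for the new run_verify() caller that passes $startdir. The opening lines of run_function() and of run_function_safe() are outside these hunks.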
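Review bot: The `--noverify) RUN_VERIFY='n' ;;` case is added, but no hunk in this patch adds `noverify` to the long-option list (OPT_LONG) that makepkg hands to parseopts before this `case` statement is reached, so as far as the diff shows `--noverify` would be rejected as an unrecognised option and the switch documented in the makepkg.8 hunk would never take effect. If parseopts does validate against that list, as I recall it does, `noverify` needs to be appended to OPT_LONG next to `noprepare`. The enclosing `while true; do` loop starts and ends outside the hunk.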
@@ -1182,6 +1191,12 @@ if (( ${#pkgname[@]} > 1 )) || have_function package_${pkgname}; then
 fi
 # test for available PKGBUILD functions
+if have_function verify; then
+ # "Hide" verify() function if not going to be run
+ if [[ $RUN_VERIFY != "n" ]] && (( ! SKIPCHECKSUMS && ! SKIPPGPCHECK )); then
+ VERIFYFUNC=1
+ fi
+fi
 if have_function prepare; then
 # "Hide" prepare() function if not going to be run
 if [[ $RUN_PREPARE != "n" ]]; then
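Review bot: With `if [[ $RUN_VERIFY != "n" ]] && (( ! SKIPCHECKSUMS && ! SKIPPGPCHECK )); then`, a verify() the PKGBUILD defines is dropped without any message whenever either --skipchecksums or --skippgpcheck is given, even though the user did not pass --noverify and the makepkg.8 hunk documents only --noverify as disabling it. Because verify() is the PKGBUILD's own source-authentication step, skipping it silently is a downgrade the user never sees; I would at least report it with `else` / `warning "$(gettext "Skipping verify() function.")"` before the inner `fi`, and mention the interaction in the --noverify entry of makepkg.8. Whether --skipinteg also sets both flags is not visible here, but it would take the same path.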