libmakepkg: check for invalid tags in git

As per https://lists.archlinux.org/pipermail/arch-general/2017-July/043876.html
git doesn't check that the tag name matches what an annotated tag object
*thinks* it should be called. This is a bit of a theoretical attack and
some would argue that we should always use commits since upstream can
legitimately change a tag, but nevertheless this can result in a
downgrade attack if the git download transport was manipulated or the
upstream repository hacked.

So, check the tag blob to make sure the tag actually matches the name we
used for `git checkout`.

This really should be fixed in git itself, rather than forcing all
downstream users of git verify-tag to implement their own checks, but
the git developers disagree, see the discussion surrounding
https://public-inbox.org/git/xmqqk2hzldx8.fsf@gitster.mtv.corp.google.com/

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>

scripts/libmakepkg/source/git.sh.in

@@ -65,7 +65,7 @@ download_git() {
 }
 
 extract_git() {
-	local netfile=$1
+	local netfile=$1 tagname
 
 	local fragment=$(get_uri_fragment "$netfile")
 	local repo=$(get_filename "$netfile")
@@ -110,6 +110,15 @@ extract_git() {
 		esac
 	fi
 
+	if [[ ${fragment%%=*} = tag ]]; then
+		tagname="$(git tag -l --format='%(tag)' "$ref")"
+		if [[ -n $tagname && $tagname != $ref ]]; then
+			error "$(gettext "Failure while checking out version %s, the git tag has been forged")" "$ref"
+			plain "$(gettext "Aborting...")"
+			exit 1
+		fi
+	fi
+
 	if [[ $ref != "origin/HEAD" ]] || (( updating )) ; then
 		if ! git checkout --force --no-track -B makepkg $ref; then
 			error "$(gettext "Failure while creating working copy of %s %s repo")" "${repo}" "git"