From ca3c873d4875431dfd40ca5aea76cb5a14a66f3b Mon Sep 17 00:00:00 2001
From: Levente Polyak
Date: Thu, 2 Jun 2022 01:53:04 +0200
Subject: [PATCH] makepkg: immutable mercurial sources by hashing the checkout content
This feature makes Mercurial VCS build inputs immutable by adding support for pinning a Mercurial checkout by a hash of its content using the deterministic export functionality `hg archive`.
This feature aids packagers by allowing them to use simple and convenient refnames (instead of full commit hashes) in the `PKGBUILD` while still preserving security implications of immutable build inputs using a trusted cryptographic hash function of the content.
Signed-off-by: Levente Polyak
---
scripts/libmakepkg/source/hg.sh.in | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/scripts/libmakepkg/source/hg.sh.in b/scripts/libmakepkg/source/hg.sh.in
index 2889d4dd..5cd6fd2d 100644
--- a/scripts/libmakepkg/source/hg.sh.in
+++ b/scripts/libmakepkg/source/hg.sh.in
@@ -111,3 +111,30 @@ extract_hg() {
 popd &>/dev/null
 }
+
+calc_checksum_hg() {
+ local netfile=$1 integ=$2 ret=0 shellopts dir url fragment fragval sum
+
+ # this function requires pipefail - save current status to restore later
+ shellopts=$(shopt -p -o pipefail)
+ shopt -s -o pipefail
+
+ dir=$(get_filepath "$netfile")
+ url=$(get_url "$netfile")
+ fragment=$(get_uri_fragment "$url")
+
+ case ${fragment%%=*} in
+ tag|revision)
+ fragval=${fragment##*=}
+ sum=$(hg --repository "$dir" archive --type tar --rev "$fragval" - | "${integ}sum" 2>&1) || ret=1
+ sum="${sum%% *}"
+ ;;
+ *)
+ sum="SKIP"
+ ;;
+ esac
+
+ eval "$shellopts"
+ printf '%s' "$sum"
+ return $ret
+}
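Review bot: The checksum in `calc_checksum_hg` is taken over the `hg archive` tar stream, and that stream is not fully determined by the revision: whether the `.hg_archival.txt` metadata file is emitted is governed by the builder's `ui.archivemeta` setting, so a packager and a builder with different Mercurial configuration can compute different sums for identical content and the immutability check fails for the wrong reason. Pin it on the command line so the hash is independent of user config, e.g. `sum=$(hg --repository "$dir" --config ui.archivemeta=true archive --type tar --rev "$fragval" - | "${integ}sum" 2>&1) || ret=1`. If I read hg's defaults right, the in-archive path prefix when writing to stdout also defaults to the basename of `$dir` plus `-`, so an explicit `--prefix` is worth considering as well, otherwise the sum silently depends on the checkout directory name. Separately, the `2>&1` only captures the checksum tool's stderr; an `hg` failure (unknown tag or revision) yields `ret=1` with an empty or unrelated `sum` and no diagnostic, which deserves a comment such as `# hg errors go to the caller's stderr; only the hashing tool's output is captured` unless the caller already reports it.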