This patch implements a new verify function in makepkg. It allows us to
do arbitrary authentication on sources before extraction.
There are several new signing and validation methods being implemented
and it would be hard to have `makepkg` implement support for things such
as sequoia, cosign or minisign. This would allow us to distribute
generic validation functions.
Signed-off-by: Morten Linderud <morten@linderud.pw>
This feature makes Git VCS build inputs immutable by adding support for
pinning a Git checkout by a hash of its content using the deterministic
export functionality `git archive`.
This feature aids packagers by allowing them to use simple and
convenient refnames (instead of full commit hashes) in the `PKGBUILD`
while still preserving security implications of immutable build inputs
using a trusted cryptographic hash function of the content.
Previously VCS source downloads have been skipped for `--geninteg` and
`--source` as both options did not need a checkout. This commit changes
this behavior by forcing the download of all sources as integrity checks
and generation requires to have an up to date state.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
The documentation for the license array was specific to Arch Linux.
Remove it and some minor other Arch Linux specific references.
Signed-off-by: Allan McRae <allan@archlinux.org>
Since commit 08f4ae70, makepkg supports downloading from fossil.
However, the PKGBUILD man page was only partially updated to reflect
this change.
Signed-off-by: Allan McRae <allan@archlinux.org>
Add the 'lto' option to enable building with link time optimization
by adding '-flto' to both CFLAGS and CXXFLAGS. The 'lto' option can
be specificed both in the PKGBUILD or by setting the default in
makepkg.conf.
Signed-off-by: Allan McRae <allan@archlinux.org>
Checksums arrays should be filled with values provided by upstream. We
currently have md5 set as an unsecure default, and are constantly asked to
change it to sha2. However, just changing the default to a stronger checksum
gives the user the impression that "makepkg -g" checksums are perfect.
Instead, change the default checksum to a CRC, to make it clear that any
checksum generated purely by "makepkg -g" is not ideal.
Signed-off-by: Allan McRae <allan@archlinux.org>
Generating checksums with "makepkg -g" only determines that the user of a
PKGBUILD has the same file as the packager (assuming no collision). This
means an upstream source could be maliciously changed and passed on as valid
by a PKGBUILD. To avoid this, it is essential that any checksums used in
a PKGBUILD are as provided by upstream.
Signed-off-by: Allan McRae <allan@archlinux.org>
It's difficult to find it embedded inside a prose paragraph.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Currently, it could be misread to say that a fragment is literally
'commit', rather than 'commit=somehash'. Anecdotally this does not seem
to be obvious to everyone, and rewording it certainly doesn't hurt.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Currently this is scoped to the build() function, which is simply wrong
as it equally applies to any function. Simply moving the paragraphs up
to the main manpage section makes this clear.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
coreutils 8.26 in December 2016 added this new hashing method which is
compatible with the existing md5sum and sha*sum tool usage, while using
the blake2 hash algorithm.
makepkg uses coreutils to provide source file integrity checks via
${integ}sum binaries and it makes sense to offer this as an additional
option.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
The format of pkgrel was much more retrictive than described in the
man page. Update the documentation to reflect this.
Signed-off-by: Allan McRae <allan@archlinux.org>
pacman accepts these, and there is no good reason to be more restrictive
ourselves; we should follow the example of "depends" here.
Update the documentation to actually state that this is supported.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Since we no longer use vim-specific modelines, use the .asciidoc file
extension which is, well, reserved for asciidoc formatted files. This
should presumably work everywhere without needing editor-specific
workarounds and configuration.
Also add a shebang to makepkg.conf to indicate it contains bash content.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
