Work around the final line not being parsed in .PKGINFO if there was a lack
of newline at the end of the file. This could occur due to utilising a tool
other than makepkg to create packages.
The missed line created a difference in the parsing of .PKGINFO between
repo-add and pacman, causing packages to be seen as invalidwith pacman-6.1.
Signed-off-by: Allan McRae <allan@archlinux.org>
The current code treats -k/--key as a binary option which later makes it
fail parsing the argument as then the end of arguments '--' is treated
as the GPGKEY. We fix this by adding the appropriate specifier to the
long and shortopt.
Closes https://gitlab.archlinux.org/pacman/pacman/-/issues/105
Fixes: 4f43ce3e ("repo-add: use parseopts from libmakepkg")
Signed-off-by: Christian Heusel <christian@heusel.eu>
Clarify if repo-add does not create a new database due to failures
or due to there being nothing to do.
Signed-off-by: Allan McRae <allan@archlinux.org>
Commit 4f43ce3e4a broke repo-add by
switching to parseopts without accounting for the added "--". This caused
the dbname to always be read as "--".
Accounts for "--" and makes repo-add respect "--" as end of opts.
Keeping md5sums in the repo databases no longer serves a real purpose.
md5sums are no longer considered secure, and we already have sha256sums
in the repos (along with PGP verification).
Signed-off-by: Allan McRae <allan@archlinux.org>
Pacman now downloads the signature files for all packages when present in a
repository. That makes distributing signatures within repository databases
redundant and costly.
Do not distribute the package signature files within the repo databases by
default and add an --include-sigs to revert to the old behaviour.
Signed-off-by: Allan McRae <allan@archlinux.org>
Currently the list of supported formats for an archive, is maintained in
two places. And repo-add does not actually get updated. :(
In the process, remove some of the logical duplication when calling
bsdtar/compress_as.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
If it's not listed by --list-secret-key we don't care if it has been
imported into your keyring, it's unusable. And you might not have a
private key at all in the no-keyid-specified case.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
We pass this to gpg -u and this gpg option can accept a number of
different formats, not just the historical hexadecimal fingerprint we
assumed. We should not barf hard if a format is used which happens to
contain spaces.
This also fixes a validation bug. When we initially check if the desired
key is available, we don't quote spaces, so gpg goes ahead and treats
each space-separated string as a *different key* to search for,
returning partial matches, and returning success if at least one key is
found. But gpg --detach-sign -u will certainly not accept multiple keys!
Fixes FS#66949
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Redirect file to stdin so wc -c doesn't print a file name that needs to
be stripped.
Signed-off-by: Ethan Sommer <e5ten.arch@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
The right-hand side of the [[ ... = ... ]] keyword is an exception to
the general rule that quoting is unnecessary with [[
This is usually not a problem, e.g. in libmakepkg, lint_one_pkgname will
already fail if pkgname has an asterisk, but it certainly doesn't hurt
to be "more proper" and go with the spec; it is more dangerous in
repo-add, which can get caught in an infinite loop instead of safely
asserting there is no package named 'foo*'.
Reported-by: Rafael Ascensão <rafa.almas@gmail.com>
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Our sed parser for xdelta3 headers will greedily match on ":" which
coincidentally is also the character we use to define a version with an
epoch.
While we are at it, simply use sed for the whole pipeline, rather than
using both grep and sed.
Fixes FS#61195
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
We have code in order to remove deltas when removing a package, but it
is never run, since we try to remove the wrong file.
This was broken in commit cb0f2bd038 which
modified the internal layout we use to modify the db, changing "tree" to
"db", but did not update all locations where it was used.
This worked swimmingly well as long as only repo-add updates were
handling the backup and restore of the delta file, as the delta file
therefore got backed up to the correct location (db) in the shared
db_remove_entry() function.
But later on in the repo-remove logic, we tried removing a different
file that will never exist (tree).
Fixes FS#53041
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Currently this prints the following message:
==> Extracting database to a temporary location...
==> Extracting database to a temporary location...
This redundancy is potentially confusing and may cause people to think
something is wrong. Historically, this message came from a time when we
only extracted one database, but repo-add was changed to always create
the files database in commit cb0f2bd038
and whole code block with message intact was moved into a for loop and
run (and printed) twice.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Remove all remnants of library/{output_format,term_colors}.sh
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
We don't need to translate the "Copyright YEAR AUTHOR" part, no part of
it should probably be translated and it definitely shouldn't turn every
single license terms notice into a separate translation just because the
author/year is different.
Fixes FS#58452
Also consistently add a blank line after the copyright and before the
license terms.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Many of these are pointless (e.g. there is no need to explicitly turn on
spellchecking and language dictionaries for the manpages by default).
The only useful modelines are the ones enforcing the project coding
standards for indentation style (and "maybe" filetype/syntax, but
everything except the asciidoc manpages and makepkg.conf is already
autodetected), and indent style can be applied more easily with
.editorconfig
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
In commit cb0f2bd038 the changes from
commit 81d233b793 seem to have been
inadvertently backed out.
Right now the current check doesn't do anything, since "fail" is always
nothing and therefore successful.
Fixes FS#58505
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Now uses wc -c $file | cut -d' ' -f1, which works using only POSIX
commands and removes the need for any platform-specific usages.
Signed-off-by: Drew DeVault <sir@cmpwn.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
If pacman is build against a crypto library other than openssl, it makes no
sense to require makepkg to use it.
The only currently considered alternative to openssl is nettle, which has no
binary for base64 encode/decode. This means that we could replace the hashing
cacluations with nettle-hash, but would require base64 from coreutils.
Given makepkg already relies heavily on coreutils, we might as well use all
the coreutils hashing binaries too.
This patch also improves the checking of required binaries for hashing
operations.
Signed-off-by: Allan McRae <allan@archlinux.org>
Pacman cannot handle armored signatures, so make repo-add error out if
one is detected.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Pacman cannot handle armored signatures, so use gpg's --no-armor flag to
force an unarmored signature.
Signed-off-by: Allan McRae <allan@archlinux.org>
Both the "db" and "files" databases are created in one call to repo-add.
Only the "foo.db.tar.xz" name is passed to repo-add.
Signed-off-by: Allan McRae <allan@archlinux.org>
The information needed to create a delta entry and remove the old package from
the filesystem are the same.
Signed-off-by: Allan McRae <allan@archlinux.org>
The check for xdelta3 was done as needed (and not in all cases). Do this
check early so that repo-add does not abort part way through.
Signed-off-by: Allan McRae <allan@archlinux.org>
