The output of
`gpg --quiet --batch --status-fd /dev/stdout --verify <signature_file> <file> 2> /dev/null`
or
`git verify-commit --raw <commit> 2>&1`
may contain binary data if the signature has been created with an
OpenPGP implementation that e.g. makes use of notations.
If the notation string (see `NOTATION_DATA` in
/usr/share/doc/gnupg/DETAILS) contains a trailing binary char, this will
break signature verification, as any following entry (e.g. `VALIDSIG`)
will be offset.
As we are only making use of a narrow set of terms from the statusfile
(namely `NEWSIG`, `GOODSIG`, `EXPSIG`, `EXPKEYSIG`, `REVKEYSIG`,
`BADSIG`, `ERRSIG`, `VALIDSIG`, `TRUST_UNDEFINED`, `TRUST_NEVER`,
`TRUST_MARGINAL`, `TRUST_FULLY`, `TRUST_ULTIMATE`), we are applying a
filter, so that only understood terms are written to the file.
Signed-off-by: David Runge <dvzrv@archlinux.org>
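
The allowlist filter described in the commit message above, as an added example that is not makepkg's own code. The status lines, key ID and fingerprint are constructed sample values, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: allowlist filter for `gpg --status-fd` output (not makepkg's code).

# Keywords listed in the commit message above.
STATUS_KEYWORDS='NEWSIG|GOODSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|BADSIG|ERRSIG|VALIDSIG'
STATUS_KEYWORDS="$STATUS_KEYWORDS|TRUST_UNDEFINED|TRUST_NEVER|TRUST_MARGINAL"
STATUS_KEYWORDS="$STATUS_KEYWORDS|TRUST_FULLY|TRUST_ULTIMATE"

# Constructed placeholder fingerprint, not a real key.
FPR=0123456789ABCDEF0123456789ABCDEF01234567

# Read raw status output on stdin and write only understood lines to stdout.
# LC_ALL=C makes grep match bytes; -a keeps it from treating the input as binary.
# The match is anchored to the "[GNUPG:] " prefix and the keyword must be followed
# by a space or end of line, so keyword text inside another record never qualifies.
filter_status() {
	LC_ALL=C grep -a -E "^\[GNUPG:] (${STATUS_KEYWORDS})( |\$)"
}

# Print the fingerprint field of the VALIDSIG record from the filtered output.
validsig_fingerprint() {
	filter_status | awk '$2 == "VALIDSIG" { print $3; exit }'
}

# Constructed sample: a good signature whose notation value ends in raw bytes.
sample_status() {
	printf '[GNUPG:] NEWSIG\n'
	printf '[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n'
	printf '[GNUPG:] NOTATION_NAME note@example.org\n'
	printf '[GNUPG:] NOTATION_DATA value\001\377\n'
	printf '[GNUPG:] VALIDSIG %s 2024-01-01 1704067200 0 4 0 1 10 00 %s\n' "$FPR" "$FPR"
	printf '[GNUPG:] TRUST_FULLY 0 pgp\n'
}

# Stand-alone run: prints the four records that survive the filter.
sample_status | filter_status
```
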
Emit an early error message if tag or commit verification with git or
detached signature verification with gpg fails.
Make `verify_file_signature()` and `verify_git_signature()` return
non-zero in this case and set errors to `1`, so that later checks
in `check_pgpsigs()`, although still run, cannot lead to a positive
result.
Signed-off-by: David Runge <dvzrv@archlinux.org>
.a files are not valid ELF files so we can't run objcopy or debugedit
on them.
Rename STRIPLTO to STATICLIB to be more descriptive.
Signed-off-by: Morten Linderud <morten@linderud.pw>
Some projects might duplicate the file in multiple locations for one
reason or another. When debug packages are enabled, `makepkg` will only
strip the first occurrence of the binary and abort early on all the
other binaries.
Signed-off-by: Morten Linderud <morten@linderud.pw>
During a package build we call prepare_buildenv in multiple stages of
the process. For debug packages, one of the hooks is buildenv_debugflags
which populates the debug flags to the according variables.
The issue is that the behavior of the current implementation of
buildenv_debugflags is not idempotent, so consecutive calls will append
the same flags again. In certain cases this isn't an issue, however
for context aware build frontends like cargo any change of the build
inputs leads to a fresh build. This means that any invocation of such
a build ecosystem inside the package() function will trigger a full
rebuild, which is not desired.
To fix this issue, this commit makes buildenv_debugflags idempotent
by only appending flags once to the target variables.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
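
The difference between appending on every call and appending once, as an added example that is not the project's code. The flag values and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not makepkg's code): appending debug flags once vs. on every call.

# Constructed sample value; the real one comes from makepkg.conf.
DEBUG_CFLAGS='-g -ffile-prefix-map=/build/src=/usr/src/debug/pkg'

# Print $1 with each following flag appended only if it is not already a word in it.
append_once() {
	_cur=$1; shift
	for _flag in "$@"; do
		case " $_cur " in
			*" $_flag "*) ;;                      # present: leave the value unchanged
			*) _cur="${_cur:+$_cur }$_flag" ;;
		esac
	done
	printf '%s\n' "$_cur"
}

# Non-idempotent form: every call grows the variable.
debugflags_naive() { CFLAGS="$CFLAGS $DEBUG_CFLAGS"; }

# Idempotent form: a second call is a no-op. $DEBUG_CFLAGS is split on purpose.
debugflags_once() { CFLAGS=$(append_once "$CFLAGS" $DEBUG_CFLAGS); }

# Run a hook twice, as happens across build stages, and print the CFLAGS value
# after each call on its own line so the caller can compare them.
run_twice() {
	CFLAGS='-O2 -pipe'
	"$1"; _first=$CFLAGS
	"$1"; _second=$CFLAGS
	printf '%s\n%s\n' "$_first" "$_second"
}

# Stand-alone run: the naive hook prints two different lines, the other two equal ones.
run_twice debugflags_naive
run_twice debugflags_once
```
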
This patch implements a new verify function in makepkg. It allows us to
do arbitrary authentication on sources before extraction.
There are several new signing and validation methods being implemented
and it would be hard to have `makepkg` implement support for things such
as sequoia, cosign or minisign. This would allow us to distribute
generic validation functions.
Signed-off-by: Morten Linderud <morten@linderud.pw>
makepkg assumes that the remote git repo is named "origin" at several
places in its handling of git sources. It is possible to set the remote
repo name since git v2.30.0 (with bug fix for bare checkouts in v2.30.2).
Add "--origin=origin" to all git clone commands.
Signed-off-by: Allan McRae <allan@archlinux.org>
This feature makes bzr VCS build inputs immutable by adding support for
pinning a bzr checkout by a hash of its content using the deterministic
export functionality `bzr export`.
This feature allows preserving security implications of immutable build inputs
using a trusted cryptographic hash function of the content.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
This feature makes Mercurial VCS build inputs immutable by adding
support for pinning a Mercurial checkout by a hash of its content using
the deterministic export functionality `hg archive`.
This feature aids packagers by allowing them to use simple and
convenient refnames (instead of full commit hashes) in the `PKGBUILD`
while still preserving security implications of immutable build inputs
using a trusted cryptographic hash function of the content.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
This feature makes Git VCS build inputs immutable by adding support for
pinning a Git checkout by a hash of its content using the deterministic
export functionality `git archive`.
This feature aids packagers by allowing them to use simple and
convenient refnames (instead of full commit hashes) in the `PKGBUILD`
while still preserving security implications of immutable build inputs
using a trusted cryptographic hash function of the content.
Previously VCS source downloads have been skipped for `--geninteg` and
`--source` as both options did not need a checkout. This commit changes
this behavior by forcing the download of all sources, as integrity checks
and generation require an up-to-date state.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
Move rust related buildflags to their own configuration file to
provide an example of how other languages could be supported.
Signed-off-by: Allan McRae <allan@archlinux.org>
When options=('!buildflags') is used, we want to ensure our
buildflags are cleared first. Currently this happens due to luck
of alphabetical ordering, but this could change with libmakepkg
drop-ins.
Signed-off-by: Allan McRae <allan@archlinux.org>
When packaging software with debug symbols without stripping, we should
still process the files with debugedit and include the needed source
files in the package.
Signed-off-by: Allan McRae <allan@archlinux.org>
Bash-5.2 introduced the patsub_replacement shell option, which is enabled
by default. Apparently it is supposed to handle a sed-like idiom, but
what it does achieve is making any substitution involving a "&" require
special care.
For makepkg's DLAGENTS, we replace "%o" and "%u" if present. Any "&" in
the replacement fields triggers patsub_replacement unless quoted. This is
particularly important for the URL field.
Add relevant quotes to avoid issues.
Signed-off-by: Allan McRae <allan@archlinux.org>
`.o` objects used to be omitted by strip.sh due to a missing match in
the `Relocatable file` section. This patch fixes the issue by handling
`.o` objects similar to kernel modules.
fixes FS#74941
Signed-off-by: Allan McRae <allan@archlinux.org>
`${pkgbase}` was added to the wrong invocation. This ensures we are
producing correct debug packages.
Example from the package:
/usr/src/debug/pacman/pacman-6.0.2/src/pacman/callback.c
/usr/src/debug/pacman/pacman-6.0.2/src/pacman/callback.h
/usr/src/debug/pacman/pacman-6.0.2/src/pacman/check.c
/usr/src/debug/pacman/pacman-6.0.2/src/pacman/check.h
Fixes: 776b7c1e75 ("debugflags: Ensure we have unique source paths")
Signed-off-by: Morten Linderud <morten@linderud.pw>
Signed-off-by: Allan McRae <allan@archlinux.org>
The debugedit call to list all source files may include things like
build/<...>. We have been filtering out these <> files, but they can
point to the build directory which is important to be available for
relative source paths stored in the .debug files.
Signed-off-by: Allan McRae <allan@archlinux.org>
Bash 5.2 has a new globskipdots option, which is enabled by default. The
check_dotfiles lint fails with globskipdots due to the assumption that
at least the "." and ".." paths will match. Disabling globskipdots would
be the usual solution, but that fails on bash<5.2. Instead, enable
nullglob for this check.
Signed-off-by: Allan McRae <allan@archlinux.org>
Commit e017a5975c introduced the GITFLAGS
environmental variable. While ensuring the default of "--mirror" was
kept, there was a capitalisation mistake made. Handle the default for
GITFLAGS directly in the git clone command.
The default flag used to clone a git repository when using makepkg
is "--mirror". However, when working with huge repositories, the use
of different flags during cloning can allow a faster checkout. For
example, using "--filter=blob:none" allows for small checkouts, at
the expense of requiring downloads during the build stage if anything
but the HEAD commit is used for the build. In addition, this example
would serve as a replacement for the often requested (but broken)
addition of --depth=1.
Add support for the environment variable GITFLAG to pass flags for
the git clone command. Note that this overrides the default rather
than adding to it in order to prevent incompatibilities.
In some cases packages are built outside of a directory which contains
pkgname-pkgver; this results in source listings in debug packages having
a conflicting path like `/usr/src/debug/build/` which is not ideal.
This patch ensures we always include the pkgbase to ensure the paths are
unique.
Signed-off-by: Morten Linderud <morten@linderud.pw>
Signed-off-by: Allan McRae <allan@archlinux.org>
We use a multi step process during stripping to ensure permissions do
not get changed. However, if the initial objcopy fails, the subsequent cat
results in a blank file. Abandon early if objcopy fails.
Fixes FS#74486
Signed-off-by: Allan McRae <allan@archlinux.org>
We want to use -flto=auto in Arch Linux to speed up building, but we
can't hardcode it in buildenv/lto.sh because other downstreams might
have clang < 13.0.0 which did not recognize -flto=auto as equivalent
to -flto=full.
Introducing an LTOFLAGS variable to makepkg.conf seems the way to go.
Signed-off-by: Allan McRae <allan@archlinux.org>
This moves us from the fairly ugly AWK parsing line to debugedit which
originally comes out of the rpm project.
The original code has issues parsing anything that was not straight
C/C++ and languages like Rust or Go would return invalid source code
files. debugedit handles all these cases better.
Fixes FS#66755
Fixes FS#66888
Fixes FS#65677
Signed-off-by: Morten Linderud <morten@linderud.pw>
Signed-off-by: Allan McRae <allan@archlinux.org>
From gcc(1):
-ffile-prefix-map=old=new
[...] Specifying this option is equivalent to specifying all the
individual -f*-prefix-map options. This can be used to make reproducible
builds that are location independent.
Specifically, this additionally enables -fmacro-prefix-map=, which causes
prefix mapping to be applied to expansions of __FILE__ and similar macros.
Without this option, if source files are compiled by passing the
absolute file path to the compiler (as done by e.g. cmake), any
expansions of __FILE__ (e.g. from uses of assert()) will contain
$srcdir.
Signed-off-by: Allan McRae <allan@archlinux.org>
Add linked libraries to a package's dependency list. This is the partner
to automatically generated library provides, and thus depends take the
same format. To help with bootstrapping, library dependencies are only
added if the relevant provide exists.
Signed-off-by: Allan McRae <allan@archlinux.org>
When the option "autodeps" is enabled, makepkg will add provides
entries for libraries found in the directories specified in LIB_DIRS
in makepkg.conf. The entries in the LIB_DIRS array have the format
"prefix:directory". For example, the entry "lib:usr/lib" will search
$pkgdir/usr/lib for library sonames and add "lib:libfoo.so.1" to the
provides array.
Signed-off-by: Allan McRae <allan@archlinux.org>
GCC automatically detects when it is linking LTO objects, but clang does
not. Add -flto to LDFLAGS to make this work for clang too.
Signed-off-by: Allan McRae <allan@archlinux.org>
Arch Linux has been setting PYTHONHASHSEED=0 to create deterministic
.pyc files. After a thorough review by the Arch Security Team, setting
this variable was determined not to generate vulnerable .pyc files, as
when the loader loads the .pyc file and unmarshalls it, the internal
runtime will just populate the unordered data structures and use a new
runtime hash for them.
Signed-off-by: Allan McRae <allan@archlinux.org>
We usually set this up to default to the build time configured install
location, but a couple of files crept in without this.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Binutils commit 93df3340fd5ad32f784214fc125de71811da72ff enabled readelf
to report "Position-Independent Executable" files. Fix stripping to
account for this change.
Signed-off-by: Allan McRae <allan@archlinux.org>
readelf --debug-dump sometimes reports inscrutable warnings which don't
actually affect our extraction of source filenames. For example:
readelf: Warning: There is a hole [0xd3d - 0xd89] in .debug_loc section.
Now gcc 11 seems to have dramatically increased the number of warnings:
readelf: Warning: Corrupt offset (0x0000008e) in range entry 9
[...]
readelf: Warning: Corrupt offset (0x000010f0) in range entry 250
The resulting debuginfo created by the very same toolchain works fine,
as does the list of source filenames. But the warnings are quite
noisy... send them to /dev/null since they are not actionable in the
context of getting source files
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
If specified, this will be used no matter what. If not, then we check if
sudo exists and use that, or else fall back on su.
Implements FS#32621
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Broken via refactoring in commit aa6fe1160b
but for obvious reasons only one person in the last 9 years has ever
actually tried to do this. Still, it's technically correct to allow it.
Fixes FS#70254
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>