Bailing early caused problems with makepkg failing on verify but expired
signatures. As this is often out of the packagers control, and it is
better to verify a signature than not, we try bailing as late as possible
and let makepkg warn about the expired signature.
Signed-off-by: Allan McRae <allan@archlinux.org>
Guile 2.2 uses ELF format for its byte-compiled files. These are not
normal executables, and are not strippable in the normal sense.
Given these are ELF files and detected by "file" as non-stripped binaries,
it is only possible to skip these using the file path.
Fixes#73
Signed-off-by: Allan McRae <allan@archlinux.org>
To ensure we are not dropping the return code of the `gpg` call due to
piping into `grep`, we make use of `PIPESTATUS` to check the return code
of each command separately.
Additionally, we can now distinguish between two states: The signature
does not verify (e.g. due to technical reasons) and the signature is
not trusted.
Signed-off-by: David Runge <dvzrv@archlinux.org>
Move the check for the `NEWSIG` metadata keyword contained in the
GnuPG based statusfile to `parse_gpg_statusfile()` so that it is also
run when creating the statusfile in `verify_file_signature()` and not
only when running `verify_git_signature()`.
Signed-off-by: David Runge <dvzrv@archlinux.org>
The output of
`gpg --quiet --batch --status-fd /dev/stdout --verify <signature_file> <file> 2> /dev/null`
or
`git verify-commit --raw <commit> 2>&1`
may contain binary data, if the signature has been created with an
OpenPGP implementation, that e.g. makes use of notations.
If the notation string (see `NOTATION_DATA` in /usr/share/doc/gnupg/
DETAILS) contains a trailing binary char, this will break signature
verification, as any following entry (e.g. `VALIDSIG`) will be offset.
As we are only making use of a narrow set of terms from the statusfile
(namely `NEWSIG`, `GOODSIG`, `EXPSIG`, `EXPKEYSIG`, `REVKEYSIG`,
`BADSIG`, `ERRSIG`, `VALIDSIG`, `TRUST_UNDEFINED`, `TRUST_NEVER`,
`TRUST_MARGINAL`, `TRUST_FULLY`, `TRUST_ULTIMATE`), we are applying a
filter, so that only understood terms are written to the file.
Signed-off-by: David Runge <dvzrv@archlinux.org>
Emit an early error message if tag or commit verification with git or
detached signature verification with gpg fails.
Make `verify_file_signature()` and `verify_git_signature()` return
non-zero in this case and set errors to `1`, so that later checks
in `check_pgpsigs()`, although still run, can not lead to a positive
result.
Signed-off-by: David Runge <dvzrv@archlinux.org>
Move the checks for software and gpg signing ability to after the
fakeroot section so that it is only executed once. This also fixes
gpg (lack of) interaction under fakeroot.
Fixes#69
Signed-off-by: Allan McRae <allan@archlinux.org>
.a files are not valid ELF files so we can't run objcopy nor debugedit
on them.
Rename STRIPLTO to STATICLIB to be more descriptive.
Signed-off-by: Morten Linderud <morten@linderud.pw>
Some projects might duplicate the file in multiple locations for one
reason or another. When debug packages are enabled, `makepkg` will only
strip the first occurrence of the binary and abort early on all the
other binaries.
Signed-off-by: Morten Linderud <morten@linderud.pw>
During a package build we call prepare_buildenv in multiple stages of
the process. For debug packages, one of the hooks is buildenv_debugflags
which populates the debug flags to the according variables.
The issue is that the behavior of the current implementation of
buildenv_debugflags is not idempotent, so consecutive calls will append
the same flags again. In certain cases this isn't an issue, however
for context aware build frontends like cargo any change of the build
inputs leads to a fresh build. This means that any invocation of such
a build ecosystem inside the package() function will trigger a full
rebuild, which is not desired.
To fix this issue, this commit makes buildenv_debugflags idempotent
by only appending flags once to the target variables.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
Currently, the file glob used to clean the $srcdir misses dotfiles.
This commit instead removes the directory entirely and recreates it.
Since the directory has to exist prior to deletion, the creation commands
are duplicated. Perhaps they could be moved to a function later on.
The directory cannot be removed while inside it, so the directory change
is moved down the line. One important insight here is that almost all functions
after it are actually independent of $pwd, allowing the optimization of just
not changing directory. They do however depend on the existence of $srcdir, so
it has to be recreated.
The only exception to this is `extract_sources` which depends on $pwd being $srcdir.
An alternative proposal wanted to extend the file matching for deletion, but it
was deemed impractical.
This patch implements a new verify function in makepkg. It allows us to
do arbitrary authentication on sources before extraction.
There are several new signing and validation methods being implemented
and it would be hard to have `makepkg` implement support for things such
as sequoia, cosign or minisign. This would allow us to distribute
generic validation functions.
Signed-off-by: Morten Linderud <morten@linderud.pw>
Clarify if repo-add does not create a new database due to failures
or due to there being nothing to do.
Signed-off-by: Allan McRae <allan@archlinux.org>
This is similar to -C in git/make/nina. Sadly -C is already taken for
us.
This is useful for scripts where you for loop over packages, as well as
when I'm testing makepkg builds and I'm too lazy to cd.
makepkg assumes that the remote git repo is named "origin" at several
places in its handling of git sources. It is possible to set the remote
repo name since git v2.30.0 (with bug fix for bare checkouts in v2.30.2).
Add "--origin=origin" to all git clone commands.
Signed-off-by: Allan McRae <allan@archlinux.org>
This feature makes bzr VCS build inputs immutable by adding support for
pinning a bzr checkout by a hash of its content using the deterministic
export functionality `bzr export`.
This feature allows to preserve security implications of immutable build inputs
using a trusted cryptographic hash function of the content.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
This feature makes Mercurial VCS build inputs immutable by adding
support for pinning a Mercurial checkout by a hash of its content using
the deterministic export functionality `hg archive`.
This feature aids packagers by allowing them to use simple and
convenient refnames (instead of full commit hashes) in the `PKGBUILD`
while still preserving security implications of immutable build inputs
using a trusted cryptographic hash function of the content.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
This feature makes Git VCS build inputs immutable by adding support for
pinning a Git checkout by a hash of its content using the deterministic
export functionality `git archive`.
This feature aids packagers by allowing them to use simple and
convenient refnames (instead of full commit hashes) in the `PKGBUILD`
while still preserving security implications of immutable build inputs
using a trusted cryptographic hash function of the content.
Previously VCS source downloads have been skipped for `--geninteg` and
`--source` as both options did not need a checkout. This commit changes
this behavior by forcing the download of all sources as integrity checks
and generation requires to have an up to date state.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
Move rust related buildflags to their own configuration file to
provide an example of how other languages could be supported.
Signed-off-by: Allan McRae <allan@archlinux.org>
When 'options=('!buildflags') is used, we want to ensure our
buildflags are cleared first. Currently this happens due to luck
of alphabetical ordering, but this could change with libmakepkg
drop-ins.
Signed-off-by: Allan McRae <allan@archlinux.org>
There are two strings that may be singular or plural in pacman-key.
Use ngettext to handle these strings correctly, and provide a fallback
function if it is not available.
Fixes FS#70556.
Signed-off-by: Allan McRae <allan@archlinux.org>
The function _keys is a bit generic and can result in clashes. Change
other functions starting with _key_ to be _pacman_key_ as well.
Fixes FS#74507.
Signed-off-by: Allan McRae <allan@archlinux.org>
Commit 4f43ce3e4a broke repo-add by
switching to parseopts without accounting for the added "--". This caused
the dbname to always be read as "--".
Accounts for "--" and makes repo-add respect "--" as end of opts.
When package software with debug symbols without stripping, we should
still process the files with debugedit and include the needed source
files in the package.
Signed-off-by: Allan McRae <allan@archlinux.org>
Bash-5.2 introduced the patsub_replacement shell option, which is enabled
by default. Apparently is it supposed to handle a sed-like idiom, but
what it does achieve is making any substitution involving a "&" requiring
special care.
For makepkg's DLAGENTS, we replace "%o" and "%u" if present. Any "&" in
the replacement fields triggers patsub_replacement unless quoted. This is
particularly important for the URL field.
Add relevant quotes to avoid issues.
Signed-off-by: Allan McRae <allan@archlinux.org>
md5sums are cryptographically broken and we supply sha256sums to verify
files on a users system have not been modified from the packaged version.
Signed-off-by: Allan McRae <allan@archlinux.org>
Keeping md5sums in the repo databases no longer serves a real purpose.
md5sums are no longer considered secure, and we already have sha256sums
in the repos (along with PGP verification).
Signed-off-by: Allan McRae <allan@archlinux.org>
`.o` objects used to be omitted by strip.sh due to a missing match in
the `Relocatable file` section. This patch fixes the issue by handling
`.o` objects similar to kernel modules.
fixes FS#74941
Signed-off-by: Allan McRae <allan@archlinux.org>
`${pkgbase}` was added to the wrong invocation. This ensures we are
producing correct debug packages.
Example from the package:
/usr/src/debug/pacman/pacman-6.0.2/src/pacman/callback.c
/usr/src/debug/pacman/pacman-6.0.2/src/pacman/callback.h
/usr/src/debug/pacman/pacman-6.0.2/src/pacman/check.c
/usr/src/debug/pacman/pacman-6.0.2/src/pacman/check.h
Fixes: 776b7c1e75 ("debugflags: Ensure we have unique source paths")
Signed-off-by: Morten Linderud <morten@linderud.pw>
Signed-off-by: Allan McRae <allan@archlinux.org>
The debugedit call to list all source files may include things like
build/<...>. We have been filtering out these <> files, but they can
point to the build directory which is important to be available for
relative source paths stored in the .debug files.
Signed-off-by: Allan McRae <allan@archlinux.org>
Bash 5.2 has a new globskipdots option, which is enabled by default. The
check_dotfiles lint fails with globskipdots due to the assumption that
at least the "." and ".." paths will match. Disabling globskipdots would
be the usual solution, but that fails on bash<5.2. Instead, enable
nullglob for this check.
Signed-off-by: Allan McRae <allan@archlinux.org>
