summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLevente Polyak <anthraxx@archlinux.org>2019-09-13 21:17:20 +0200
committerLevente Polyak <anthraxx@archlinux.org>2019-09-28 00:16:04 +0200
commitfd6e801cfb0910c00a789c6b3f17461d8610c99b (patch)
tree72bb30fb74dcd634ac79baa1a7e26eecc056cfa9
parenta3868cf5423d68a3614020376840a67da3a6f0d4 (diff)
downloaddevtools-fd6e801cfb0910c00a789c6b3f17461d8610c99b.tar.xz
commitpkg: disallow if PKGBUILD hash mismatches package's enclosed hash
Several cases showed that we release packages that were built with different PKGBUILDs than the one commited to the source tree. This is bad for obvious reasons plus sploils reproducible builds. We, under no circumstances, want to allow using commitpkg to publish and release a packages whose PKGBUILD doesn't match the one to be commited. Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
-rw-r--r--commitpkg.in7
1 files changed, 6 insertions, 1 deletions
diff --git a/commitpkg.in b/commitpkg.in
index 08f2b97..d55ce37 100644
--- a/commitpkg.in
+++ b/commitpkg.in
@@ -83,7 +83,7 @@ while getopts ':l:a:s:f' flag; do
done
shift $(( OPTIND - 1 ))
-# check packages have the packager field set
+# check packages for validity
for _arch in "${arch[@]}"; do
if [[ -n $commit_arch && ${_arch} != "$commit_arch" ]]; then
continue
@@ -95,6 +95,11 @@ for _arch in "${arch[@]}"; do
if grep -q "packager = Unknown Packager" <(bsdtar -xOqf "$pkgfile" .PKGINFO); then
die "PACKAGER was not set when building package"
fi
+ hashsum=sha256sum
+ pkgbuild_hash=$(awk -v"hashsum=$hashsum" -F' = ' '$1 == "pkgbuild_"hashsum {print $2}' <(bsdtar -xOqf "$pkgfile" .BUILDINFO))
+ if [[ "$pkgbuild_hash" != "$($hashsum PKGBUILD|cut -d' ' -f1)" ]]; then
+ die "PKGBUILD $hashsum mismatch: expected $pkgbuild_hash"
+ fi
fi
done
done