diff options
author | Jelle van der Waa <jelle@archlinux.org> | 2023-01-02 15:16:29 +0100 |
---|---|---|
committer | Levente Polyak <anthraxx@archlinux.org> | 2023-03-19 21:57:30 +0100 |
commit | 9297eb344e997b716ee3de9f17c7ebb33cd1791d (patch) | |
tree | ab5eaa6fce2b750aa8e5df09211f4350a4202c8b /src/commitpkg.in | |
parent | b34814419dff4c266201c7ee2402bdf9648c6078 (diff) | |
download | devtools-9297eb344e997b716ee3de9f17c7ebb33cd1791d.tar.xz |
commitpkg: disallow weak hashing algorithms
Do not allow uploads of source=() with only weak cryptographic hashing
algorithms but require at least one strong algorithm.
This doesn't 100% enforce it ofcourse, but it allows for an early
failure instead of failing in `db-update`.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
Diffstat (limited to 'src/commitpkg.in')
-rw-r--r-- | src/commitpkg.in | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/src/commitpkg.in b/src/commitpkg.in index ef30544..6b9d727 100644 --- a/src/commitpkg.in +++ b/src/commitpkg.in @@ -4,6 +4,33 @@ m4_include(lib/common.sh) +check_pkgbuild_validity() { + # shellcheck source=contrib/makepkg/PKGBUILD.proto + . ./PKGBUILD + + # skip when there are no sources available + if (( ! ${#source[@]} )); then + return + fi + + # validate sources hash algo is at least > sha1 + local bad_algos=("cksums" "md5sums" "sha1sums") + local good_hash_algo=false + + # from makepkg libmakepkg/util/schema.sh + for integ in "${known_hash_algos[@]}"; do + local sumname="${integ}sums" + if [[ -n ${!sumname} ]] && ! in_array "${sumname}" "${bad_algos[@]}"; then + good_hash_algo=true + break + fi + done + + if ! $good_hash_algo; then + die "PKGBUILD lacks a secure cryptographic checksum, insecure algorithms: ${bad_algos[*]}" + fi +} + # Source makepkg.conf; fail if it is not found if [[ -r '/etc/makepkg.conf' ]]; then # shellcheck source=config/makepkg/x86_64.conf @@ -121,6 +148,9 @@ for _arch in "${arch[@]}"; do fi done +# check for PKGBUILD standards +check_pkgbuild_validity + if [[ -z $server ]]; then server='repos.archlinux.org' fi |