Diffstat (limited to 'src')
-rw-r--r-- | src/commitpkg.in | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/src/commitpkg.in b/src/commitpkg.in
index ef30544..6b9d727 100644
--- a/src/commitpkg.in
+++ b/src/commitpkg.in
@@ -4,6 +4,33 @@ m4_include(lib/common.sh)
+check_pkgbuild_validity() {
+	# shellcheck source=contrib/makepkg/PKGBUILD.proto
+	. ./PKGBUILD
+
+	# skip when there are no sources available
+	if (( ! ${#source[@]} )); then
+		return
+	fi
+
+	# validate sources hash algo is at least > sha1
+	local bad_algos=("cksums" "md5sums" "sha1sums")
+	local good_hash_algo=false
+
+	# from makepkg libmakepkg/util/schema.sh
+	for integ in "${known_hash_algos[@]}"; do
+		local sumname="${integ}sums"
+		if [[ -n ${!sumname} ]] && ! in_array "${sumname}" "${bad_algos[@]}"; then
+			good_hash_algo=true
+			break
+		fi
+	done
+
+	if ! $good_hash_algo; then
+		die "PKGBUILD lacks a secure cryptographic checksum, insecure algorithms: ${bad_algos[*]}"
+	fi
+}
+
 # Source makepkg.conf; fail if it is not found
 if [[ -r '/etc/makepkg.conf' ]]; then
 	# shellcheck source=config/makepkg/x86_64.conf
@@ -121,6 +148,9 @@ for _arch in "${arch[@]}"; do
 	fi
 done
 
+# check for PKGBUILD standards
+check_pkgbuild_validity
+
 if [[ -z $server ]]; then
 	server='repos.archlinux.org'
 fi |
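Review bot: The loop in `check_pkgbuild_validity` iterates `"${known_hash_algos[@]}"`, but nothing in this hunk defines that array (the comment only says it comes from makepkg's libmakepkg/util/schema.sh), so unless common.sh or another file sourced outside the hunk provides it, the loop body never runs and every PKGBUILD with a non-empty `source` array is rejected by the `die` at the end. The check also only looks at the plain `${integ}sums` names, so a PKGBUILD that carries its digests only in architecture-specific arrays such as `sha256sums_x86_64` is reported as lacking a secure checksum; either append the `_${_arch}` variants to the lookup or document the limitation in the comment above the loop. `[[ -n ${!sumname} ]]` inspects only the first element of each array, so `sha256sums=('SKIP')` passes; if that is deliberate for VCS sources, say so, e.g. `# only the algorithm is validated here; makepkg verifies the digests themselves`. `integ` is assigned without `local` and leaks into the script's global scope after the call, while `bad_algos` and `good_hash_algo` are declared `local`; a `local integ` before the `for` line keeps the three consistent.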