diff options
| author | Levente Polyak <anthraxx@archlinux.org> | 2019-09-13 21:17:20 +0200 |
|---|---|---|
| committer | Levente Polyak <anthraxx@archlinux.org> | 2019-09-28 00:16:04 +0200 |
| commit | fd6e801cfb0910c00a789c6b3f17461d8610c99b (patch) | |
| tree | 72bb30fb74dcd634ac79baa1a7e26eecc056cfa9 | |
| parent | a3868cf5423d68a3614020376840a67da3a6f0d4 (diff) | |
| download | devtools32-fd6e801cfb0910c00a789c6b3f17461d8610c99b.tar.xz | |
commitpkg: disallow if PKGBUILD hash mismatches package's enclosed hash
Several cases showed that we release packages that were built with
different PKGBUILDs than the one commited to the source tree. This is
bad for obvious reasons plus sploils reproducible builds.
We, under no circumstances, want to allow using commitpkg to publish and
release a packages whose PKGBUILD doesn't match the one to be commited.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
| -rw-r--r-- | commitpkg.in | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/commitpkg.in b/commitpkg.in index 08f2b97..d55ce37 100644 --- a/commitpkg.in +++ b/commitpkg.in @@ -83,7 +83,7 @@ while getopts ':l:a:s:f' flag; do done shift $(( OPTIND - 1 )) -# check packages have the packager field set +# check packages for validity for _arch in "${arch[@]}"; do if [[ -n $commit_arch && ${_arch} != "$commit_arch" ]]; then continue @@ -95,6 +95,11 @@ for _arch in "${arch[@]}"; do if grep -q "packager = Unknown Packager" <(bsdtar -xOqf "$pkgfile" .PKGINFO); then die "PACKAGER was not set when building package" fi + hashsum=sha256sum + pkgbuild_hash=$(awk -v"hashsum=$hashsum" -F' = ' '$1 == "pkgbuild_"hashsum {print $2}' <(bsdtar -xOqf "$pkgfile" .BUILDINFO)) + if [[ "$pkgbuild_hash" != "$($hashsum PKGBUILD|cut -d' ' -f1)" ]]; then + die "PKGBUILD $hashsum mismatch: expected $pkgbuild_hash" + fi fi done done |