authorLevente Polyak <anthraxx@archlinux.org>2019-09-13 21:17:20 +0200
committerLevente Polyak <anthraxx@archlinux.org>2019-09-28 00:16:04 +0200
commitfd6e801cfb0910c00a789c6b3f17461d8610c99b (patch)
tree72bb30fb74dcd634ac79baa1a7e26eecc056cfa9 /commitpkg.in
parenta3868cf5423d68a3614020376840a67da3a6f0d4 (diff)
downloaddevtools32-fd6e801cfb0910c00a789c6b3f17461d8610c99b.tar.xz
commitpkg: disallow if PKGBUILD hash mismatches package's enclosed hash
Several cases showed that we release packages that were built with different PKGBUILDs than the one committed to the source tree. This is bad for obvious reasons and also spoils reproducible builds. We, under no circumstances, want to allow using commitpkg to publish and release a package whose PKGBUILD doesn't match the one to be committed. Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
Diffstat (limited to 'commitpkg.in')
-rw-r--r--commitpkg.in7
1 files changed, 6 insertions, 1 deletions
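diff --git a/commitpkg.in b/commitpkg.in
index 08f2b97..d55ce37 100644
--- a/commitpkg.in
+++ b/commitpkg.in
@@ -83,7 +83,7 @@ while getopts ':l:a:s:f' flag; do
 done
 shift $(( OPTIND - 1 ))
-# check packages have the packager field set
+# check packages for validity
 for _arch in "${arch[@]}"; do
 if [[ -n $commit_arch && ${_arch} != "$commit_arch" ]]; then
 continue
@@ -95,6 +95,11 @@ for _arch in "${arch[@]}"; do
 if grep -q "packager = Unknown Packager" <(bsdtar -xOqf "$pkgfile" .PKGINFO); then
 die "PACKAGER was not set when building package"
 fi
+ hashsum=sha256sum
+ pkgbuild_hash=$(awk -v"hashsum=$hashsum" -F' = ' '$1 == "pkgbuild_"hashsum {print $2}' <(bsdtar -xOqf "$pkgfile" .BUILDINFO))
+ if [[ "$pkgbuild_hash" != "$($hashsum PKGBUILD|cut -d' ' -f1)" ]]; then
+ die "PKGBUILD $hashsum mismatch: expected $pkgbuild_hash"
+ fi
 fi
 done
 done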
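Review bot: The new `if` comparison treats an empty `pkgbuild_hash` exactly like a wrong one, so a package whose .BUILDINFO carries no `pkgbuild_sha256sum` entry, or whose .BUILDINFO cannot be extracted at all (bsdtar's status is lost inside the process substitution), dies with the misleading message `PKGBUILD sha256sum mismatch: expected ` followed by nothing. Failing closed is the right default here, but the cause should be named so the maintainer knows whether to rebuild or to fix the tree; before the comparison add `[[ -n $pkgbuild_hash ]] || die "PKGBUILD $hashsum not recorded in .BUILDINFO of $pkgfile"`. The same applies to the computed side, since a missing or unreadable PKGBUILD also collapses into "mismatch" through the `$( … )` inside `[[ ]]`. `hashsum=sha256sum` is a constant reassigned on every iteration and can be hoisted above the `for _arch` loop as `readonly`. The enclosing `if` and both `for` loops begin outside the hunk.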