From fd6e801cfb0910c00a789c6b3f17461d8610c99b Mon Sep 17 00:00:00 2001
From: Levente Polyak <anthraxx@archlinux.org>
Date: Fri, 13 Sep 2019 21:17:20 +0200
Subject: commitpkg: disallow if PKGBUILD hash mismatches package's enclosed
 hash

Several cases showed that we release packages that were built with
different PKGBUILDs than the one commited to the source tree. This is
bad for obvious reasons plus sploils reproducible builds.

We, under no circumstances, want to allow using commitpkg to publish and
release a packages whose PKGBUILD doesn't match the one to be commited.

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
---
 commitpkg.in | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'commitpkg.in')

diff --git a/commitpkg.in b/commitpkg.in
index 08f2b97..d55ce37 100644
--- a/commitpkg.in
+++ b/commitpkg.in
@@ -83,7 +83,7 @@ while getopts ':l:a:s:f' flag; do
 done
 shift $(( OPTIND - 1 ))
 
-# check packages have the packager field set
+# check packages for validity
 for _arch in "${arch[@]}"; do
 	if [[ -n $commit_arch && ${_arch} != "$commit_arch" ]]; then
 		continue
@@ -95,6 +95,11 @@ for _arch in "${arch[@]}"; do
 			if grep -q "packager = Unknown Packager" <(bsdtar -xOqf "$pkgfile" .PKGINFO); then
 				die "PACKAGER was not set when building package"
 			fi
+			hashsum=sha256sum
+			pkgbuild_hash=$(awk -v"hashsum=$hashsum" -F' = ' '$1 == "pkgbuild_"hashsum {print $2}' <(bsdtar -xOqf "$pkgfile" .BUILDINFO))
+			if [[ "$pkgbuild_hash" != "$($hashsum PKGBUILD|cut -d' ' -f1)" ]]; then
+				die "PKGBUILD $hashsum mismatch: expected $pkgbuild_hash"
+			fi
 		fi
 	done
 done
-- 
cgit v1.2.3-54-g00ecf