From fd6e801cfb0910c00a789c6b3f17461d8610c99b Mon Sep 17 00:00:00 2001
From: Levente Polyak
Date: Fri, 13 Sep 2019 21:17:20 +0200
Subject: commitpkg: disallow if PKGBUILD hash mismatches package's enclosed hash

Several cases showed that we release packages that were built with different PKGBUILDs than the one commited to the source tree. This is bad for obvious reasons plus sploils reproducible builds. We, under no circumstances, want to allow using commitpkg to publish and release a packages whose PKGBUILD doesn't match the one to be commited.

Signed-off-by: Levente Polyak
---
 commitpkg.in | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/commitpkg.in b/commitpkg.in
index 08f2b97..d55ce37 100644
--- a/commitpkg.in
+++ b/commitpkg.in
@@ -83,7 +83,7 @@ while getopts ':l:a:s:f' flag; do
 done
 shift $(( OPTIND - 1 ))
 
-# check packages have the packager field set
+# check packages for validity
 for _arch in "${arch[@]}"; do
 if [[ -n $commit_arch && ${_arch} != "$commit_arch" ]]; then
 continue
@@ -95,6 +95,11 @@ for _arch in "${arch[@]}"; do
 if grep -q "packager = Unknown Packager" <(bsdtar -xOqf "$pkgfile" .PKGINFO); then
 die "PACKAGER was not set when building package"
 fi
+ hashsum=sha256sum
+ pkgbuild_hash=$(awk -v"hashsum=$hashsum" -F' = ' '$1 == "pkgbuild_"hashsum {print $2}' <(bsdtar -xOqf "$pkgfile" .BUILDINFO))
+ if [[ "$pkgbuild_hash" != "$($hashsum PKGBUILD|cut -d' ' -f1)" ]]; then
+ die "PKGBUILD $hashsum mismatch: expected $pkgbuild_hash"
+ fi
 fi
 done
 done
-- 
cgit v1.2.3-70-g09d2
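Review bot: The added comparison `[[ "$pkgbuild_hash" != "$($hashsum PKGBUILD|cut -d' ' -f1)" ]]` in the second hunk treats two empty strings as a match, so the check passes if the package has no `.BUILDINFO` (or no `pkgbuild_sha256sum` entry) and `$hashsum PKGBUILD` also yields no output. A bsdtar failure inside `<(...)` is not visible to the script, so it just leaves `pkgbuild_hash` empty. I would reject the empty case before comparing, `[[ -n $pkgbuild_hash ]] || die "no pkgbuild_$hashsum found in $pkgfile"`, and name `$pkgfile` in the mismatch message so the packager knows which artifact to rebuild. Since the expected hash is read from the package itself, a short comment should say that this catches accidental drift between build and commit and does not authenticate the package. The enclosing `for` loops and the outer `if` start above the hunk.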