From f7d122044b42b6f296e38dcd37d458d58f33612d Mon Sep 17 00:00:00 2001 From: Morten Linderud Date: Sat, 30 May 2020 01:59:58 +0200 Subject: archrelease: ensure we check the checksum of the package Signed-off-by: Morten Linderud --- src/archrelease.in | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'src') diff --git a/src/archrelease.in b/src/archrelease.in index e80271b..55d3726 100644 --- a/src/archrelease.in +++ b/src/archrelease.in @@ -42,6 +42,17 @@ if git rev-parse "$pkgver" >/dev/null 2>&1; then die "archrelease: the tag $pkgver already exists in the repository!" fi +# If the tag exists we check if it's properly signed and that it +# matches the working directory PKGBUILD. +if git tag --verify "$pkgver" &> /dev/null; then + cwd_checksum=$(sha256sum PKGBUILD|cut -d' ' -f1) + tag_checksum=$(git show $pkgver:PKGBUILD | sha256sum |cut -d' ' -f1) + if [[ "$cwd_checksum" != "$tag_checksum" ]]; then + die "tagged PKGBUILD is not the same as the working dir PKGBUILD" + fi + exit 0 +fi + stat_busy "Releasing package" printf -v tag_list ", %s" "$@"; tag_list="${tag_list#, }" git tag -s -m "archrelease: released $pkgbase-$pkgver to $tag_list" "$pkgver" || abort -- cgit v1.2.3-70-g09d2