Age | Commit message (Collapse) | Author |
|
In 42e7020281d3ae260e1e9693495f527b7f476625 creating the gpg statusfile
for a source file was split into a separate function, which used the
return code to indicate unsigned files and proto-specific errors.
However, the fallback return code was set by the final gpg invocation,
which would be 1 if the signature was somehow broken (for example, the
key was not available in the gpg keyring). As a result makepkg thought
that file did not have a signature and skipped over it rather than
erroring out.
Fix this by explicitly setting the return code for all
verify_*_signature() functions.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
In commit 8b0d59b83a60eb504567590346119fe4cd891cad support was added for
storing the source files of binaries in debug packages. This made use of
the debugedit program which is part of the RPM package manager, which is
not very standalone.
The same effect can be achieved using -fdebug-prefix-map, an option
accepted by both the gcc and clang compilers which modifies how the
compiler itself stores the references to the source files rather than
requiring us to later edit the produced binaries. This also removes the
dependency on external programs like debugedit.
As a result of this change, source files will only be effectively added
for programs which actually use the exported CFLAGS. This is a reasonable
tradeoff as we expect our CFLAGS to be used rather than ignored. Upstream
software which do not produce useful debug packages are expected to fix
their build systems to respect the environment CFLAGS.
As a result of this change, the routine for extracting source filenames
from binaries had to be modified to derive the source file from the
final debug location, rather than the other way around.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
In commit 8b0d59b83a60eb504567590346119fe4cd891cad support was added for
storing the source files of binaries in debug packages. Allow the user
to specify where those source files should be stored via makepkg.conf
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
This allows for more easily extending the list of allowed compression
methods, as it has to be modified in only one place.
Also allow the user to specify their own preferred command + options for
source packages in addition to compiled packages. Currently,
makepkg.conf(5) erroneously claims this is already possible.
|
|
Prior to commit aca153bfa6b1bcd828f0b35db453bb9fea6a08bf some .sh files
were not generated and simply included directly, and it was necessary to
explicitly iterate all ignored files to prevent git from ignoring the
directly-included files. However, now all .sh files are in fact
generated so it makes no sense to list each one separately in the
.gitignore file.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
The extra variables on the commandline were inconsistently applied. They
should override anything else, instead, most were overridden by
environment variables with the exception of BUILDDIR (and this was not
sanity-checked to see if it had write permissions).
e.g. given the commandline:
`PKGDEST="$(pwd)"` BUILDDIR="$(pwd)" makepkg PKGDEST=/doesnt/exist BUILDDIR=/doesnt/exist`
We would incorrectly use the current working directory for PKGDEST.
Meanwhile, we checked the wrong directory for BUILDDIR, and later
errored when we tried to create $srcdir inside the non-writable
directory "/doesnt/exist".
In order to fix this, use the preferred bash builtin for saving variable
definitions, similar to how we restore traps etc. rather than tediously
redefining each one by hand, and restore this immediately after
makepkg.conf is sourced. Finally, the `make`-style commandline overrides
are applied.
Also canonicalize_path is applied only on the final paths we try to use.
While it is unlikely the value in makepkg.conf will be a relative path,
since we now properly respect commandline overrides, they should be
canonicalized as well.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
For your convenience, makepkg now has 16 distinct ways to fail.
Also closes FS#54204.
Signed-off-by: Ivy Foster <iff@escondida.tk>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
The leading directory is distraction from identifying the files containing
build references.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Not all sed implementations on linux accept the --follow-symlinks
argument, so let the user configure the arguments passed to sed if
required.
Signed-off-by: Alastair Hughes <hobbitalastair@gmail.com>
[Allan: fixed configure summary output]
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
If SOURCE_DATE_EPOCH is set, `touch` all source files between the (optional)
prepare() and build() functions to unify the modification times. This works
around build systems and compilers that embed the file modification times
into the file contents of release artifacts.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
As per https://lists.archlinux.org/pipermail/arch-general/2017-July/043876.html
git doesn't check that the tag name matches what an annotated tag object
*thinks* it should be called. This is a bit of a theoretical attack and
some would argue that we should always use commits since upstream can
legitimately change a tag, but nevertheless this can result in a
downgrade attack if the git download transport was manipulated or the
upstream repository hacked.
So, check the tag blob to make sure the tag actually matches the name we
used for `git checkout`.
This really should be fixed in git itself, rather than forcing all
downstream users of git verify-tag to implement their own checks, but
the git developers disagree, see the discussion surrounding
https://public-inbox.org/git/xmqqk2hzldx8.fsf@gitster.mtv.corp.google.com/
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
The .BUILDINFO file should retain all the information needed to reproducibly
build a package. Add some extra information to the file and also provide a
version number to keep track of future changes.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
In write_pkginfo, we checked if $PACKAGER was undefined, and gave a default
value if not. Just do this upfront to simplify this function.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
There is little savings in only writing pkgbase when different to pkgname, and
it makes determining the pkgbase by parsing .PKGINFO slightly easier. Lets just
write it...
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Since 8a02abcf19, this attribute will never exist. Remove check to write it.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Eli Schwartz <eschwartz93@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Eli Schwartz <eschwartz93@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
There were a couple places where filenames beginning with "-" were not
properly guarded against by passing them after "--". Some PKGBUILD
authors are crazy, but we still take those into account.
Signed-off-by: Eli Schwartz <eschwartz93@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
This patch introduces the SOURCE_DATE_EPOCH environmental variable. All files
in a package are adjusted to have their modification dates set to the value
of SOURCE_DATE_EPOCH, which defaults to "date +%s".
Setting this variable allows a package that is built twice in the same
environment to be (potentially) reproducible in that the checksum of the
generated package file will be the same.
Also adjust the compression of the mtree file to avoid gzip embedding a
timestamp.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
|
|
This information is duplicated (in less friendly format) in the "builddate"
entry and removing it improves reproducible packaging.
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
|
|
With recent version of gpg, signing within fakeroot works on the first
invocation, but fails on later runs. Sign all packages outside of fakeroot
to avoid this issue.
Fixes FS#49946.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Setting PKGDEST and friends enables us to keep all built packages in a single
location. Symlinking these files into the build directory creates unnecessary
clutter and requires clean-up in multiple places when removing old version.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Delete log files for the pkgver and prepare functions if -c,--clean is
passed.
Fixes FS#51039 and FS#51075
Includes patch submitted by Christian Braun.
Signed-off-by: Michael Straube <straubem@gmx.de>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Now uses wc -c $file | cut -d' ' -f1, which works using only POSIX
commands and removes the need for any platform-specific usages.
Signed-off-by: Drew DeVault <sir@cmpwn.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Debug packages are fairly useless currently because the soucre files needed
for stepping through code etc are not packaged with them. This patch adds the
needed source files to the debug package and adjusts the debug info to look at
the /usr/src/debug/ directory for them rather than the build location. This
requires using the "debugedit" program which is provided as part of the RPM
sources.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
A git repository is marked as signed if it contains the query "signed"
as defined by https://tools.ietf.org/html/rfc3986
Adds two utility functions in util/source.sh.in to extract fragments and
queries, and modifies source/git.sh.in to use them.
Signed-off-by: Eli Schwartz <eschwartz93@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
This makes it easier to add signature verification for new protos.
Signed-off-by: Eli Schwartz <eschwartz93@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
By passing a NUL-separated filelist, this also fixes a bug where files
that look like bsdtar options in the package root could break the
package ("-C" was particularly troublesome because bsdtar interprets it
as an option anywhere in the file list, even following "--").
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
libalpm reserves paths starting with '.' for its own use and will not
extract any other than those it recognizes.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
scripts/libmakepkg/lint_pkgbuild/pkgver.sh.in now raises an error when
pkgver contains forward slashes.
pkgver containing a forward slash results in a package filename
containing a forward slash, which isn't a valid filename.
Signed-off-by: Steef Hegeman <steefhegeman@hotmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
We want to provide source files with debug symbol packages to allow easy
stepping through the program. This becomes difficult with split packages due
to the binaries in many of these sharing source files across packages.
There are (at least) two solutions to this problem. #1: ensure common source
files are located in the debug package for the package lowest in the dependency
chain and add dependencies to the debug packages so all require source files
are present, or #2: create one debug package for all split packages in a
PKGBUILD. The second is a more robust approach despite potentially creating
very large debug packages.
This patch creates a single $pkgbase-debug package and adds provides such that
installing $pkgname-debug will always work.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
These files are generated at build time. Ignore in git.
Signed-off-by: Christian Hesse <mail@eworm.de>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
libalpm's local database format does not support paths with newlines.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Allows lint_package to prevent makepkg from creating an invalid package.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
The PKGINFO format cannot handle values that contain newlines.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Neither function was checking for the existence of actual results before
calling printf, resulting in them returning a list with a single empty
value if there were no depends/provides.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
I'm not convinced this is a worthwhile goal, but let's follow suit.
Since we can't know the names of all the vars that might exist, unset
them by pattern.
|
|
|
|
The inside needs quoting, and this is separate from the declartion,
which does not (in these cases).
|
|
Use shopt to set/reset errexit and errtrace, which lets us:
1) be more vigilant, resetting anything the user might do to us in
PKGBUILD functions.
2) use human-readable words (errexit vs. -e)
On top of this, introduce a new save/restore for the shell's other
shopts. A user should not have any expectations that what happens in
one function is available in another function, if it isn't explicitly
defined in the PKGBUILD. While this change does not make that
assertion, it gets us closer.
We also replace a variable which comes from out of nowhere (pkgfunc)
with the positional parameter containing the same value. Quoting is
adjusted to make the expansion happen at the time the trap is set,
rather than later on.
|
|
These 'set +E' diversions haven't been needed since global errexit was
disabled in dca10b062f2 (January 2012).
|
|
After 1f8f0bd9ac4c11cdc1b9506f9f64d8192ecad4ee all scripts that were
changed to using the wrapper for in-tree use have the wrappers installed
to the system instead of the actual script, so change the install
command to support all wrapped scripts instead of just makepkg.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
This reverts commit a79c0038ae84c38fe063bd7426a839f3c01c10e8.
I merged the wrong branch into master...
|
|
Debug packages are fairly useless currently because the soucre files
needed for stepping through code etc are not packaged with them. This
patch adds the needed source files to the debug package and adjusts
the debug info to look at the /usr/src/debug/ directory for them rather
than the build location. This requires using the "debugedit" program
which is provided as part of the RPM sources.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Since rewriting build_references() anyway, tweaked quoting.
Implements FS#31558.
Signed-off-by: Ivy Foster <ivy.foster@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
If pacman is build against a crypto library other than openssl, it makes no
sense to require makepkg to use it.
The only currently considered alternative to openssl is nettle, which has no
binary for base64 encode/decode. This means that we could replace the hashing
cacluations with nettle-hash, but would require base64 from coreutils.
Given makepkg already relies heavily on coreutils, we might as well use all
the coreutils hashing binaries too.
This patch also improves the checking of required binaries for hashing
operations.
Signed-off-by: Allan McRae <allan@archlinux.org>
|