commitpkg: disallow if PKGBUILD hash mismatches package's enclosed hash
Several cases showed that we release packages that were built with different PKGBUILDs than the one commited to the source tree. This is bad for obvious reasons plus sploils reproducible builds. We, under no circumstances, want to allow using commitpkg to publish and release a packages whose PKGBUILD doesn't match the one to be commited. Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
This commit is contained in:
parent
a3868cf542
commit
fd6e801cfb
|
@ -83,7 +83,7 @@ while getopts ':l:a:s:f' flag; do
|
|||
done
|
||||
shift $(( OPTIND - 1 ))
|
||||
|
||||
# check packages have the packager field set
|
||||
# check packages for validity
|
||||
for _arch in "${arch[@]}"; do
|
||||
if [[ -n $commit_arch && ${_arch} != "$commit_arch" ]]; then
|
||||
continue
|
||||
|
@ -95,6 +95,11 @@ for _arch in "${arch[@]}"; do
|
|||
if grep -q "packager = Unknown Packager" <(bsdtar -xOqf "$pkgfile" .PKGINFO); then
|
||||
die "PACKAGER was not set when building package"
|
||||
fi
|
||||
hashsum=sha256sum
|
||||
pkgbuild_hash=$(awk -v"hashsum=$hashsum" -F' = ' '$1 == "pkgbuild_"hashsum {print $2}' <(bsdtar -xOqf "$pkgfile" .BUILDINFO))
|
||||
if [[ "$pkgbuild_hash" != "$($hashsum PKGBUILD|cut -d' ' -f1)" ]]; then
|
||||
die "PKGBUILD $hashsum mismatch: expected $pkgbuild_hash"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
|
Loading…
Reference in New Issue