Fix integirty checking with gpg

No longer need to use the pacman hook as integrity checking is done by the script before building. Also, the temporary file created to test gpg signing will now be created, signed, and removed in the user's `.local/share` directory.
2023-03-17 15:20:16 +09:00 · 2023-03-17 15:20:16 +09:00 · c764942ed1
parent ed27852353
commit c764942ed1
3 changed files with 29 additions and 21 deletions
--- a/README.md
+++ b/README.md
@ -173,12 +173,10 @@ It is recommended to use the script with a prepared config.

 # Other Notes

-By default, `makechrootpkg` does not verify integrity of files in the PKGBUILD.
-Use the `makechrootpkg_noskipinteg.hook` to modify the `makechrootpkg` script to
-not skip integrity checks.
+~~By default, `makechrootpkg` does not verify integrity of files in the
+PKGBUILD. Use the `makechrootpkg_noskipinteg.hook` to modify the
+`makechrootpkg` script to not skip integrity checks.~~

-The hook must be placed in `/etc/pacman.d/hooks/`.
-
-Note that the hook only takes effect when `devtools` is updated. If you want to
-activate the hook immediately, you can reinstall `devtools` with
-`pacman -S devtools`.
+`update.py` now does integrity checks before building with `makechrootpkg`. It
+is no longer necessary to modify the `/usr/bin/makechrootpkg` because the
+integrity checks are done separately.
--- a/makechrootpkg_noskipinteg.hook
+++ b/makechrootpkg_noskipinteg.hook
@ -1,11 +0,0 @@
-[Trigger]
-Operation = Install
-Operation = Upgrade
-Type = Package
-Target = devtools
-
-[Action]
-Description = Force makechrootpkg to not --skipinteg
-When = PostTransaction
-Exec = /usr/bin/sed -i '/^default_makepkg_args=.*$/s/ --skipinteg//' /usr/bin/makechrootpkg
-Depends = devtools
--- a/update.py
+++ b/update.py
@ -1010,7 +1010,6 @@ def update_pkg_list(
        sys.exit(1)
    for pkg in pkgs:
        pkgdir = os.path.join(other_state["clones_dir"], pkg)
-        log_print(f'Building "{pkg}"...')
        if "ccache_dir" in pkg_state[pkg]:
            cleanup_sccache(other_state["chroot"])
            setup_ccache(other_state["chroot"])
@ -1021,6 +1020,24 @@ def update_pkg_list(
            else:
                cleanup_sccache(other_state["chroot"])

+        # check integrity
+        log_print(f"Checking files of {pkg} before building it...")
+        try:
+            subprocess.run(
+                (
+                    "/usr/bin/env",
+                    "makepkg",
+                    "--verifysource"
+                ),
+                check=True,
+                cwd=pkgdir,
+            )
+        except:
+            log_print(f"ERROR: Failed to verify pkg \"{pkg}\"")
+            pkg_state[pkg]["build_status"] = "fail"
+            continue
+
+        log_print(f'Building "{pkg}"...')
        command_list = [
            "/usr/bin/env",
            "makechrootpkg",
@ -1302,7 +1319,11 @@ def test_gpg_passphrase(
 ):
    """Checks if the given gpg passphrase works with the gpg signing key."""

-    with tempfile.NamedTemporaryFile() as tempnf:
+    local_share_dir = os.path.join(os.environ["HOME"], ".local", "share")
+    local_share_dir_path = Path(local_share_dir)
+    if not local_share_dir_path.exists():
+        local_share_dir_path.mkdir(parents=True)
+    with tempfile.NamedTemporaryFile(dir=local_share_dir) as tempnf:
        tempnf.write(b"Test file content")
        tempnf.flush()
        try: