From c764942ed13b3409b6bd49d33e6165b02c1887e2 Mon Sep 17 00:00:00 2001
From: Stephen Seo
Date: Fri, 17 Mar 2023 15:20:16 +0900
Subject: [PATCH] Fix integirty checking with gpg No longer need to use the pacman hook as integrity checking is done by the script before building. Also, the temporary file created to test gpg signing will now be created, signed, and removed in the user's `.local/share` directory.
---
 README.md | 14 ++++++--------
 makechrootpkg_noskipinteg.hook | 11 -----------
 update.py | 25 +++++++++++++++++++++++--
 3 files changed, 29 insertions(+), 21 deletions(-)
 delete mode 100644 makechrootpkg_noskipinteg.hook
diff --git a/README.md b/README.md
index 46d5809..e88efb0 100644
--- a/README.md
+++ b/README.md
@@ -173,12 +173,10 @@ It is recommended to use the script with a prepared config.
 # Other Notes
-By default, `makechrootpkg` does not verify integrity of files in the PKGBUILD.
-Use the `makechrootpkg_noskipinteg.hook` to modify the `makechrootpkg` script to
-not skip integrity checks.
+~~By default, `makechrootpkg` does not verify integrity of files in the
+PKGBUILD. Use the `makechrootpkg_noskipinteg.hook` to modify the
+`makechrootpkg` script to not skip integrity checks.~~
-The hook must be placed in `/etc/pacman.d/hooks/`.
-
-Note that the hook only takes effect when `devtools` is updated. If you want to
-activate the hook immediately, you can reinstall `devtools` with
-`pacman -S devtools`.
+`update.py` now does integrity checks before building with `makechrootpkg`. It
+is no longer necessary to modify the `/usr/bin/makechrootpkg` because the
+integrity checks are done separately.
diff --git a/makechrootpkg_noskipinteg.hook b/makechrootpkg_noskipinteg.hook
deleted file mode 100644
index 90902da..0000000
--- a/makechrootpkg_noskipinteg.hook
+++ /dev/null
@@ -1,11 +0,0 @@
-[Trigger]
-Operation = Install
-Operation = Upgrade
-Type = Package
-Target = devtools
-
-[Action]
-Description = Force makechrootpkg to not --skipinteg
-When = PostTransaction
-Exec = /usr/bin/sed -i '/^default_makepkg_args=.*$/s/ --skipinteg//' /usr/bin/makechrootpkg
-Depends = devtools
diff --git a/update.py b/update.py
index e9ca8c9..1268c7d 100755
--- a/update.py
+++ b/update.py
@@ -1010,7 +1010,6 @@ def update_pkg_list(
 sys.exit(1)
 for pkg in pkgs:
 pkgdir = os.path.join(other_state["clones_dir"], pkg)
-log_print(f'Building "{pkg}"...')
 if "ccache_dir" in pkg_state[pkg]:
 cleanup_sccache(other_state["chroot"])
 setup_ccache(other_state["chroot"])
@@ -1021,6 +1020,24 @@ def update_pkg_list(
 else:
 cleanup_sccache(other_state["chroot"])
+ # check integrity
+ log_print(f"Checking files of {pkg} before building it...")
+ try:
+ subprocess.run(
+ (
+ "/usr/bin/env",
+ "makepkg",
+ "--verifysource"
+ ),
+ check=True,
+ cwd=pkgdir,
+ )
+ except:
+ log_print(f"ERROR: Failed to verify pkg \"{pkg}\"")
+ pkg_state[pkg]["build_status"] = "fail"
+ continue
+
+ log_print(f'Building "{pkg}"...')
 command_list = [
 "/usr/bin/env",
 "makechrootpkg",
@@ -1302,7 +1319,11 @@ def test_gpg_passphrase(
 ):
 """Checks if the given gpg passphrase works with the gpg signing key."""
- with tempfile.NamedTemporaryFile() as tempnf:
+ local_share_dir = os.path.join(os.environ["HOME"], ".local", "share")
+ local_share_dir_path = Path(local_share_dir)
+ if not local_share_dir_path.exists():
+ local_share_dir_path.mkdir(parents=True)
+ with tempfile.NamedTemporaryFile(dir=local_share_dir) as tempnf:
 tempnf.write(b"Test file content")
 tempnf.flush()
 try:
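Review bot: The bare `except:` around the new `makepkg --verifysource` call in update_pkg_list also catches KeyboardInterrupt and SystemExit, so interrupting the run during verification is recorded as a failed package and the loop carries on with the next one; narrow it to `except (subprocess.CalledProcessError, OSError):`. A comment above the call should record two limits of this check: makepkg reads the PKGBUILD by sourcing it, so this step runs in `pkgdir` on the host rather than inside the chroot, and `--verifysource` only checks what the PKGBUILD itself declares, so a `SKIP` checksum entry passes unverified. The `for pkg in pkgs:` loop this sits in starts and ends outside the hunk.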
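Review bot: `os.environ["HOME"]` in test_gpg_passphrase raises KeyError when HOME is unset (some service and cron environments), and the `exists()` check followed by `mkdir(parents=True)` can fail with FileExistsError if the directory is created in between. Using `local_share_dir_path = Path.home() / ".local" / "share"`, then `local_share_dir_path.mkdir(parents=True, exist_ok=True)`, and passing `dir=local_share_dir_path` covers both. `XDG_DATA_HOME` is not consulted, which may be intentional but deserves a one-line comment. The signing call and its cleanup are in the `try:` body outside this hunk, so whether any signature output written next to the temp file is removed on every path cannot be confirmed from here.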