FS#20448 - [makepkg] allow verifying source file signatures

Attached to Project: Pacman
Opened by Allan McRae (Allan) - Thursday, 12 August 2010, 12:44 GMT
Last edited by Allan McRae (Allan) - Wednesday, 12 October 2011, 23:17 GMT
Task Type Feature Request
Category makepkg
Status Closed
Assigned To Allan McRae (Allan)
Architecture All
Severity Very Low
Priority Normal
Reported Version 3.4.0
Due in Version 4.0.0
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Summary and Info:
Many projects distribute a signature file along with source code. It would be good to have makepkg verify these.

Closed by  Allan McRae (Allan)
Wednesday, 12 October 2011, 23:17 GMT
Reason for closing:  Implemented
Additional comments about closing:  http://projects.archlinux.org/pacman.git/commit/?id=94f61c5b
Comment by Dan McGee (toofishes) - Thursday, 12 August 2010, 13:08 GMT
+1 from me if it isn't a P in the A.

Do they usually live at a well-defined location that we could guess at, or would this be a separate array? Part of me says a separate array would be best, so something like:

source=('http://my.com/foobar/asdfasdf-$pkgver.tar.gz' 'mypatch1' 'myconfig1')
signatures=('http://my.com/foobar/asdfasdf-$pkgver.tar.gz.sig' '' '')

The emptiness indicates "no sig available", or perhaps we could use some other sentinel value.
Comment by Allan McRae (Allan) - Thursday, 12 August 2010, 13:22 GMT
For GNU projects, the signatures are always alongside the source file, but I am sure there would be exceptions so a separate array is almost definitely the way to go.
Comment by Dan McGee (toofishes) - Thursday, 12 August 2010, 13:26 GMT
We could even add one magic value that says "hey it's $filename.sig" or something.
Comment by strings (strings) - Sunday, 24 April 2011, 22:19 GMT
I was thinking about working on this.

My plan was to add a sigcheck build option. Then, in download_sources, check for the flag; if it is set, download the *.sig file along with the existing file.

Then, in place of md5sum checking, use gpg --verify. This part I'm still looking into.
Comment by strings (strings) - Monday, 25 April 2011, 01:11 GMT
OK, I did some hacking. This is based off
http://projects.archlinux.org/pacman.git master HEAD


git diff can be found here.
https://github.com/str1ngs/pacman/compare/sigs

This is just a rough outline; I can post proper patches to the ML if needed.

In a nutshell, it looks for a sig option in the PKGBUILD only. If it is set, then it will download the sig
along with the source file.

It will then run check_checksigs and check downloaded files only. It also runs check_checksums afterwards, which is redundant, but since it's checking local files anyway I do not see the harm.

The only real issue I see here is not being able to set sig in makepkg.conf. However, it does give the option for Allan and others to at least sig-check toolchain/GNU-related builds on a per-PKGBUILD basis.
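The download-then-`gpg --verify` flow described in the two comments above, written out as an added example. This is not makepkg's code and not the patch linked from GitHub; it assumes a pinned list of allowed key fingerprints (passed in as a space-separated string), that the signing keys are already in the verifying keyring, and the helper names check_gpg_status and verify_source_sig. The point it adds beyond "run gpg --verify" is the check a practitioner wants: gpg exiting 0 only says *some* key in the keyring made a good signature, so the machine-readable `--status-fd` output is parsed and the VALIDSIG fingerprint is compared against the pinned list.

```shell
#!/bin/sh
# Added example (not makepkg's own code). Verifies a detached PGP signature on a
# downloaded source file and accepts it only when gpg reports VALIDSIG from a key
# whose fingerprint is pinned by the caller. Helper names and the fingerprint
# argument convention are assumptions for this example.

# check_gpg_status STATUSFILE ALLOWED_FPRS
#   STATUSFILE   file holding `gpg --status-fd` output
#   ALLOWED_FPRS space-separated 40-hex-digit fingerprints (uppercase)
# Returns 0 only if no hard-failure status line is present AND a VALIDSIG line
# names (as signing key or primary key) one of the allowed fingerprints.
check_gpg_status() {
    status_file=$1
    allowed=$2

    # Hard failures: bad signature, unverifiable signature, unknown key, or a
    # key that is expired/revoked. Rejecting expired/revoked keys is a policy
    # choice; gpg still emits VALIDSIG for a cryptographically good signature
    # from such a key.
    if grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG|EXPSIG) ' "$status_file"; then
        return 1
    fi

    # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <reserved> <pk-algo> <hash-algo> <class> <primary-fpr>
    # Field 3 is the fingerprint of the signing (sub)key, field 12 the primary key's.
    fpr=$(awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}' "$status_file")
    primary=$(awk '/^\[GNUPG:\] VALIDSIG /{print $12; exit}' "$status_file")
    [ -n "$fpr" ] || return 1

    for k in $allowed; do
        if [ "$fpr" = "$k" ] || [ "$primary" = "$k" ]; then
            return 0
        fi
    done
    # Good signature, but from a key the caller did not pin: not trusted.
    return 1
}

# verify_source_sig SOURCE [SIGFILE] ALLOWED_FPRS
#   SIGFILE defaults to "$SOURCE.sig", the "alongside the source" convention
#   discussed in this task. Pass an empty string to get the default.
verify_source_sig() {
    src=$1
    sig=${2:-"$1.sig"}
    allowed=$3
    [ -r "$src" ] && [ -r "$sig" ] || return 1

    tmp=$(mktemp) || return 1
    # --batch: never prompt. --status-fd 1: machine-readable lines on stdout,
    # captured to $tmp; human-readable chatter goes to stderr and is discarded.
    # gpg's own exit status is deliberately ignored in favour of the parse.
    gpg --batch --status-fd 1 --verify "$sig" "$src" >"$tmp" 2>/dev/null
    check_gpg_status "$tmp" "$allowed"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Usage from a build script would be `verify_source_sig "foo-1.0.tar.gz" "" "$PINNED_FPRS" || exit 1`. The keyring gpg consults is whatever `GNUPGHOME` points at; for reproducible builds it is worth pointing that at a keyring containing only the upstream keys rather than a developer's personal keyring.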
Comment by Wieland Hoffmann (Mineo) - Wednesday, 29 June 2011, 14:36 GMT
I've done nearly the same thing (without checking the bugtracker first): https://github.com/mineo/pacman/compare/makepkg-pgp

We shouldn't be doing this two different ways, so please contact me (github, irc (same nick as here)) or follow the existing thread on the mailing list.
Comment by Allan McRae (Allan) - Wednesday, 03 August 2011, 12:00 GMT
Implemented in http://projects.archlinux.org/pacman.git/commit/?id=94f61c5b . Will leave open to remind me to tidy documentation...
Comment by Dan McGee (toofishes) - Thursday, 06 October 2011, 04:46 GMT
Documentation, Allan? :)
Comment by Allan McRae (Allan) - Thursday, 06 October 2011, 07:15 GMT
It is started... Will try and tidy up this weekend.
