I found this feature confusing, and the documentation wasn't any help.
It was pointed out to me on IRC that validpgpkeys expects full
fingerprints, and won't accept shorter forms. This makes the
documentation insufficient, and the variable name itself misleading.
This patch bolsters the documentation to explain more about what the
contents should be, and implements suffix matching to allow matching on
shorters fingerprint suffices. Now, when makepkg tells you that a key
ID isn't valid, it's sufficient to manually check the key ID against
the known good ID, and add it as is to validpgpkeys.
Signed-off-by: Allan McRae <allan@archlinux.org>
This commit changes the few remaining instances of:
[[ ! $foo = "$bar" ]]
to the more common:
[[ $foo != "$bar" ]]
Signed-off-by: Allan McRae <allan@archlinux.org>
This implements support for declarations such as:
arch=('i686' 'x86_64')
...
source=("somescript.sh")
source_i686=("http://evilmonster.com/i686/ponies-9001-1.i686.bin")
source_x86_64=("http://evilmonster.com/i686/ponies-9001-1.x86_64.bin")
md5sums=('d41d8cd98f00b204e9800998ecf8427e')
md5sums_i686=('e4ca381035a34b7a852184cc0dd89baa')
md5sums_x86_64=('4019740e6998f30a3c534bac6a83f582')
Just the same as the "untagged" sources, multiple integrity algorithms
are supported. The manpage is updated to reflect support for these
suffices.
This commit also refactors download_sources slightly:
1) to use the otherwise preferred convention of lowercase local variable
names, and to make the handling of $1 more clear.
2) rename the "fast" parameter to "novcs", to make it more clear what
this token does.
3) add a new possible token "allarch" to ensure that download_sources
will fetch all sources, for all architectures.
This also fixes a "bug" in which a PKGBUILD without any source array
would generate "md5sums=()". While not technically wrong, we can easily
do better and emit nothing at all.
We rely on values in the arch array to be valid as part of variable
names, so extend the arch lint check to catch this.
This also cleans up lint_arch to restrict the use of "lint" only to the
package-specific architecture checks. It previously had an odd
declaration with a conditional expansion that would never be true.
Since source package creation is architecture independent, we should
ignore architecture-dependent behaviors such as the lint check which
will halt execution when the host machine is not a supported arch.
https://github.com/falconindy/pkgbuild-introspection/issues/15
Original-work-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
* convert dbpath from argument to option
* add --config and --root options
* read dbpath and root from config file
* if root is set but not dbpath, dbpath is set relative to root
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
This eval enables the following in a PKGBUILD to "just work":
source=('$pkgname-$pkgver.tar.gz'::'https://host/$pkgver.tar.gz')
This has at least two problems:
- It violated the principle of least surprise.
- It could be a security issue since URLs are arbitrary input.
Instead, expand the dlagent command line into an array, replace the %o,
%u place holders, and run the resultant command line as is.
Embedded spaces in the DLAGENTS entry can be escaped with a backslash.
Fixes FS#41682
Signed-off-by: Allan McRae <allan@archlinux.org>
Git has the ability to use helper applications for interfacing with hg,
and from what we had before, the following url::
foo::git+hg::http://foo.bar/foobar
would get converted to something along the lines of:
filename: foo
URL: http://foo.bar/foobar
and the 'git+hg' part would essentially be ignored when it's getting set
up in the 'get_protocol' and 'get_downloadclient' functions. With this
patch it is possible to have a source link with '::' in it, however it
is not possible to have a filename with '::', which is the current
behavior.
Signed-off-by: Allan McRae <allan@archlinux.org>
Prevents trust being spoofed by using TRUST_FULLY in the signatory's name
or in an added notation.
Fixes FS#41147.
Signed-off-by: Allan McRae <allan@archlinux.org>
This introduces support for architecture-specific conflicts, depends,
optdepends, makedepends, replaces, and conflicts by appending "_$CARCH"
to the array name. For example, in the global section:
arch=('i686' 'x86_64')
depends=('foo')
depends_x86_64=('bar')
This will generate depends of 'foo' and 'bar' on x86_64, but only 'foo'
on i686. Moreover, this is supported in the package functions with the
same heuristics as the generic names, e.g.
...
arch=('i686' 'x86_64')
depends=('foo')
...
package_somepkg() {
depends_x86_64=('bar')
...
}
Again, will cause x86_64 to have depends of 'foo' and 'bar', but only
'foo' for i686.
Break apart each of the blocks into their own separate functions. And,
instead of the hand crafted eval statements, reuse the logic from
pkgbuild-introspection[0] to abstract away the complexities of parsing
bash.
This commit fixes at least 3 bugs in check_sanity:
1) The wrong variable is shown for the error which would be thrown
when, e.g. pkgname=('foopkg' 'bar^pkg')
2) The "arch" variable is not sanity checked when the PKGBUILD has
an arch override, but only one output package.
3) https://bugs.archlinux.org/task/40361
Lastly, there's some string changes here which should help to clarify
a few errors emitted in the linting process.
[0] https://github.com/falconindy/pkgbuild-introspection
Dependencies are now handled with --nobuild unless specificially skipped.
Using --verifysource will skip dependency checks unless --syncdeps is
specified.
Fixes FS#35057 and FS#36999.
Signed-off-by: Allan McRae <allan@archlinux.org>
Add an array VCSCLIENTS to makepkg.conf that matches vcs source protocols
to the package containing the software needed for handling the source.
Signed-off-by: Allan McRae <allan@archlinux.org>
The documentation very clearly states that the buildfile has to be in
$PWD, but the error thrown by makepkg reference some mysterious "build
directory". Simplify this check so that we more directly check that the
file being referred to is in fact in our $PWD. Revise the error message
when the check fails to more plainly point out the problem.
Signed-off-by: Allan McRae <allan@archlinux.org>
Add support for following the XDG Base Directory Specification when
reading the user-specific configuration file.
If no $XDG_CONFIG_HOME/pacman/makepkg.conf file exists we fall back to
sourcing $HOME/.makepkg.conf
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
[Allan] Note XDG_CONFIG_HOME takes priority.
Signed-off-by: Allan McRae <allan@archlinux.org>
After resourcing the PKGBUILD in update_pkgver(), set the epoch to 0
if it is empty. Also adjust the get_full_version function to be more
robust if epoch somehow still is empty.
Fixes FS#41022.
Signed-off-by: Allan McRae <allan@archlinux.org>
This ensures packages build on a UTF-8 locale system with non-ASCII character
names can be installed on non-UTF-8 systems.
Signed-off-by: Allan McRae <allan@archlinux.org>
Remove the comment above the signature generation command as the command
is self explanatory and no longer does what the comment says.
Signed-off-by: Allan McRae <allan@archlinux.org>
We expect all source file to lie in $startdir. However, using
"makepkg -p <buildscript>" can currently allows people to specify buildscripts
in other directories. This results in confusion about where other sources
should lie (in startdir or in the directory that the buildscript is in).
Explicitly disable using -p for files in other directories to avoid this issue.
Fixes FS#40293.
Signed-off-by: Allan McRae <allan@archlinux.org>
If validpgpkeys is set in the PKGBUILD, signature checking fails if
the fingerprint of the key used to create the signature is not listed
in the array.
The key's trust value is ignored.
Signed-off-by: Allan McRae <allan@archlinux.org>
Instead of invoking grep multiple times, parse the status file once.
This refactoring also changes the behvaiour when signature verification
fails due to a missing public key: It is now an error instead of a
warning.
Signed-off-by: Allan McRae <allan@archlinux.org>
Provide pkgbase information for non-split packages with pkgbase set.
Also record the version of the "base" package. This is useful for
matching package files to source packages.
Signed-off-by: Allan McRae <allan@archlinux.org>
Packaging outside of fakeroot can result in incorrect permissions for
package files. It has been years since fakeroot issues during packaging
were common, so it is safe to enforce fakeroot usage. If using fakeroot
is impossible for some reason, a two line wrapper script will suffice to
fool makepkg.
Signed-off-by: Allan McRae <allan@archlinux.org>
The days of fakeroot being error ridden are long gone, so there is no
valid reason to run makepkg as root.
Signed-off-by: Allan McRae <allan@archlinux.org>
1. Packagers who want to test the package() function, i.e. to check the content
of the pkg/ folder.
2. Developers who want to check how the packaged version of a program looks, in
other words how the pkg/ folder looks.
3. For users of systems with no port tree, makepkg can ease package creation.
However the resulting archive of the whole makepkg process is often useless.
For all situations, makepkg will usually be called several times. But no archive
(the final package) is needed in any cases. The archive creation ends up being a
waste of time and resource, especially for big applications and slow machines.
Since this option aborts the process prematurely, it behaves like the
-o,--nobuild option, i.e. any other option acting on later stages in the process
will be automatically discarded. For --noarchive, it means that in
$ makepkg --noarchive --install
the '--install' option does not do anything.
Signed-off-by: Pierre Neidhardt <ambrevar@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Previously, install_package() return code was either used as exit code or
ignored. This was rather confusing. The return code is now always ignored and a
comment on install_package() has been added.
Signed-off-by: Pierre Neidhardt <ambrevar@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Files hosted on kernel.org only provide signatures for the uncompressed tarball.
Support this scheme by transparently uncompressing the archives and piping
the data into gpg.
Signed-off-by: Allan McRae <allan@archlinux.org>
I noticed when I built a kernel package with options 'strip' and 'debug' that
the debug package was missing the debug information for the kernel modules.
This patch adds kernel modules to the targets for 'strip' and is compatible
with the split-out debug information packages.
v2: Correct logic error -- did a 'continue' after the 2nd-level case statement
instead of in the default case.
v3: Oops, forgot to terminate outer case. Ran this version through the test
suite and all tests passed.
Signed-off-by: Steven Noonan <steven@uplinklabs.net>
Signed-off-by: Allan McRae <allan@archlinux.org>
makepkg only aborts on errors during PKGBUILD functions so the remaining
"|| true" statements are unneeded.
Signed-off-by: Allan McRae <allan@archlinux.org>
It turns out that you should refer to variables by their actual name...
Introduced in commit a521cea9.
FS#38414.
Signed-off-by: Allan McRae <allan@archlinux.org>
FS#34240. This is useful for translators and has little cost to us since
we moved to transifex for translations.
Signed-off-by: Allan McRae <allan@archlinux.org>
If the user has "armor" in thier gpg.conf, makepkg will create an
ascii-armored signature. Use --no-armor in the gpg call to avoid.
FS#38503.
Signed-off-by: Allan McRae <allan@archlinux.org>
Forcing vim users to view files with a tabstop of 2 seems really
unnecessary when noet is set. I find it much easier to read code with
ts=4 and I dislike having to override the modeline by hand.
Command run:
find . -type f -exec sed -i '/vim.* noet/s# ts=2 sw=2##' {} +
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Allan McRae <allan@archlinux.org>