author | Techcable | 2023-01-19 00:00:49 -0700 |
---|---|---|
committer | Techcable | 2023-01-19 00:00:49 -0700 |
commit | e90fed8d9ab5a90d72361af65cc174e32f09694b (patch) | |
tree | 278718c58dceac19073c07e9768eb2c2c51f9de4 | |
parent | 597076a606b4c3b643941737292a7a6f8b5409e5 (diff) | |
download | aur-e90fed8d9ab5a90d72361af65cc174e32f09694b.tar.gz |
Verify signatures with minisign
-rw-r--r-- | .SRCINFO | 3 | ||||
-rw-r--r-- | PKGBUILD | 37 |
2 files changed, 25 insertions, 15 deletions
@@ -1,6 +1,6 @@ pkgbase = zig-dev-bin pkgdesc = A general-purpose programming language and toolchain for maintaining robust, optimal, and reusable software - pkgver = 0.11.0_dev.681+f02073434 + pkgver = 0.11.0_dev.1364+72c09b7b3 pkgrel = 1 epoch = 1 url = https://ziglang.org/ @@ -9,6 +9,7 @@ pkgbase = zig-dev-bin license = MIT makedepends = curl makedepends = jq + makedepends = minisign provides = zig conflicts = zig options = !strip @@ -9,13 +9,13 @@ pkgname=zig-dev-bin # "newer" greater than the new version scheme epoch=1 # NOTE: Hyphen -> underscore -pkgver=0.11.0_dev.681+f02073434 +pkgver=0.11.0_dev.1364+72c09b7b3 pkgrel=1 pkgdesc="A general-purpose programming language and toolchain for maintaining robust, optimal, and reusable software" arch=('x86_64' 'aarch64') url="https://ziglang.org/" license=('MIT') -makedepends=(curl jq) +makedepends=(curl jq minisign) options=('!strip') provides=('zig') conflicts=('zig') @@ -25,18 +25,21 @@ conflicts=('zig') source=( "hello.zig" ) -# GPG verification is not currently possible because Zig binaries aren't signed # Hardcoded sha256 not possible because this is a an auto-updating (nightly) package # -# Zig Issue for signed binaries: https://github.com/ziglang/zig/issues/4945 +# Zig currently uses minisign to sign the binaries, which pacman doesn't support +# See zig issue for signed binaries: https://github.com/ziglang/zig/issues/4945 sha256sums=( "SKIP" ) +# https://ziglang.org/download/ +ZIG_MINISIGN_KEY="RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U"; + # Prints a warning message to stderr warning() { - echo -en "\e[33;1mWARNING\e[0m: "; - echo "$@"; + echo -en "\e[33;1mWARNING\e[0m: " >&2; + echo "$@" >&2; } pkgver() { 
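Review bot: `ZIG_MINISIGN_KEY` is the trust root of the new check, but the comment above it only gives a URL; since that page is served by the same origin as the tarballs, the key is effectively trust-on-first-use and is only worth something because it is pinned by value in the PKGBUILD rather than fetched at build time. Suggest saying so and making the pin explicit: `# Pinned Zig minisign public key (copied from https://ziglang.org/download/; verify out-of-band before changing)` and `readonly ZIG_MINISIGN_KEY="RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U"`. With the `warning "No way to GPG/SHA verify…"` call removed from prepare() in this commit, `warning()` appears to have no remaining caller in the visible diff; if nothing outside it uses the helper, it can be dropped. The new comment also says pacman doesn't support minisign, but it is makepkg's source verification (`validpgpkeys`, `.sig`/`.asc` files) that is GPG-only here; pacman is not involved in PKGBUILD source checks.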
@@ -56,25 +59,31 @@ prepare() { pushd "${srcdir}" > /dev/null; local index_file="zig-version-index.json"; local newurl="$(jq -r ".master.\"${CARCH}-linux\".tarball" $index_file)"; + local newurl_sig="$newurl.minisig"; local newfile="zig-linux-${CARCH}-${newver}.tar.xz"; - source+=("${newfile}:${newurl}") + local newfile_sig="$newfile.minisig"; + source+=("${newfile}:${newurl}" "${newfile_sig}:${newurl_sig}") local expected_hash="$(jq -r ".master.\"${CARCH}-linux\".shasum" "$index_file")" - sha256sums+=("$newhash") - if [[ -f "$newfile" ]]; then - echo "Reusing existing $newfile"; + sha256sums+=("$expected_hash" "SKIP") + if [[ -f "$newfile" && -f "$newfile_sig" ]]; then + echo "Reusing existing $newfile (and signature)"; else - echo "Downloading Zig $newver from $newurl" >&2; + echo "Downloading Zig $newver from $newurl"; curl -Ss "$newurl" -o "$newfile"; + echo "Downloading signature..."; + curl -Ss "$newurl_sig" -o "$newfile_sig"; fi; - echo "" >&2 - warning "No way to GPG/SHA verify the version ahead of time"; - echo "See Zig issue https://github.com/ziglang/zig/issues/4945 for signed binaries" >&2; echo "" >&2; local actual_hash="$(sha256sum "$newfile" | grep -oE '^\w+')" if [[ "$expected_hash" != "$actual_hash" ]]; then echo "ERROR: Expected hash $expected_hash for $newfile, but got $actual_hash" >&2; exit 1; fi; + echo "Using minisign to check signature"; + if ! minisign -V -P "$ZIG_MINISIGN_KEY" -m "$newfile" -x "$newfile_sig"; then + echo "ERROR: Failed to check signature for $newfile" >&2; + exit 1; + fi echo "Extracting file"; tar -xf "$newfile"; popd > /dev/null; |
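Review bot: The two `curl -Ss` calls in the download branch run without `--fail`, so an HTTP error page for the tarball or the `.minisig` URL is written to `$newfile`/`$newfile_sig` with exit status 0, and the failure only surfaces later as a confusing sha256 or minisign mismatch; because those files keep their version-specific names, the `-f "$newfile" && -f "$newfile_sig"` reuse branch will then pick the bad copies up on every subsequent run until someone deletes them by hand. Suggest `curl -Ssf "$newurl" -o "$newfile"` and `curl -Ssf "$newurl_sig" -o "$newfile_sig"`, and, unless makepkg's `set -e` is being relied on here, appending `|| exit 1` to each so a failed download aborts before any partial file is left in place. The minisign call itself looks right: it verifies against the pinned key by value, runs after the sha256 comparison, and precedes `tar -xf` on the same file. prepare() opens before this hunk and its closing brace lies outside it.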