Arch Linux User Repository

Hello, cannot install the package - there is a md5sum mismatch. I know very little about packaging, but am ready to help with this if I can.

@solatis thank you for looking into it.

After looking into it myself by reading the wiki and examples like firefox-nightly, I think it would be best not validate it and instead wait for an official upstream tarball/zip where a signature file would ideally be present.

So for now, comparing the md5 digests within the .deb and listing the sha2 digest suffices

@PanisSupraOmnia I'll take care of it!

@Nu4425 I'm trying to see how that works, is there any tooling in PKGBUILD that allows me to verify .deb package signatures of embedded files? I cannot use the validpgpkeys construct as that verifies the signatures on a Arch-package level, not the embedded files inside the .deb. The process is basically to extract the _gpgorigin out of the archive, and verify it using

gpg --verify ./_gpgorigin ./debian-binary ./control.tar.gz ./data.tar.gz

Is there something that automates that?

Hi @solatis, I noticed that in one of the recent package updates where you cleaned up the PKGBUILD you changed it to use the msg2 and error subroutines. These are not part of makepkg's stable public API, and so they should not be used in PKGBUILDs, per the wiki.

@solatis thank you for that! Also, as another improvement, would you consider using cloudflare's official pgp fingerprint provided at "https://pkg.cloudflareclient.com/pubkey.gpg" during the build process for validation? The fingerprint can be listed through

curl https://pkg.cloudflareclient.com/pubkey.gpg | gpg --show-keys

As it is officially signed and is a RSA-4096 key, I think using this key would make this package official therefore providing a higher degree of security.

@Nu4425 your wish is my command. :)

The md5sum is what the original apt package (for Ubuntu focal) uses to validate the package, and there's something to be said for using the "official" md5sums. Having said that, I've added a few improvements:

• Use a sha256sum in addition to the official md5sum;
• Use the packaged md5sums for all the individual files to validate.

I've also tidied up the /usr/usr garbage output, and include the official changelog in the package changelog (pacman -Qc cloudflare-warp-bin should now show the proper changelog).

Let me know if anyone has any issues.

Hi @solatis, the package builds and installs just fine but I noticed the digest for this package was produced using md5 which is proven to be broken. Do you mind using a sha2 or sha3 digest instead? Thanks!

Thanks @PanisSupraOmnia, i've released an update to the package which addresses quite a few of these. I added cloudflare-warp as a conflicting package, but the package appears to be gone anyway?

@a22a-dev, please try again with the update; i've now changed the url / validation to exactly the URL ubuntu focal uses, and the same md5sum that it uses.

I am unable to install this, gives validation error, and even fails to download the package altogther