archrelease: ensure we check the checksum of the package

Signed-off-by: Morten Linderud <foxboron@archlinux.org>
author: Morten Linderud <foxboron@archlinux.org> 2020-05-30 01:59:58 +0200
committer: Levente Polyak <anthraxx@archlinux.org> 2023-03-19 22:02:04 +0100
commit: f7d122044b42b6f296e38dcd37d458d58f33612d (patch)
tree: a66fc398791f23201effe55f0873ad3971dfaeff
parent: b6f5220bed76c9ea9f83f4c6c81ced9977b26d77 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/src/archrelease.in b/src/archrelease.in
index e80271b..55d3726 100644
--- a/src/archrelease.in
+++ b/src/archrelease.in
@@ -42,6 +42,17 @@ if git rev-parse "$pkgver" >/dev/null 2>&1; then
 	die "archrelease: the tag $pkgver already exists in the repository!"
 fi
 
+# If the tag exists we check if it's properly signed and that it
+# matches the working directory PKGBUILD.
+if git tag --verify "$pkgver" &> /dev/null; then
+	cwd_checksum=$(sha256sum PKGBUILD|cut -d' ' -f1)
+	tag_checksum=$(git show $pkgver:PKGBUILD | sha256sum |cut -d' ' -f1)
+	if [[ "$cwd_checksum" != "$tag_checksum" ]]; then
+		die "tagged PKGBUILD is not the same as the working dir PKGBUILD"
+	fi
+	exit 0
+fi
+
 stat_busy "Releasing package"
 printf -v tag_list ", %s" "$@"; tag_list="${tag_list#, }"
 git tag -s -m "archrelease: released $pkgbase-$pkgver to $tag_list"  "$pkgver" || abort
author	Morten Linderud <foxboron@archlinux.org>	2020-05-30 01:59:58 +0200
committer	Levente Polyak <anthraxx@archlinux.org>	2023-03-19 22:02:04 +0100
commit	f7d122044b42b6f296e38dcd37d458d58f33612d (patch)
tree	a66fc398791f23201effe55f0873ad3971dfaeff
parent	b6f5220bed76c9ea9f83f4c6c81ced9977b26d77 (diff)