Send patches - preferably formatted by git format-patch - to patches at archlinux32 dot org.
summaryrefslogtreecommitdiff
path: root/src/commitpkg.in
diff options
context:
space:
mode:
Diffstat (limited to 'src/commitpkg.in')
-rw-r--r--src/commitpkg.in30
1 files changed, 30 insertions, 0 deletions
diff --git a/src/commitpkg.in b/src/commitpkg.in
index ef30544..6b9d727 100644
--- a/src/commitpkg.in
+++ b/src/commitpkg.in
@@ -4,6 +4,33 @@
m4_include(lib/common.sh)
+check_pkgbuild_validity() {
+ # shellcheck source=contrib/makepkg/PKGBUILD.proto
+ . ./PKGBUILD
+
+ # skip when there are no sources available
+ if (( ! ${#source[@]} )); then
+ return
+ fi
+
+ # validate sources hash algo is at least > sha1
+ local bad_algos=("cksums" "md5sums" "sha1sums")
+ local good_hash_algo=false
+
+ # from makepkg libmakepkg/util/schema.sh
+ for integ in "${known_hash_algos[@]}"; do
+ local sumname="${integ}sums"
+ if [[ -n ${!sumname} ]] && ! in_array "${sumname}" "${bad_algos[@]}"; then
+ good_hash_algo=true
+ break
+ fi
+ done
+
+ if ! $good_hash_algo; then
+ die "PKGBUILD lacks a secure cryptographic checksum, insecure algorithms: ${bad_algos[*]}"
+ fi
+}
+
# Source makepkg.conf; fail if it is not found
if [[ -r '/etc/makepkg.conf' ]]; then
# shellcheck source=config/makepkg/x86_64.conf
@@ -121,6 +148,9 @@ for _arch in "${arch[@]}"; do
fi
done
+# check for PKGBUILD standards
+check_pkgbuild_validity
+
if [[ -z $server ]]; then
server='repos.archlinux.org'
fi