Merge branch 'verify-in-chroot' into 'master'

feat(makechrootpkg): Download and verify in chroot Closes #225 and #224 See merge request archlinux/devtools!246
fix(license): add .gitignore to REUSE defaults
2025-09-12 17:36:18 +02:00 · 2025-08-18 12:16:50 +00:00 · 2025-08-08 14:13:32 +02:00 · 2024-11-27 22:37:45 +00:00
2 changed files with 12 additions and 12 deletions
--- a/src/lib/license/setup.sh
+++ b/src/lib/license/setup.sh
@@ -188,6 +188,7 @@ path = [
    "README.md",
    "keys/**",
    ".SRCINFO",
+    ".gitignore",
    ".nvchecker.toml",
    "*.install",
    "*.sysusers",
--- a/src/makechrootpkg.in
+++ b/src/makechrootpkg.in
@@ -19,7 +19,7 @@ shopt -s nullglob

 default_makepkg_args=(--syncdeps --noconfirm --log --holdver --skipinteg)
 makepkg_args=("${default_makepkg_args[@]}")
-verifysource_args=()
+verifysource_args=(--syncdeps --noconfirm --log)
 chrootdir=
 passeddir=
 makepkg_user=
@@ -175,7 +175,7 @@ prepare_chroot() {
 	printf >>"$copydir/etc/passwd" 'builduser:x:%d:%d:builduser:/build:/bin/bash\n' "$builduser_uid" "$builduser_gid"
 	printf >>"$copydir/etc/shadow" 'builduser:!!:%d::::::\n' "$(( $(date -u +%s) / 86400 ))"

-	$install -d "$copydir"/{build,startdir,{pkg,srcpkg,src,log}dest}
+	$install -d "$copydir"/{build,startdir,{pkg,srcpkg,src,log}dest,verify/{gnupg,ssh}}

 	sed -e '/^MAKEFLAGS=/d' -e '/^PACKAGER=/d' -i "$copydir/etc/makepkg.conf"
 	for x in BUILDDIR=/build PKGDEST=/pkgdest SRCPKGDEST=/srcpkgdest SRCDEST=/srcdest LOGDEST=/logdest \
@@ -247,15 +247,10 @@ _chrootnamcap() {
 	done
 }

-download_sources() {
-	setup_workdir
-	chown "$makepkg_user:" "$WORKDIR"
-
+_download_sources() {
 	# Ensure sources are downloaded
-	sudo -u "$makepkg_user" --preserve-env=GNUPGHOME,SSH_AUTH_SOCK \
-		env SRCDEST="$SRCDEST" BUILDDIR="$WORKDIR" \
-		makepkg --config="$copydir/etc/makepkg.conf" --verifysource -o "${verifysource_args[@]}" ||
-		die "Could not download sources."
+	sudo -u builduser env SRCDEST="/srcdest" GNUPGHOME="/verify/gnupg" SSH_AUTH_SOCK="/verify/ssh" \
+		bash -c "cd /startdir; makepkg --config=/etc/makepkg.conf --verifysource -o ${verifysource_args[*]}"
 }

 move_logfiles() {
@@ -352,6 +347,7 @@ umask 0022
 ORIG_HOME=$HOME
 IFS=: read -r _ _ _ _ _ HOME _ < <(getent passwd "${SUDO_USER:-$USER}")
 load_makepkg_config
+DEVTOOLS_GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
 HOME=$ORIG_HOME

 # Use PKGBUILD directory if these don't exist
@@ -383,8 +379,6 @@ if [[ "$(id -u "$makepkg_user")" == 0 ]]; then
 	exit 1
 fi

-download_sources
-
 prepare_chroot

 nspawn_build_args=(
@@ -396,6 +390,11 @@ nspawn_build_args=(
 	"${bindmounts_tmpfs[@]}"
 )

+arch-nspawn "$copydir" \
+	"${nspawn_build_args[@]}" --bind-ro="${DEVTOOLS_GNUPGHOME//:/\\:}:/verify/gnupg" --bind-ro="${SSH_AUTH_SOCK//:/\\:}:/verify/ssh" \
+	bash -c "$(declare -f _download_sources); verifysource_args=(${verifysource_args[*]}); _download_sources" ||
+	die "Could not download sources."
+
 if arch-nspawn "$copydir" \
 	"${nspawn_build_args[@]}" \
 	/chrootbuild "${makepkg_args[@]}"