Merge branch 'verify-in-chroot' into 'master'

feat(makechrootpkg): Download and verify in chroot Closes #225 and #224 See merge request archlinux/devtools!246
feat(src/makechrootpkg.in): Download and verify in chroot
2025-09-13 18:06:19 +02:00 · 2025-08-06 15:08:00 +00:00 · 2024-11-27 22:37:45 +00:00
1 changed files with 11 additions and 12 deletions
--- a/src/makechrootpkg.in
+++ b/src/makechrootpkg.in
@@ -19,7 +19,7 @@ shopt -s nullglob
 default_makepkg_args=(--syncdeps --noconfirm --log --holdver --skipinteg)
 makepkg_args=("${default_makepkg_args[@]}")
-verifysource_args=()
+verifysource_args=(--syncdeps --noconfirm --log)
 chrootdir=
 passeddir=
 makepkg_user=
@@ -175,7 +175,7 @@ prepare_chroot() {
 	printf >>"$copydir/etc/passwd" 'builduser:x:%d:%d:builduser:/build:/bin/bash\n' "$builduser_uid" "$builduser_gid"
 	printf >>"$copydir/etc/shadow" 'builduser:!!:%d::::::\n' "$(( $(date -u +%s) / 86400 ))"
-	$install -d "$copydir"/{build,startdir,{pkg,srcpkg,src,log}dest}
+	$install -d "$copydir"/{build,startdir,{pkg,srcpkg,src,log}dest,verify/{gnupg,ssh}}
 	sed -e '/^MAKEFLAGS=/d' -e '/^PACKAGER=/d' -i "$copydir/etc/makepkg.conf"
 	for x in BUILDDIR=/build PKGDEST=/pkgdest SRCPKGDEST=/srcpkgdest SRCDEST=/srcdest LOGDEST=/logdest \
@@ -247,15 +247,10 @@ _chrootnamcap() {
 	done
 }
-download_sources() {
+_download_sources() {
 	setup_workdir
 	chown "$makepkg_user:" "$WORKDIR"
 	# Ensure sources are downloaded
-	sudo -u "$makepkg_user" --preserve-env=GNUPGHOME,SSH_AUTH_SOCK \
+	sudo -u builduser env SRCDEST="/srcdest" GNUPGHOME="/verify/gnupg" SSH_AUTH_SOCK="/verify/ssh" \
-		env SRCDEST="$SRCDEST" BUILDDIR="$WORKDIR" \
+		bash -c "cd /startdir; makepkg --config=/etc/makepkg.conf --verifysource -o ${verifysource_args[*]}"
 		makepkg --config="$copydir/etc/makepkg.conf" --verifysource -o "${verifysource_args[@]}" ||
 		die "Could not download sources."
 }
 move_logfiles() {
@@ -352,6 +347,7 @@ umask 0022
 ORIG_HOME=$HOME
 IFS=: read -r _ _ _ _ _ HOME _ < <(getent passwd "${SUDO_USER:-$USER}")
 load_makepkg_config
 DEVTOOLS_GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
 HOME=$ORIG_HOME
 # Use PKGBUILD directory if these don't exist
@@ -383,8 +379,6 @@ if [[ "$(id -u "$makepkg_user")" == 0 ]]; then
 	exit 1
 fi
 download_sources
 prepare_chroot
 nspawn_build_args=(
@@ -396,6 +390,11 @@ nspawn_build_args=(
 	"${bindmounts_tmpfs[@]}"
 )
 arch-nspawn "$copydir" \
 	"${nspawn_build_args[@]}" --bind-ro="${DEVTOOLS_GNUPGHOME//:/\\:}:/verify/gnupg" --bind-ro="${SSH_AUTH_SOCK//:/\\:}:/verify/ssh" \
 	bash -c "$(declare -f _download_sources); verifysource_args=(${verifysource_args[*]}); _download_sources" ||
 	die "Could not download sources."
 if arch-nspawn "$copydir" \
 	"${nspawn_build_args[@]}" \
 	/chrootbuild "${makepkg_args[@]}"