Merge branch 'verify-in-chroot' into 'master'

feat(makechrootpkg): Download and verify in chroot

Closes #225 and #224

See merge request archlinux/devtools!246

contrib/completion/bash/devtools.in

@@ -150,7 +150,6 @@ _pkgctl_cmds=(
 	db
 	diff
 	issue
-	license
 	release
 	repo
 	search

src/commitpkg.in

@@ -155,7 +155,7 @@ if (( ${#needsversioning[*]} )); then
 		if [[ ! -f "${file}" ]]; then
 			continue
 		fi
-		if ! git ls-files --error-unmatch "$file" >/dev/null; then
+		if ! git ls-files --error-unmatch "$file"; then
 			die "%s is not under version control" "$file"
 		fi
 	done

src/lib/build/build.sh

@@ -312,7 +312,7 @@ pkgctl_build() {
 
 	# Update pacman cache for auto-detection
 	if [[ -z ${REPO} ]]; then
-		update_pacman_repo_cache stable
+		update_pacman_repo_cache multilib
 	# Check valid repos if not resolved dynamically
 	elif ! in_array "${REPO}" "${DEVTOOLS_VALID_REPOS[@]}"; then
 		die "Invalid repository target: %s" "${REPO}"

src/lib/db/remove.sh

@@ -51,6 +51,7 @@ pkgctl_db_remove() {
 	local partial=0
 	local confirm=1
 	local dbscripts_options=()
+	local lookup_repo=multilib
 	local pkgname
 
 	# option checking
@@ -105,13 +106,13 @@ pkgctl_db_remove() {
 				update_pacman_repo_cache unstable
 				;;
 			*-staging)
-				update_pacman_repo_cache staging
+				update_pacman_repo_cache multilib-staging
 				;;
 			*-testing)
-				update_pacman_repo_cache testing
+				update_pacman_repo_cache multilib-testing
 				;;
 			*)
-				update_pacman_repo_cache stable
+				update_pacman_repo_cache multilib
 				;;
 		esac
 

src/lib/license/setup.sh

@@ -188,13 +188,10 @@ path = [
     "README.md",
     "keys/**",
     ".SRCINFO",
-    ".gitignore",
     ".nvchecker.toml",
     "*.install",
     "*.sysusers",
-    "*sysusers.conf",
     "*.tmpfiles",
-    "*tmpfiles.conf",
     "*.logrotate",
     "*.pam",
     "*.service",

src/lib/release.sh

@@ -124,7 +124,7 @@ pkgctl_release() {
 
 	# Update pacman cache for auto-detection
 	if [[ -z ${REPO} ]]; then
-		update_pacman_repo_cache stable
+		update_pacman_repo_cache multilib
 	# Check valid repos if not resolved dynamically
 	elif ! in_array "${REPO}" "${DEVTOOLS_VALID_REPOS[@]}"; then
 		die "Invalid repository target: %s" "${REPO}"

src/lib/util/machine.sh

@@ -1,26 +0,0 @@
-#!/hint/bash
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-[[ -z ${DEVTOOLS_INCLUDE_UTIL_MACHINE_SH:-} ]] || return 0
-DEVTOOLS_INCLUDE_UTIL_MACHINE_SH=1
-
-_DEVTOOLS_LIBRARY_DIR=${_DEVTOOLS_LIBRARY_DIR:-@pkgdatadir@}
-# shellcheck source=src/lib/common.sh
-source "${_DEVTOOLS_LIBRARY_DIR}"/lib/common.sh
-
-
-set -eo pipefail
-
-machine_get_hardware_name() {
-	uname --machine
-}
-
-machine_has_multilib() {
-	case "$(machine_get_hardware_name)" in
-		x86_64*)
-			return 0
-			;;
-	esac
-	return 1
-}

src/lib/util/pacman.sh

@@ -8,8 +8,6 @@ DEVTOOLS_INCLUDE_UTIL_PACMAN_SH=1
 _DEVTOOLS_LIBRARY_DIR=${_DEVTOOLS_LIBRARY_DIR:-@pkgdatadir@}
 # shellcheck source=src/lib/common.sh
 source "${_DEVTOOLS_LIBRARY_DIR}"/lib/common.sh
-# shellcheck source=src/lib/util/machine.sh
-source "${_DEVTOOLS_LIBRARY_DIR}"/lib/util/machine.sh
 
 set -e
 
@@ -20,8 +18,7 @@ readonly _DEVTOOLS_MAKEPKG_CONF_DIR=${_DEVTOOLS_LIBRARY_DIR}/makepkg.conf.d
 
 
 update_pacman_repo_cache() {
-	local repo=${1:-stable}
+	local repo=${1:-multilib}
-	repo=$(pacman_resolve_virtual_repo_name "${repo}")
 
 	mkdir -p "${_DEVTOOLS_PACMAN_CACHE_DIR}"
 	msg "Updating pacman database cache"
@@ -35,8 +32,7 @@ update_pacman_repo_cache() {
 
 get_pacman_repo_from_pkgbuild() {
 	local path=${1:-PKGBUILD}
-	local repo=${2:-stable}
+	local repo=${2:-multilib}
-	repo=$(pacman_resolve_virtual_repo_name "${repo}")
 	local -a pkgnames
 
 	# shellcheck source=contrib/makepkg/PKGBUILD.proto
@@ -76,7 +72,6 @@ get_pkgnames_from_repo_pkgbase() {
 
 	# update the pacman repo cache if it doesn't exist yet
 	if [[ ! -d "${_DEVTOOLS_PACMAN_CACHE_DIR}" ]]; then
-		# TODO: universe includes multilib, switch for architecture
 		update_pacman_repo_cache universe
 	fi
 
@@ -96,23 +91,3 @@ get_pkgnames_from_repo_pkgbase() {
 	printf "%s\n" "${pkgnames[@]}"
 	return 0
 }
-
-pacman_resolve_virtual_repo_name() {
-	local repo=$1
-
-	local repo_class=extra
-	if machine_has_multilib; then
-		repo_class=multilib
-	fi
-
-	case "${repo}" in
-		stable)
-			repo=${repo_class}
-			;;
-		testing|staging)
-			repo="${repo_class}-${repo}"
-			;;
-	esac
-
-	printf "%s" "${repo}"
-}

src/lib/valid-tags.sh

@@ -6,7 +6,6 @@
 # shellcheck disable=2034
 DEVTOOLS_VALID_BINARY_ARCHES=(
 	x86_64
-	aarch64
 )
 
 # shellcheck disable=2034

src/makechrootpkg.in

@@ -19,7 +19,7 @@ shopt -s nullglob
 
 default_makepkg_args=(--syncdeps --noconfirm --log --holdver --skipinteg)
 makepkg_args=("${default_makepkg_args[@]}")
-verifysource_args=()
+verifysource_args=(--syncdeps --noconfirm --log)
 chrootdir=
 passeddir=
 makepkg_user=
@@ -175,7 +175,7 @@ prepare_chroot() {
 	printf >>"$copydir/etc/passwd" 'builduser:x:%d:%d:builduser:/build:/bin/bash\n' "$builduser_uid" "$builduser_gid"
 	printf >>"$copydir/etc/shadow" 'builduser:!!:%d::::::\n' "$(( $(date -u +%s) / 86400 ))"
 
-	$install -d "$copydir"/{build,startdir,{pkg,srcpkg,src,log}dest}
+	$install -d "$copydir"/{build,startdir,{pkg,srcpkg,src,log}dest,verify/{gnupg,ssh}}
 
 	sed -e '/^MAKEFLAGS=/d' -e '/^PACKAGER=/d' -i "$copydir/etc/makepkg.conf"
 	for x in BUILDDIR=/build PKGDEST=/pkgdest SRCPKGDEST=/srcpkgdest SRCDEST=/srcdest LOGDEST=/logdest \
@@ -247,15 +247,10 @@ _chrootnamcap() {
 	done
 }
 
-download_sources() {
+_download_sources() {
-	setup_workdir
-	chown "$makepkg_user:" "$WORKDIR"
-
 	# Ensure sources are downloaded
-	sudo -u "$makepkg_user" --preserve-env=GNUPGHOME,SSH_AUTH_SOCK \
+	sudo -u builduser env SRCDEST="/srcdest" GNUPGHOME="/verify/gnupg" SSH_AUTH_SOCK="/verify/ssh" \
-		env SRCDEST="$SRCDEST" BUILDDIR="$WORKDIR" \
+		bash -c "cd /startdir; makepkg --config=/etc/makepkg.conf --verifysource -o ${verifysource_args[*]}"
-		makepkg --config="$copydir/etc/makepkg.conf" --verifysource -o "${verifysource_args[@]}" ||
-		die "Could not download sources."
 }
 
 move_logfiles() {
@@ -352,6 +347,7 @@ umask 0022
 ORIG_HOME=$HOME
 IFS=: read -r _ _ _ _ _ HOME _ < <(getent passwd "${SUDO_USER:-$USER}")
 load_makepkg_config
+DEVTOOLS_GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
 HOME=$ORIG_HOME
 
 # Use PKGBUILD directory if these don't exist
@@ -383,8 +379,6 @@ if [[ "$(id -u "$makepkg_user")" == 0 ]]; then
 	exit 1
 fi
 
-download_sources
-
 prepare_chroot
 
 nspawn_build_args=(
@@ -396,6 +390,11 @@ nspawn_build_args=(
 	"${bindmounts_tmpfs[@]}"
 )
 
+arch-nspawn "$copydir" \
+	"${nspawn_build_args[@]}" --bind-ro="${DEVTOOLS_GNUPGHOME//:/\\:}:/verify/gnupg" --bind-ro="${SSH_AUTH_SOCK//:/\\:}:/verify/ssh" \
+	bash -c "$(declare -f _download_sources); verifysource_args=(${verifysource_args[*]}); _download_sources" ||
+	die "Could not download sources."
+
 if arch-nspawn "$copydir" \
 	"${nspawn_build_args[@]}" \
 	/chrootbuild "${makepkg_args[@]}"