Merge branch 'verify-in-chroot' into 'master'

feat(makechrootpkg): Download and verify in chroot Closes #225 and #224 See merge request archlinux/devtools!246
fix(completion): fix bash completion for the license subcommand
2025-09-12 17:36:18 +02:00 · 2025-08-06 15:08:00 +00:00 · 2025-08-05 17:48:12 +02:00 · 2025-08-01 11:26:57 +02:00 · 2025-07-28 23:38:32 -04:00 · 2024-11-27 22:37:45 +00:00
4 changed files with 15 additions and 13 deletions
--- a/contrib/completion/bash/devtools.in
+++ b/contrib/completion/bash/devtools.in
@@ -150,6 +150,7 @@ _pkgctl_cmds=(
 	db
 	diff
 	issue
+	license
 	release
 	repo
 	search
--- a/src/commitpkg.in
+++ b/src/commitpkg.in
@@ -155,7 +155,7 @@ if (( ${#needsversioning[*]} )); then
 		if [[ ! -f "${file}" ]]; then
 			continue
 		fi
-		if ! git ls-files --error-unmatch "$file"; then
+		if ! git ls-files --error-unmatch "$file" >/dev/null; then
 			die "%s is not under version control" "$file"
 		fi
 	done
--- a/src/lib/license/setup.sh
+++ b/src/lib/license/setup.sh
@@ -191,7 +191,9 @@ path = [
    ".nvchecker.toml",
    "*.install",
    "*.sysusers",
+    "*sysusers.conf",
    "*.tmpfiles",
+    "*tmpfiles.conf",
    "*.logrotate",
    "*.pam",
    "*.service",
--- a/src/makechrootpkg.in
+++ b/src/makechrootpkg.in
@@ -19,7 +19,7 @@ shopt -s nullglob

 default_makepkg_args=(--syncdeps --noconfirm --log --holdver --skipinteg)
 makepkg_args=("${default_makepkg_args[@]}")
-verifysource_args=()
+verifysource_args=(--syncdeps --noconfirm --log)
 chrootdir=
 passeddir=
 makepkg_user=
@@ -175,7 +175,7 @@ prepare_chroot() {
 	printf >>"$copydir/etc/passwd" 'builduser:x:%d:%d:builduser:/build:/bin/bash\n' "$builduser_uid" "$builduser_gid"
 	printf >>"$copydir/etc/shadow" 'builduser:!!:%d::::::\n' "$(( $(date -u +%s) / 86400 ))"

-	$install -d "$copydir"/{build,startdir,{pkg,srcpkg,src,log}dest}
+	$install -d "$copydir"/{build,startdir,{pkg,srcpkg,src,log}dest,verify/{gnupg,ssh}}

 	sed -e '/^MAKEFLAGS=/d' -e '/^PACKAGER=/d' -i "$copydir/etc/makepkg.conf"
 	for x in BUILDDIR=/build PKGDEST=/pkgdest SRCPKGDEST=/srcpkgdest SRCDEST=/srcdest LOGDEST=/logdest \
@@ -247,15 +247,10 @@ _chrootnamcap() {
 	done
 }

-download_sources() {
-	setup_workdir
-	chown "$makepkg_user:" "$WORKDIR"
-
+_download_sources() {
 	# Ensure sources are downloaded
-	sudo -u "$makepkg_user" --preserve-env=GNUPGHOME,SSH_AUTH_SOCK \
-		env SRCDEST="$SRCDEST" BUILDDIR="$WORKDIR" \
-		makepkg --config="$copydir/etc/makepkg.conf" --verifysource -o "${verifysource_args[@]}" ||
-		die "Could not download sources."
+	sudo -u builduser env SRCDEST="/srcdest" GNUPGHOME="/verify/gnupg" SSH_AUTH_SOCK="/verify/ssh" \
+		bash -c "cd /startdir; makepkg --config=/etc/makepkg.conf --verifysource -o ${verifysource_args[*]}"
 }

 move_logfiles() {
@@ -352,6 +347,7 @@ umask 0022
 ORIG_HOME=$HOME
 IFS=: read -r _ _ _ _ _ HOME _ < <(getent passwd "${SUDO_USER:-$USER}")
 load_makepkg_config
+DEVTOOLS_GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
 HOME=$ORIG_HOME

 # Use PKGBUILD directory if these don't exist
@@ -383,8 +379,6 @@ if [[ "$(id -u "$makepkg_user")" == 0 ]]; then
 	exit 1
 fi

-download_sources
-
 prepare_chroot

 nspawn_build_args=(
@@ -396,6 +390,11 @@ nspawn_build_args=(
 	"${bindmounts_tmpfs[@]}"
 )

+arch-nspawn "$copydir" \
+	"${nspawn_build_args[@]}" --bind-ro="${DEVTOOLS_GNUPGHOME//:/\\:}:/verify/gnupg" --bind-ro="${SSH_AUTH_SOCK//:/\\:}:/verify/ssh" \
+	bash -c "$(declare -f _download_sources); verifysource_args=(${verifysource_args[*]}); _download_sources" ||
+	die "Could not download sources."
+
 if arch-nspawn "$copydir" \
 	"${nspawn_build_args[@]}" \
 	/chrootbuild "${makepkg_args[@]}"
Author	SHA1	Message	Date
Vekhir --	03df8d70b6	Merge branch 'verify-in-chroot' into 'master' feat(makechrootpkg): Download and verify in chroot Closes #225 and #224 See merge request archlinux/devtools!246	2025-08-06 15:08:00 +00:00
Jakub Klinkovský	fc56ebedf3	fix(completion): fix bash completion for the license subcommand Signed-off-by: Jakub Klinkovský <lahwaacz@archlinux.org>	2025-08-05 17:48:12 +02:00
Christian Heusel	01757e6904	fix(commitpkg): Quiet git ls-files output So far all files in `needsversioning=(...)` have been printed to the command line if they were found, which is not useful, especially now that we have more files present there. It makes sense however to keep the standard error output, as this gives a actionable suggestion what one should to to fix the issue: > error: pathspec 'PKGBUILD' did not match any file(s) known to git > Did you forget to 'git add'? Fixes #281 Signed-off-by: Christian Heusel <christian@heusel.eu>	2025-08-01 11:26:57 +02:00
Daniel M. Capella	c5fe8ff3e6	feat(license): Extend matches for sysusers/tmpfiles configs Eg. to match: - sysusers.conf - $pkgname.sysusers - $pkgname.sysusers.conf	2025-07-28 23:38:32 -04:00
Vekhir	f73b0510d1	feat(src/makechrootpkg.in): Download and verify in chroot Downloading the sources and verifying them on the host system is easy and straightforward, but does have some drawbacks. Use of custom DLAGENTS for downloading might require additional tools such as curl or wget to retrieve the source. Those have to be installed on the host system; declaring them in makedepends only works when using makepkg directly. This isn't much of an issue with curl as it happens to be part of base (i.e. always installed), but wget isn't. The same applies to VCS sources. This issue became apparent rather soon, since it meant that non-git sources simply couldn't be downloaded if not installed beforehand (when using makechrootpkg). The solution for that was to make devtools depend on all VCS tools. Another recent example is the introduction of the verify() function which allows arbitrary signature verification (like minisign). Making devtools depend on all VCS tools, all download clients and all signature verifiers is hardly an appropriate solution. Instead, put the downloading and verification into the chroot where the build is sandboxed and can install all the programs it needs. Conceptually, the idea is simple: Call download_sources from within the chroot. Practically, it's more complicated because the chroot cannot directly access devtools internal functions. However, this problem isn't new, so the solution is similar to _chrootbuild. Since we are in the chroot, we don't need the BUILDDIR - we don't build anything anyhow. The config doesn't need $copydir and the die call is moved outside the function. The function is also prefixed with an underscore to show that it's being used in the chroot. We also don't preserve the environment, instead bind the GPG key directory and SSH access keys to the readonly directory /verify (same name as the verify() function). More on that below. Lastly, move the function a bit further down since the chroot needs to be ready and the nspawn_build_args defined. The ad-hoc bash command is structured like this: 1. Copy the function declaration (we can't call it directly) 2. Copy verifysource_args literally (we can't access the variable later) 3. Call _download_sources to download and verify. The call to makepkg also gets 3 new arguments: --syncdeps: to download the necessary makedepends. --noconfirm: to automatically do so. --log: to keep the new log for the verify() function. The biggest hurdle, and sortof the only drawback, is to make sure that makepkg has access to the necessary keys for verification. In particular GPG with its web of trust wants to ensure that the provided keys are trustworthy. This is normally done by importing one or several keys into the local keyring. While archlinux-keyring covers that aspect for official packages, keys for other packagers or even the user themself need to be made available within the chroot. For that purpose, the SSH_AUTH_SOCK is bind-ro to /verify/ssh and the GPG keyring to /verify/gnupg. The latter can be either set via GNUPGHOME or, as default, located at $HOME/.gnupg. $HOME within makechrootpkg.in usually refers to /root (because root user), when we need the $HOME for the makepkg user. It is retrieved when calling load_makepkg_config, so also set DEVTOOLS_GNUPGHOME to that. Drawback being that other keyrings will need the same treatment, whereas they essentially just work right now. This is not intended as a breaking change, and I don't believe it leads to breakage. download_sources is only used in makechrootpkg.in, so renaming it is fine. Shellcheck found a few issues which I corrected. No new issues remain. Tested with: genymotion (requires wget for download) libchewing (requires minisign for verify()) devtools (requires access to host GPG keys) All Haskell packages (sanity check)	2024-11-27 22:37:45 +00:00