#1 2015-10-26 23:25:37

StephenBrown2
Member
Registered: 2015-10-26
Posts: 6

Verify my first PKGBUILD, please?

Hi all,

I've created a pair of PKGBUILDs for stoken, "an open source tokencode generator compatible with RSA SecurID 128-bit (AES) tokens. It is a hobbyist project, not affiliated with or endorsed by RSA Security."
More info here: http://stoken.sf.net
And the sources here: https://github.com/cernekee/stoken

PKGBUILDS: https://gist.github.com/StephenBrown2/4 … 89ed1428e2

Aside from the blank variables (I've left them in case I should fill something in that I haven't yet), what say you?

makepkg gives me a couple warnings:

libtool: install: ranlib /home/stephen/ABS/stoken/pkg/stoken//usr/lib/libstoken.a
libtool: warning: remember to run 'libtool --finish /usr/lib'
 /usr/bin/mkdir -p '/home/stephen/ABS/stoken/pkg/stoken//usr/bin'
  /bin/bash ./libtool   --mode=install /usr/bin/install -c stoken stoken-gui '/home/stephen/ABS/stoken/pkg/stoken//usr/bin'
libtool: warning: 'libstoken.la' has not been installed in '/usr/lib'
libtool: install: /usr/bin/install -c .libs/stoken /home/stephen/ABS/stoken/pkg/stoken//usr/bin/stoken
libtool: warning: 'libstoken.la' has not been installed in '/usr/lib'

But I think those are mainly because the packaging process puts them in ${pkgdir}, not /, as a listing of ${pkgdir}/usr/lib does reveal libstoken.so and associated files.

Let me know what, if anything, I should change before submitting it to the AUR!

Thanks in advance,
Stephen


#2 2015-10-27 00:33:25

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,553

Re: Verify my first PKGBUILD, please?

makedepends=('autoconf' 'automake' 'libtool')

This is wrong. Packages in the base-devel group are assumed to be installed at build time and should not be included in the makedepends.

provides=(${pkgname})

This does nothing.

The empty prepare function needs to be removed as well, but I suspect that you're including that with the blank variables.

You typically don't run autogen with a release package, but I'm not sure about this software specifically.

You should be consistent with your braces when using variables. You have some that use them and some that don't. Pick a style and stick with it.

Overall, minor stuff. It looks pretty good.


#3 2015-10-27 00:36:56

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,525

Re: Verify my first PKGBUILD, please?

Scimmia wrote:

You typically don't run autogen with a release package, but I'm not sure about this software specifically.

The upstream source says only to do so if you are building from the git source rather than a versioned tarball - so in this case it should not be included.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#4 2015-10-27 14:21:42

StephenBrown2
Member
Registered: 2015-10-26
Posts: 6

Re: Verify my first PKGBUILD, please?

Thanks for the comments! I figured base-devel would be a legit assumption, but didn't want to make that assumption myself, so I just followed the README.

Also, the README is half-wrong. It appears that release.sh doesn't get run for the "Releases" on Github, but it is for those hosted on Sourceforge, so I'll make the source change and take out the autogen line for the non-git package.

Also, on Sourceforge there are ".asc" files, which I presume can be used for gpg file verification. How would I work with those in the PKGBUILD?
In the release.sh, there is:

gpgkey="BC0B0D65"
...
if gpg --list-secret-keys $gpgkey >& /dev/null; then
	gpg --yes --armor --detach-sign --default-key $gpgkey $tarball
fi

But adding the .asc file as a source file results in:

==> Validating source files with md5sums...
    stoken-0.90.tar.gz ... Passed
    stoken-0.90.tar.gz.asc ... Passed
==> Verifying source file signatures with gpg...
    stoken-0.90.tar.gz ... FAILED (unknown public key 63B81599BC0B0D65)
==> ERROR: One or more PGP signatures could not be verified!

Superfluous provides, prepare, and other empty variables now removed.

As far as the braces go, I don't think I changed any of the formatting from the /usr/share/pacman/PKGBUILD*.proto template I copied from, but nonetheless, I like consistency too, so that's fixed now.

Time for round two!


#5 2015-10-27 14:40:03

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,553

Re: Verify my first PKGBUILD, please?

re: gpg file verification, that relies on the validpgpkeys array (https://wiki.archlinux.org/index.php/PK … lidpgpkeys) and setting up your local keyring (https://wiki.archlinux.org/index.php/Ma … e_checking)

Otherwise, looks good to me.

Last edited by Scimmia (2015-10-27 14:42:38)


#6 2015-10-27 15:03:56

StephenBrown2
Member
Registered: 2015-10-26
Posts: 6

Re: Verify my first PKGBUILD, please?

Well, we're getting closer now. Thanks Scimmia, I'd seen that array but wasn't sure what to put there.

However, adding the public key with validpgpkeys=('63B81599BC0B0D65') gives me a new error, 'invalid public key', rather than unknown:

% makepkg
==> Making package: stoken 0.90-1 (Tue Oct 27 09:54:16 CDT 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found stoken-0.90.tar.gz
  -> Found stoken-0.90.tar.gz.asc
==> Validating source files with md5sums...
    stoken-0.90.tar.gz ... Passed
    stoken-0.90.tar.gz.asc ... Passed
==> Verifying source file signatures with gpg...
    stoken-0.90.tar.gz ... FAILED (invalid public key 45DFF2D5205FE8CD74C2EE6C63B81599BC0B0D65)
==> ERROR: One or more PGP signatures could not be verified!

gpg --search-keys turns up nothing:

% gpg --search-keys 45DFF2D5205FE8CD74C2EE6C63B81599BC0B0D65
gpg: error searching keyserver: No data
gpg: keyserver search failed: No data

And I'd already imported 63B81599BC0B0D65 with --search-keys before:

% gpg --recv-keys 63B81599BC0B0D65
gpg: key BC0B0D65: "Kevin Cernekee <cernekee@gmail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Last edited by StephenBrown2 (2015-10-27 15:05:25)


#7 2015-10-27 15:08:16

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,553

Re: Verify my first PKGBUILD, please?

And if you put the fingerprint in validpgpkeys instead of the keyid?


#8 2015-10-27 15:11:22

StephenBrown2
Member
Registered: 2015-10-26
Posts: 6

Re: Verify my first PKGBUILD, please?

If the fingerprint is "63B81599BC0B0D65", then yes. If it's "BC0B0D65", then no.

Though, both return the same thing when I run gpg --list-keys:

% gpg --list-keys --fingerprint 63B81599BC0B0D65
pub   rsa4096/BC0B0D65 2012-11-17
      Key fingerprint = 45DF F2D5 205F E8CD 74C2  EE6C 63B8 1599 BC0B 0D65
uid         [ unknown] Kevin Cernekee <cernekee@gmail.com>
sub   rsa4096/B601BA13 2012-11-17

% gpg --list-keys --fingerprint BC0B0D65
pub   rsa4096/BC0B0D65 2012-11-17
      Key fingerprint = 45DF F2D5 205F E8CD 74C2  EE6C 63B8 1599 BC0B 0D65
uid         [ unknown] Kevin Cernekee <cernekee@gmail.com>
sub   rsa4096/B601BA13 2012-11-17


#9 2015-10-27 15:15:07

StephenBrown2
Member
Registered: 2015-10-26
Posts: 6

Re: Verify my first PKGBUILD, please?

Wait... reading my own post there...

Is "45DF F2D5 205F E8CD 74C2  EE6C 63B8 1599 BC0B 0D65" what's supposed to go in validpgpkeys?

Gonna try that. brb

EDIT:
Aha, silly me. It was choking on the fingerprint, because obviously that's not a valid key.

gist updated one more time... and then to run mksrcinfo and submit!

Last edited by StephenBrown2 (2015-10-27 15:26:41)


#10 2015-10-27 15:15:17

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,553

Re: Verify my first PKGBUILD, please?

See where that output says "Key fingerprint"? That's the fingerprint.

Please read the first link in my previous post.

Last edited by Scimmia (2015-10-27 15:16:19)

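
As an added example (not code from this thread, from stoken, or from makepkg), a small POSIX shell check that turns the "Key fingerprint" line of gpg --list-keys --fingerprint into the form validpgpkeys expects and rejects short or long key IDs such as the ones tried above; makepkg matches the signing key's full 40-digit fingerprint against the array, so BC0B0D65 and 63B81599BC0B0D65 can never match. The sample listing is constructed from the output posted above and the function names are mine.

```shell
# Return 0 if $1 is a full OpenPGP v4 fingerprint (40 hex digits), else 1.
# An 8- or 16-digit key ID is only a suffix of this and is not accepted by
# makepkg; short IDs are also not unique, so they are a weak identifier anyway.
is_full_fingerprint() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;   # non-hex characters present
    esac
    [ "${#1}" -eq 40 ]
}

# Read gpg --list-keys --fingerprint output on stdin and print each primary
# key fingerprint with the grouping spaces removed (the validpgpkeys form).
extract_fingerprints() {
    sed -n 's/^ *Key fingerprint = //p' | tr -d ' '
}

# Check every validpgpkeys entry given as an argument; report offenders on
# stderr and return 1 if any entry is not a full fingerprint.
check_validpgpkeys() {
    rc=0
    for k in "$@"; do
        if ! is_full_fingerprint "$k"; then
            echo "validpgpkeys: '$k' is a key ID, not a fingerprint" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the listing from the post above, as gpg printed it.
sample_listing='pub   rsa4096/BC0B0D65 2012-11-17
      Key fingerprint = 45DF F2D5 205F E8CD 74C2  EE6C 63B8 1599 BC0B 0D65
uid         [ unknown] Kevin Cernekee <cernekee@gmail.com>
sub   rsa4096/B601BA13 2012-11-17'

# Demo: the extracted fingerprint passes, the two key IDs from the thread fail.
fpr=$(printf '%s\n' "$sample_listing" | extract_fingerprints)
if check_validpgpkeys "$fpr"; then
    echo "validpgpkeys=('$fpr')"
fi
if check_validpgpkeys 'BC0B0D65' '63B81599BC0B0D65'; then
    echo "unexpected: key IDs accepted"
else
    echo "key IDs rejected as expected"
fi
```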

#11 2015-10-27 15:31:11

StephenBrown2
Member
Registered: 2015-10-26
Posts: 6

Re: Verify my first PKGBUILD, please?

Yeah, I'd read it before, but apparently was blind to the output. Caught it now though.

Thanks for all the help!
