Since sha256sums are preferred (I assume) why doesn't updpkgsums generate them?
The wiki says,
The checksums can also be obtained with e.g. sha256sum and added to the sha256sums array by hand.
With an automated tool (updpkgsums) already available and the code seemingly supporting multiple hash algorithms, I don't understand this need to do it by hand.
I see the code for updpkgsums contains an array named "known_hash_algos" and it also runs `source "$LIBRARY"/util/schema.sh`, which defines:
known_hash_algos=({md5,sha{1,224,256,384,512},b2})
Given this, I don't understand why updpkgsums doesn't generate sha256sums.
Last edited by MountainX (2020-10-27 06:21:25)
Edit: In /etc/makepkg.conf (or your user-local config) you can specify the preferred method in INTEGRITY_CHECK.
It also works if the sha256sums array already exists:
pkgname=test
pkgver=1
pkgrel=1
source=(http://example.com https://archlinux.org)
sha256sums=(.)
package() {
/bin/true
}
Last edited by progandy (2020-10-24 20:09:17)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
progandy wrote:It also works if the sha256sums array already exists:
sha256sums=(.)
I had tried this (without the dot) and it did not work:
sha256sums=()
I will try your two suggestions. Thanks.
updpkgsums uses makepkg --geninteg to generate the checksums, but uses known_hash_algos to find the old checksums and delete them to re-add them in-place.
makepkg supports and regenerates all known_hash_algos but defaults to the configuration value INTEGRITY_CHECK if the PKGBUILD has none currently defined (and an empty array does not define any checksums, hence the dot).
INTEGRITY_CHECK in the stock makepkg.conf defaults to CRC (formerly md5), partly as a statement that they only provide protection against network download corruption and aren't really a security measure.
Though personally, I do believe it provides a valuable Trust on First Use protection...
Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
eschwartz wrote:updpkgsums uses makepkg --geninteg to generate the checksums, but uses known_hash_algos to find the old checksums and delete them to re-add them in-place.
makepkg supports and regenerates all known_hash_algos but defaults to the configuration value INTEGRITY_CHECK if the PKGBUILD has none currently defined (and an empty array does not define any checksums, hence the dot).
INTEGRITY_CHECK in the stock makepkg.conf defaults to CRC (formerly md5), partly as a statement that they only provide protection against network download corruption and aren't really a security measure.
Though personally, I do believe it provides a valuable Trust on First Use protection...
Impressive answer. Thanks for sharing all that knowledge. Should the wiki page be updated with some or all of that info? Currently, the wiki page is a bit misleading as it gives the impression sha256sums have to be added "by hand".
I'm happy to update the wiki page, but I'm not sure how much of that info to put there. I would probably put all of it.
EDIT: I edited the wiki and linked to eschwartz's forum post above.
Last edited by MountainX (2020-10-25 01:11:21)
progandy wrote:It also works if the sha256sums array already exists:
sha256sums=(.)
I had tried this (without the dot) and it did not work:
sha256sums=()
I will try your two suggestions. Thanks.
Even with the dot, I don't get sha256sums from "updpkgsums".
sha256sums=(.)
I know I can also edit /etc/makepkg.conf to specify my preferred method in INTEGRITY_CHECK, but I'm curious why the above method doesn't work.
Wild guess: does the length of the array need to match the length of the source array? If this is the same package you've been posting about in other threads, perhaps there should be three dots:
sha256sums=(. . .)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Wild guess: does the length of the array need to match the length of the source array? If this is the same package you've been posting about in other threads, perhaps there should be three dots:
sha256sums=(. . .)
Thanks for the idea. I'll test that. I'm working on several different packages. This one has only 2 files.
The get_integlist function from /usr/share/makepkg/util/pkgbuild.sh does this, by checking each known hash algo, computing the desired array name, and checking if e.g. ${sha256sums[@]} is non-empty via [[ -n ]].
The single dot works for me. makepkg --geninteg does not care if "Integrity checks (%s) differ in size from the source array." since it overwrites it anyway -- only makepkg --verifysource does care.
Last edited by eschwartz (2020-10-25 01:38:29)
Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
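Putting eschwartz's two explanations above together (updpkgsums falling back to INTEGRITY_CHECK, and get_integlist treating only a non-empty <algo>sums array as declared), here is an added bash example, not makepkg's own code, that re-implements that check over constructed PKGBUILDs; the algorithm list is assumed to match the known_hash_algos quoted earlier in the thread.

```shell
#!/bin/bash
# Added example, not makepkg's own code: re-implements the get_integlist logic
# described above so you can see why sha256sums=() falls back to INTEGRITY_CHECK
# while sha256sums=(.) selects sha256.
# Assumption: this algorithm list mirrors the known_hash_algos quoted above.
known_hash_algos=({md5,sha{1,224,256,384,512},b2})

# Print the checksum algorithms a PKGBUILD declares; fall back to the
# INTEGRITY_CHECK list when no <algo>sums array is non-empty.
#   $1    path to the PKGBUILD      $2... INTEGRITY_CHECK fallback value(s)
# The PKGBUILD is sourced in a subshell so its variables stay contained;
# sourcing executes the file, so only do this with PKGBUILDs you trust.
get_integlist() {
    local pkgbuild=$1; shift
    local -a integrity_check=("$@") integlist
    mapfile -t integlist < <(
        # shellcheck disable=SC1090
        source "$pkgbuild" >/dev/null 2>&1 || exit 0
        for integ in "${known_hash_algos[@]}"; do
            sumname="${integ}sums[@]"
            # An empty array expands to nothing, so sha256sums=() is not
            # "declared"; a placeholder element such as "." makes it count.
            if [[ -n ${!sumname} ]]; then echo "$integ"; fi
        done
    )
    if (( ${#integlist[@]} == 0 )); then integlist=("${integrity_check[@]}"); fi
    echo "${integlist[*]}"
}

# Constructed sample PKGBUILDs (not real packages) in a scratch directory.
scratch=$(mktemp -d)
trap 'rm -rf "$scratch"' EXIT
cat >"$scratch/empty" <<'EOF'
source=(http://example.com https://archlinux.org)
sha256sums=()
EOF
cat >"$scratch/dot" <<'EOF'
source=(http://example.com https://archlinux.org)
sha256sums=(.)
EOF
cat >"$scratch/both" <<'EOF'
source=(http://example.com)
md5sums=(.)
b2sums=(.)
EOF
echo "sha256sums=()  -> $(get_integlist "$scratch/empty" md5)"  # md5 (fallback)
echo "sha256sums=(.) -> $(get_integlist "$scratch/dot" md5)"    # sha256
echo "md5sums+b2sums -> $(get_integlist "$scratch/both" md5)"   # md5 b2
```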
I'm still having trouble generating sums for source files. (I can generate them for built packages.)
/etc/makepkg.conf
INTEGRITY_CHECK=(sha256)
PKGBUILD
source=("git+${url}")
sha256sums=(.)
I run the following command in the same directory as the PKGBUILD. The source files are in a subdirectory named "src".
$ makepkg --geninteg
==> Retrieving sources...
==> Generating checksums for source files...
sha256sums=('SKIP')
As a sanity check:
$ sha256sum PKGBUILD
df77f7e511c1210b42f635ad6b64fef048a58793f306abfbfce1b4ad82c062f9 PKGBUILD
I can generate sha256sum for any individual files by hand.
Why does updpkgsums or "makepkg -g" generate sha256sums=('SKIP')?
Any suggestions for what I can check next?
Last edited by MountainX (2020-10-25 19:48:45)
Well, it is correctly generating the array...
OTOH, git clone directories cannot be checksummed; how do you propose to checksum a directory? SKIP is intentionally meaningful there.
You can use special pinned sources, though. source=("git+${url}#commit=<sha1>")
Last edited by eschwartz (2020-10-25 19:49:26)
Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
eschwartz wrote:OTOH, git clone directories cannot be checksummed; how do you propose to checksum a directory? SKIP is intentionally meaningful there.
I had assumed it would descend into the source directory and generate sums for each source file. I see that assumption was wrong.
I see a lot of AUR packages with sums for each source file. I assume the developers don't generate those sums for each file by hand. What is the normal workflow? It seems I am missing something basic.
Also, is the order in which the sums are listed in the array important?
I see a lot of AUR packages with sums for each source file. I assume the developers don't generate those sums for each file by hand. What is the normal workflow? It seems I am missing something basic.
Each entry in the source array has exactly one checksum (or SKIP if no checksum is necessary/possible). If a source is a VCS like git, mercurial (hg), or svn, then no checksum can be generated. It is assumed that the contents are dynamic and each VCS refresh can result in different data.
Also, is the order in which the sums are listed in the array important?
Yes. They are in the same order as the source files.
eschwartz wrote:INTEGRITY_CHECK in the stock makepkg.conf defaults to CRC (formerly md5), partly as a statement that they only provide protection against network download corruption and aren't really a security measure.
That change must be still unreleased, makepkg in pacman 5.2.2 still defaults to md5.
Last edited by progandy (2020-10-25 21:27:50)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Correct, the CRC addition (specifically cksums=() array powered by /usr/bin/cksum) and change of defaults will ship with the pacman 6 release.
Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
Thanks for all the replies here.