You are not logged in.

#1 2022-01-08 17:14:06

priorit
Member
Registered: 2008-12-23
Posts: 15

[SOLVED] Hash verification of git-tag checkout

I would like to create a package that checks out a versioned tag of a repository.
I can use the following syntax to get that tag:

source=("git+https://github.com/xxx/${_gitname}.git#tag=v${pkgver}")
sha256sums=('SKIP')

However, this doesn't guarantee that every build is the same, as the tag could be changed by the owners of the repository.
Ideally, I would like to put the commit-sha as checksum, so that makepkg could verify that I ended up with the correct commit.

Is there a way to do this nicely?

Last edited by priorit (2022-01-09 16:18:39)

Offline

#2 2022-01-08 17:17:30

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 10,565
Website

Re: [SOLVED] Hash verification of git-tag checkout

Use the commit fragment instead of tag.

https://man.archlinux.org/man/core/pacm … CS_SOURCES


Sakura:-
Mobo: MSI MEG B550 UNIFY // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.

Offline

#3 2022-01-09 16:18:16

priorit
Member
Registered: 2008-12-23
Posts: 15

Re: [SOLVED] Hash verification of git-tag checkout

I would have preferred to use the tag in the checkout and use the commit as a checksum (ideally letting `makepkg -g` update the commit-hash).

Doesn't seem to exist yet, so using `commit` is probably the next best thing.

Offline

#4 2022-01-09 16:26:36

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 26,169
Website

Re: [SOLVED] Hash verification of git-tag checkout

I feel like I must be missing something.  Why would you want to use a checkout url that can sometimes get you something other than what you intended and add steps to detect when this failure occurred rather than using a checkout url that will consistently get you exactly what you intended?


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Online

#5 2022-01-09 16:30:32

progandy
Member
Registered: 2012-05-17
Posts: 4,760

Re: [SOLVED] Hash verification of git-tag checkout

By the way, here is a command to quickly get the commit id of a tag:

url="https://github.com/torvalds/linux/"
tag="v5.15"
git ls-remote -q --tags "$url" "$tag" | cut -f1

| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#6 2022-01-09 17:43:50

priorit
Member
Registered: 2008-12-23
Posts: 15

Re: [SOLVED] Hash verification of git-tag checkout

Trilby wrote:

Why would you want to use a checkout url that can sometimes get you something other than what you intended and add steps to detect when this failure occurred rather than using a checkout url that will consistently get you exactly what you intended?

When packaging a version I want to download the Git sources that are tagged with that version number. That's the intent and that's how I would like to write it. It is also less error-prone as I can't accidentally put the wrong commit in my PKGBUILD.

Furthermore, having a source of the form "git+https://github.com/xxx/${_gitname}.git#tag=v${pkgver}" means that I only need to update the pkgver at the top, which simplifies maintenance of the package. If makepkg could update the hash (-g) then publishing an updated package would be as simple as for normal source packages.

Offline

#7 2022-01-09 18:50:52

progandy
Member
Registered: 2012-05-17
Posts: 4,760

Re: [SOLVED] Hash verification of git-tag checkout

You can write your own packaging helpers. Here is a quick script to do the job for a PKGBUILD that has _tag, _repo, and _commit variables. You could get even fancier and have a script that takes the new version number as a parameter or even fetches it automatically from some upstream announcement or so.

#!/bin/bash

function die() {
	echo "$@"
	exit 1
}

[ -f PKGBUILD ] || die "Could not find PKGBUILD"

tag="$(sed -n 's/^_tag="\?\([^"]*\)"\?.*$/\1/p' PKGBUILD)"
repo="$(sed -n 's/^_repo="\?\([^"]*\)"\?.*$/\1/p' PKGBUILD)"

commit="$(git ls-remote -q --tags "$repo" "$tag" | cut -f1 | tr -cd a-zA-Z0-9 )"

if [[ -z $commit ]] ; then
	die "could not find commit id for tag $tag on $repo"
else
	sed -i "s/^_commit=.*$/_commit=$commit/" PKGBUILD
	updpkgsums
fi
pkgname=example
url="https://example.com"
_tag="v5.15"
_repo="https://github.com/torvalds/linux.git"
_commit=ABh84jdi58hjzh3
# create version from git tag
pkgver="${_tag#v}"
pkgrel=1
source=("git+$_repo#commit=$_commit")
sha256sums=('SKIP')
# [...]
echo "debug output for testing" >&2
echo "pkgver: $pkgver" >&2
echo "source: ${source[@]}" >&2
# package(), bulid(), ... comes here

Last edited by progandy (2022-01-09 18:54:40)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#8 2022-01-09 19:13:36

priorit
Member
Registered: 2008-12-23
Posts: 15

Re: [SOLVED] Hash verification of git-tag checkout

Thanks. I think that's what I'm going to do.

If others think that supporting git hashes directly in makepkg would be a good idea, I could have a look at that as well.

Offline

Board footer

Powered by FluxBB