On 06/03/18 01:36, Eli Schwartz wrote:
> In commit c6b04c04653ba9933fe978829148312e412a9ea7 package signing was
> moved out of fakeroot, and as part of this process, the global pkgname
> variable was modified in order to extract the built package names.
> 
> However, if a debug package was not available and added to the list of
> packages, the function was aborted early, before the pkgname array was
> restored, thereby corrupting the later stages of makepkg and
> specifically the install_package function which needs to know which
> pkgnames to install.
> 
> Fix this by inlining the debug package signing inside the `if` check,
> and as added security switch to using `for pkg in "${pkgname[@]}"` as is
> done in many other parts of makepkg, since package signing does not
> depend on the value of pkgname for anything.
> 
> Signed-off-by: Eli Schwartz <eschwa...@archlinux.org>
> ---
>  .../libmakepkg/integrity/generate_signature.sh.in    | 20 
> ++++++++------------
>  1 file changed, 8 insertions(+), 12 deletions(-)
> 
> diff --git a/scripts/libmakepkg/integrity/generate_signature.sh.in 
> b/scripts/libmakepkg/integrity/generate_signature.sh.in
> index 8bb69984..c8b938ab 100644
> --- a/scripts/libmakepkg/integrity/generate_signature.sh.in
> +++ b/scripts/libmakepkg/integrity/generate_signature.sh.in
> @@ -50,28 +50,24 @@ create_package_signatures() {
>       if [[ $SIGNPKG != 'y' ]]; then
>               return 0
>       fi
> -     local pkgarch pkg_file
> +     local pkg pkgarch pkg_file
>       local pkgname_backup=("${pkgname[@]}")

This variable is no longer needed.

>       local fullver=$(get_full_version)
>  
>       msg "$(gettext "Signing package(s)...")"
>  
> -     for pkgname in ${pkgname_backup[@]}; do
> -             pkgarch=$(get_pkg_arch $pkgname)
> -             pkg_file="$PKGDEST/${pkgname}-${fullver}-${pkgarch}${PKGEXT}"
> +     for pkg in "${pkgname[@]}"; do
> +             pkgarch=$(get_pkg_arch $pkg)
> +             pkg_file="$PKGDEST/${pkg}-${fullver}-${pkgarch}${PKGEXT}"
>  
>               create_signature "$pkg_file"
>       done
>  
>       # check if debug package needs a signature
>       if ! check_option "debug" "y" || ! check_option "strip" "y"; then
> -             return
> +             pkg=$pkgbase-@DEBUGSUFFIX@
> +             pkgarch=$(get_pkg_arch)
> +             pkg_file="$PKGDEST/${pkg}-${fullver}-${pkgarch}${PKGEXT}"

We should check this file exists. The create_signature function will
still fail when the package is not there, which can happen if there are
no binaries in the package (e.g. arch=any packages).

> +             create_signature "$pkg_file"
>       fi
> -
> -     pkgname=$pkgbase-@DEBUGSUFFIX@
> -     pkgarch=$(get_pkg_arch)
> -     pkg_file="$PKGDEST/${pkgname}-${fullver}-${pkgarch}${PKGEXT}"
> -     create_signature "$pkg_file"
> -
> -     pkgname=("${pkgname_backup[@]}")
>  }
> 
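
Review bot: the condition guarding the debug signing is inverted. The block that sets `pkg=$pkgbase-@DEBUGSUFFIX@` and calls `create_signature` now sits inside `if ! check_option "debug" "y" || ! check_option "strip" "y"`, which is the test that previously guarded the early `return`. As written, the debug package is signed only when debug or strip is disabled and is skipped when both are enabled. The test should be flipped, for example `if check_option "debug" "y" && check_option "strip" "y"; then`. In the same hunk, `get_pkg_arch $pkg` is still unquoted although the loop header was changed to the quoted `"${pkgname[@]}"` expansion; quoting `"$pkg"` keeps the two consistent.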
