With two integrity check methods available (checksums and pgp
signatures) it should be possible to skip only one of them.
When checksums are disabled and the public key of one source file
signature is unknown, stop the build process.
---
doc/makepkg.8.txt | 3 +++
scripts/makepkg.sh.in | 8 ++++++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/doc/makepkg.8.txt b/doc/makepkg.8.txt
index bc1ffc1..b032fd4 100644
--- a/doc/makepkg.8.txt
+++ b/doc/makepkg.8.txt
@@ -90,6 +90,9 @@ Options
*--skippgpcheck*::
Do not verify PGP signatures of the source files.
+*--skipchecksums*::
+ Do not verify source files with checksums.
+
*-h, --help*::
Output syntax and command line options.
local correlation=0
local integ required
@@ -719,7 +721,7 @@ check_pgpsigs() {
if ! gpg --quiet --batch --status-file "$statusfile" --verify "$file" "$sourcefile" 2> /dev/null; then
if grep "NO_PUBKEY" "$statusfile" > /dev/null; then
echo "$(gettext "Warning: Unknown public key") $(awk '/NO_PUBKEY/ {print $3}' $statusfile)" >&2
- warnings=1
+ (( SKIPCHECKSUMS )) && errors=1 || warnings=1
else
echo "$(gettext "FAILED")" >&2
errors=1
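Review bot: The added line in check_pgpsigs, `(( SKIPCHECKSUMS )) && errors=1 || warnings=1`, makes the result of a signature check depend on the flag for a different check. With checksums enabled, a source whose signing key is unknown still passes with only a warning, although its signature was never verified. A matching checksum says the file is the one the packager recorded, not who produced it, so NO_PUBKEY is easier to reason about if it has one fixed outcome that the man page states. If the conditional stays, write it as `if (( SKIPCHECKSUMS )); then errors=1; else warnings=1; fi`, because the `a && b || c` form only acts as if/else while `b` cannot fail. The body of check_pgpsigs starts and ends outside this hunk.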
@@ -1802,6 +1804,7 @@ usage() {
printf "$(gettext " --sign Sign the resulting package with %s")
" "gpg"
echo "$(gettext " --skipinteg Do not fail when integrity checks are missing")"
echo "$(gettext " --skippgpcheck Do not verify source files with pgp signatures")"
+ echo "$(gettext " --skipchecksums Do not verify source files with checksums")"
echo "$(gettext " --source Generate a source-only tarball without downloaded sources")"
echo
printf "$(gettext "These options can be passed to %s:")
" "pacman"
@@ -1840,7 +1843,7 @@ OPT_LONG+=",noextract,force,forcever:,geninteg,hel p,holdver,skippgpcheck"
OPT_LONG+=",install,key:,log,nocolor,nobuild,noche ck,nosign,pkg:,rmdeps"
OPT_LONG+=",repackage,skipinteg,sign,source,syncde ps,version,config:"
# Pacman Options
-OPT_LONG+=",noconfirm,noprogressbar"
+OPT_LONG+=",noconfirm,noprogressbar,skipchecksums "
OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@" || echo 'PARSE_OPTIONS FAILED')"
if [[ $OPT_TEMP = *'PARSE_OPTIONS FAILED'* ]]; then
# This is a small hack to stop the script bailing with 'set -e'
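Review bot: `skipchecksums` is appended to the `OPT_LONG+=` line that sits under the `# Pacman Options` comment, but it is a makepkg integrity option like `skippgpcheck` and `skipinteg`, which are listed on the makepkg lines above it. Adding it next to `skipinteg` on the preceding `OPT_LONG+=` line keeps the grouping accurate for anyone later checking which long options belong to makepkg and which to pacman. The `if` block after the parse_options call continues outside the hunk.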
@@ -1879,6 +1882,7 @@ while true; do
-o|--nobuild) NOBUILD=1 ;;
-p) shift; BUILDFILE=$1 ;;
--skippgpcheck) SKIPPGPCHECK=1;;
+ --skipchecksums) SKIPCHECKSUMS=1;;
--pkg) shift; PKGLIST=($1) ;;
-r|--rmdeps) RMDEPS=1 ;;
-R|--repackage) REPKG=1 ;;
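Review bot: The new case arm sets `SKIPCHECKSUMS=1`, but none of the visible hunks gives the variable a default, while `(( SKIPCHECKSUMS ))` in check_pgpsigs reads whatever value is in scope. If the script does not assign `SKIPCHECKSUMS=0` with its other option defaults (that part of the patch is not visible here), a `SKIPCHECKSUMS` exported in the caller's environment would change integrity handling without the flag being passed. Confirm that `SKIPCHECKSUMS=0` is set wherever `SKIPPGPCHECK` is initialised. The `while`/`case` block starts and ends outside this hunk.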
--
1.7.6
07-16-2011, 12:55 PM
Allan McRae
makepkg: Add --skipchecksums
On 06/07/11 21:02, Wieland Hoffmann wrote:
> With two integrity check methods available (checksums and pgp
> signatures) it should be possible to skip only one of them.
There were a few more places in makepkg where this needed some more
attention so I took this patch and added to it. It will soon follow to
the list.
> When checksums are disabled and the public key of one source file
> signature is unknown, stop the build process.
I removed this as I do not like the behaviour of signature checking to
change based on a flag for another check type.
Allan
07-19-2011, 11:39 AM
Wieland Hoffmann
makepkg: Add --skipchecksums
Hallo, Allan McRae:
> I removed this as I do not like the behaviour of signature checking
> to change based on a flag for another check type.
Then it should be mentioned in the manpage that disabling the checksum
checks leads to disabling integrity checks completely if the user does
not have the public key that signed the sources in his keyring.