
aur-scan 1.0.2


HxHippy (@HxHippy) released this 13 Jun 20:53
Tag v1.0.2, commit 0ab1362


A correctness and supply-chain-integrity release.

Fixed

  • PRIV-002 false positives. The SUID/SGID matcher flagged any 3-digit chmod
    mode whose first digit was 4–7, so benign chmod 755 / chmod 644 /
    install -m644 raised a critical "SUID bit" finding. It now matches only
    true special-bit modes — 4-digit octal (4755, 2755, 6755) or symbolic
    (u+s, g+s, +s) — with regression tests covering both benign and real cases.
  • Fixed an environment-fragile rule-count test that failed when a community rule
    was installed in rules.d/.
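The PRIV-002 fix described above, as an added illustration and not the project's own rule code: a reconstruction of the 3-digit matcher beside a matcher that reports only lines which actually set the SUID or SGID bit, run over constructed PKGBUILD lines. The exact shape of the old pattern and the sample lines are assumptions; the fixed matcher goes slightly beyond the cases listed above by testing the real mode bits, so 5755 and 7755 are reported as well as 4755, 2755 and 6755.

```python
import re
import stat

# Constructed PKGBUILD-style lines, not taken from the project's test suite.
SAMPLE_LINES = [
    'chmod 755 "$pkgdir/usr/bin/tool"',                    # benign
    'chmod 644 "$pkgdir/usr/share/doc/tool/README"',       # benign
    'install -m644 README "$pkgdir/usr/share/doc/tool/"',  # benign
    'chmod 0755 "$pkgdir/usr/bin/tool"',                   # benign, 4 digits
    'chmod 4755 "$pkgdir/usr/bin/helper"',                 # SUID
    'chmod 2755 "$pkgdir/usr/bin/helper"',                 # SGID
    'install -m 6755 helper "$pkgdir/usr/bin/"',           # SUID+SGID
    'chmod u+s "$pkgdir/usr/bin/helper"',                  # symbolic SUID
    'chmod u-s "$pkgdir/usr/bin/helper"',                  # clears SUID
]

# Reconstruction of the pre-1.0.2 behaviour described in the release notes
# (assumed shape, not the project's actual rule): any mode starting 4-7 is "SUID".
_BUGGY_RE = re.compile(r"\b(?:chmod|install\s+-m)\s*[4-7][0-7]{2}")

def buggy_is_setid(line: str) -> bool:
    return _BUGGY_RE.search(line) is not None

# Mode token after chmod (optionally with flags such as -R) or install -m/--mode=:
# 3- or 4-digit octal, or a symbolic clause.  Removals (u-s) are not matched.
_MODE_RE = re.compile(
    r"\b(?:chmod(?:\s+-[A-Za-z]+)*|install\s+(?:-m\s*|--mode=))\s*"
    r"(?P<mode>[0-7]{3,4}|[ugoa]*[+=][rwxst]+)\b"
)

def is_setid(line: str) -> bool:
    """True only when the line actually sets the SUID or SGID bit."""
    m = _MODE_RE.search(line)
    if not m:
        return False
    mode = m.group("mode")
    if mode.isdigit():
        # A 3-digit mode has no special-bit field.  For 4 digits test the
        # real bits, so 5755 and 7755 are caught as well as 4755/2755/6755.
        if len(mode) != 4:
            return False
        return bool(int(mode, 8) & (stat.S_ISUID | stat.S_ISGID))
    who, perms = re.match(r"([ugoa]*)[+=]([rwxst]+)", mode).groups()
    # 's' means setuid/setgid only for the u and g classes; o+s is ignored
    # by chmod, and 't' alone is the sticky bit.
    return "s" in perms and (who in ("", "a") or "u" in who or "g" in who)

def flagged(lines, matcher=is_setid):
    """Lines the given matcher reports; compare buggy_is_setid with is_setid."""
    return [ln for ln in lines if matcher(ln)]
```

Running `flagged(SAMPLE_LINES, buggy_is_setid)` shows the benign 755/644 lines reported; `flagged(SAMPLE_LINES)` reports only the four lines that set a special bit.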

Changed — supply-chain integrity

  • The pinned packages (aur-scanner, ks-aur-scanner) now build from the
    GPG-signed git tag and verify it against our signing key
    (validpgpkeys), instead of hashing a GitHub-generated tarball. makepkg
    refuses to build if the tag signature is missing or forged.
  • Import the signing key if your AUR helper does not fetch it automatically:
    gpg --recv-keys 25631EAE3F43999050B7D7021132BF893C33FB51

Verify this release

git verify-tag v1.0.2

Detection, dependency-tree resolution, SBOM generation, and the race-free
install path are unchanged. The scanner remains static-only — it never executes
the package it inspects.