dev-util/google-antigravity: try making verify-sig more maintainable and fix misc. errors #419
Closed
gonsoos wants to merge 2 commits into gentoo:dev
* Replace sha256sum --check --strict with verify-sig_unsigned_checksums.
Use the fact that verify-sig_unsigned_checksums in sha256 mode ignores
any line in <checksum-file>
- that doesn't match the expected format "${checksum} ${filename}".
- whose ${filename} wasn't passed as an argument.
With that knowledge, we fix the format only for the arguments of
verify-sig_unsigned_checksums only for that line.
* Check pipe status with eapi9-pipestatus instead of die.
Fixes: 24744c6
Signed-off-by: Lucio Sauer <watermanpaint@posteo.net>
* Add ${PV} to sources.
Fixes: b68be6e
Signed-off-by: Lucio Sauer <watermanpaint@posteo.net>
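The two filtering rules from the first commit message, modelled as an added shell example (not the ebuild's or verify-sig.eclass's own code). `select_checksums` is a hypothetical stand-in that only selects lines and hashes no file; the sed expressions are the ones from the change under review (with `BUILD_ID` standing in for the ebuild's indirect `${!BUILD_ID_ARCH}`), and the InRelease and Packages text, version, build id and digests are constructed.

```shell
# Constructed values; none come from the real package.
ARCH=amd64 PV=1.2.3 BUILD_ID=100 P=google-antigravity-1.2.3
hex64() { printf '%064d' 0 | tr 0 "$1"; }   # dummy 64-character hex digest
# Hypothetical model of the filter the commit message describes: keep only
# "<64 hex digits> <filename>" lines whose filename was passed as an argument.
select_checksums() {
    wanted=" $* "
    while read -r sum name junk; do
        [ "${#sum}" -eq 64 ] || continue                # wrong digest length
        case $sum in *[!0-9a-f]*) continue ;; esac      # not hexadecimal
        [ -z "$junk" ] || continue                      # extra fields
        case $wanted in *" $name "*) printf '%s %s\n' "$sum" "$name" ;; esac
    done
}

inrelease() {   # constructed InRelease body; armor and signature omitted
    cat <<EOF
MD5Sum:
 $(hex64 c | cut -c1-32) 900 main/binary-amd64/Packages
SHA256:
 $(hex64 a) 900 main/binary-amd64/Packages
 $(hex64 b) 950 main/binary-arm64/Packages
EOF
}

packages() {    # constructed Packages index with two stanzas
    cat <<EOF
Package: antigravity
Version: 1.2.2-90
SHA256: $(hex64 d)

Package: antigravity
Version: ${PV}-${BUILD_ID}
SHA256: $(hex64 e)
EOF
}

# Stage 1: the sed from the hunk drops the size field and renames the entry.
stage1() {
    inrelease | sed "s,[0-9]\+ main/binary-${ARCH}.*,Packages.${ARCH}," |
        select_checksums "Packages.${ARCH}"
}
# Stage 2: cut out this version's stanza, turn "SHA256:" into a checksum line.
stage2() {
    packages | sed -n "/^Version: ${PV}-${BUILD_ID}/,/^SHA256:/p" |
        sed "s,^SHA256: \(.*\),\1 ${P}_${ARCH}.deb," |
        select_checksums "${P}_${ARCH}.deb"
}
stage1; stage2
```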
falbrechtskirchinger (Contributor) approved these changes on Jan 17, 2026 and left a comment:
Thanks for the improvements! LGTM.
| VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/google-artifact-registry.asc | ||
|
|
||
| inherit chromium-2 optfeature pax-utils unpacker verify-sig xdg | ||
| inherit eapi9-pipestatus chromium-2 optfeature pax-utils unpacker verify-sig xdg |
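Review bot: eapi9-pipestatus is prepended to the inherit line ahead of chromium-2, which breaks the alphabetical order the rest of the list follows (chromium-2, optfeature, pax-utils, unpacker, verify-sig, xdg). Placing it between chromium-2 and optfeature keeps the list sorted and makes later additions easier to review.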
Contributor
Thanks for the reminder!
Comment on lines +100 to +111
| verify-sig_verify_message InRelease - \ | ||
| | sed "s,[0-9]\+ main/binary-${ARCH}.*,Packages.${ARCH}," \ | ||
| | verify-sig_verify_unsigned_checksums - sha256 Packages.${ARCH} | ||
| pipestatus || die | ||
|
|
||
| cd "${DISTDIR}" > /dev/null || die | ||
| local BUILD_ID_ARCH=BUILD_ID_${ARCH^^} | ||
| sed -n "/^Version: ${PV}-${!BUILD_ID_ARCH}/,/^SHA256:/p" \ | ||
| "${WORKDIR}/Packages.${ARCH}" \ | ||
| | sed "s,^SHA256: \(.*\),\1 ${P}_${ARCH}.deb," \ | ||
| | verify-sig_verify_unsigned_checksums - sha256 ${P}_${ARCH}.deb | ||
| pipestatus || die |
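Review bot: the range address in the second pipeline, /^Version: ${PV}-${!BUILD_ID_ARCH}/, has no end anchor and leaves the dots in ${PV} as regex wildcards, so it also selects any stanza whose version merely starts with that string. Ending the pattern with $ and escaping the dots in ${PV} would pin the range to the one release. The range also relies on Version: preceding SHA256: inside a stanza and does not look at the Package: field; a short comment above the pipeline stating those assumptions about the Packages file would help whoever has to debug a failed verification.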
Contributor
That is a lot simpler. 👍
| SRC_URI=" | ||
| amd64? ( ${BASE_SRC_URI}/antigravity_${PV}-${BUILD_ID_AMD64}_amd64_${DEB_HASH_AMD64}.deb -> ${P}_amd64.deb ) | ||
| arm64? ( ${BASE_SRC_URI}/antigravity_${PV}-${BUILD_ID_ARM64}_arm64_${DEB_HASH_ARM64}.deb -> ${P}_arm64.deb ) | ||
| verify-sig? ( https://home.cit.tum.de/~salu/distfiles/${P}-verify-sig.tar.xz ) |
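Review bot: the verify-sig distfile on the last line is fetched from a personal web space (home.cit.tum.de/~salu), so every fetch with USE=verify-sig enabled depends on one contributor's account staying available. A project-controlled or mirrored location would be more durable, and a comment above SRC_URI saying what ${P}-verify-sig.tar.xz contains and how it is produced would help with the next version bump.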
Contributor
I was hoping to get away with hosting these inside FILESDIR for a few releases. I plan to automate the verify-sig tarball generation and release notifications in the coming weeks or months. My only concern is handling any new releases in the interim.
Contributor
Author
Some contributors host tarballs in a GitHub repo. In the meantime, I can also host these for you.
gentoo-bot pushed a commit that referenced this pull request on Jan 17, 2026
* Replace sha256sum --check --strict with verify-sig_unsigned_checksums.
Use the fact that verify-sig_unsigned_checksums in sha256 mode ignores
any line in <checksum-file>
- that doesn't match the expected format "${checksum} ${filename}".
- whose ${filename} wasn't passed as an argument.
With that knowledge, we fix the format only for the arguments of
verify-sig_unsigned_checksums only for that line.
* Check pipe status with eapi9-pipestatus instead of die.
Fixes: 24744c6
Part-of: #419
Acked-by: Florian Albrechtskirchinger <falbrechtskirchinger@gmail.com>
Signed-off-by: Lucio Sauer <watermanpaint@posteo.net>
@falbrechtskirchinger Thank you for your efforts on the package! I fixed the following issues:
verify-sig functionality hard to read and there was potential to simplify it by using eclass functions.
|| die.
Please take a look at the commit messages for more context. What do you think?
Fixes: 24744c6
Fixes: b68be6e