.TH "alpm-package-source-checksum" 7
.SH "NAME"
.PP
package source checksum \- a checksum to verify the integrity of a package source used for building an ALPM based package\.
.SH "DESCRIPTION"
.PP
ALPM based packages may be built using \fBpackage sources\fP and for each of them at least one valid \fBpackage source checksum\fP must exist to be able to verify the integrity of the source\.
.PP
Analogous to \fBpackage sources\fP, \fBpackage source checksums\fP may be specified in a generic or an architecture\-specific way\.
.PP
The value of a \fBpackage source checksum\fP is either the output of a \fBhash function\fP[1], or the special string 'SKIP', which indicates that no checksum verification should be done for a given source\.
.PP
The following \fBhash functions\fP[1] are supported:
.RS
.Bl
.IP \(bu 4
\fBMD5\fP[2]
.El
.Bl
.IP \(bu 4
\fBSHA\-1\fP[3]
.El
.Bl
.IP \(bu 4
\fBSHA\-224\fP (part of the \fBSHA\-2\fP [4] family)
.El
.Bl
.IP \(bu 4
\fBSHA\-256\fP (part of the \fBSHA\-2\fP [4] family)
.El
.Bl
.IP \(bu 4
\fBSHA\-384\fP (part of the \fBSHA\-2\fP [4] family)
.El
.Bl
.IP \(bu 4
\fBSHA\-512\fP (part of the \fBSHA\-2\fP [4] family)
.El
.Bl
.IP \(bu 4
\fBBLAKE2\fP[5]
.El
.RE
.PP
If several \fBpackage source checksums\fP exist for a \fBpackage source\fP, they must use distinct \fBhash functions\fP (e\.g\. \fBSHA\-512\fP and \fBBLAKE2\fP)\.
The number of \fBpackage source checksums\fP in each \fBhash function\fP category must always match the number of available \fBpackage sources\fP\.
.PP
In \fBPKGBUILD\fP files a \fBpackage source checksum\fP is defined by adding a value to one of the following arrays:
.RS
.Bl
.IP \(bu 4
md5sums (\fBhash function\fP: \fBMD5\fP)
.El
.Bl
.IP \(bu 4
sha1sums (\fBhash function\fP: \fBSHA\-1\fP)
.El
.Bl
.IP \(bu 4
sha224sums (\fBhash function\fP: \fBSHA\-224\fP)
.El
.Bl
.IP \(bu 4
sha256sums (\fBhash function\fP: \fBSHA\-256\fP)
.El
.Bl
.IP \(bu 4
sha384sums (\fBhash function\fP: \fBSHA\-384\fP)
.El
.Bl
.IP \(bu 4
sha512sums (\fBhash function\fP: \fBSHA\-512\fP)
.El
.Bl
.IP \(bu 4
b2sums (\fBhash function\fP: \fBBLAKE2\fP)
.El
.RE
.PP
Each array exclusively accepts output of the respective \fBhash function\fP or the special string 'SKIP' as value\.
.PP
Alternatively, any of the above array names, directly followed by an underscore character ("_"), directly followed by an \fBalpm\-architecture\fP (all except `\f[CR]any\fP`) may be used to define a source checksum for a specific architecture (e\.g\. `\f[CR]b2sums_aarch64\fP`)\.
.PP
In \fBSRCINFO\fP files a package source checksum is defined by assigning one of the following keywords a value:
.RS
.Bl
.IP \(bu 4
md5sums (\fBhash function\fP: \fBMD5\fP)
.El
.Bl
.IP \(bu 4
sha1sums (\fBhash function\fP: \fBSHA\-1\fP)
.El
.Bl
.IP \(bu 4
sha224sums (\fBhash function\fP: \fBSHA\-224\fP)
.El
.Bl
.IP \(bu 4
sha256sums (\fBhash function\fP: \fBSHA\-256\fP)
.El
.Bl
.IP \(bu 4
sha384sums (\fBhash function\fP: \fBSHA\-384\fP)
.El
.Bl
.IP \(bu 4
sha512sums (\fBhash function\fP: \fBSHA\-512\fP)
.El
.Bl
.IP \(bu 4
b2sums (\fBhash function\fP: \fBBLAKE2\fP)
.El
.RE
.PP
Each keyword assignment exclusively accepts output of the respective \fBhash function\fP or the special string 'SKIP' as value\.
.PP
Alternatively, any of the above keywords, directly followed by an underscore character ("_"), directly followed by an \fBalpm\-architecture\fP (all except `\f[CR]any\fP`) may be used to define a source checksum for a specific architecture (e\.g\. `\f[CR]b2sums_aarch64\fP`)\.
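.PP
The counting and value rules described above can be checked mechanically on a \fBSRCINFO\fP file.
The following Python function is an added example, not part of this manual page or of the ALPM project: \fBaudit_srcinfo\fP, the constructed sample input and the assumption that b2sums values are BLAKE2b\-512 digests are this example's own, and the final all\-SKIP check is an audit heuristic rather than a rule of the format.
.PP
.nf
```python
import re

# Hex digest length per checksum keyword. b2sums is assumed to be BLAKE2b-512,
# which matches the 128-character values used in this page's examples.
DIGEST_LEN = {"md5sums": 32, "sha1sums": 40, "sha224sums": 56, "sha256sums": 64,
              "sha384sums": 96, "sha512sums": 128, "b2sums": 128}
KEY_RE = re.compile("^(source|" + "|".join(DIGEST_LEN) + ")(?:_([a-z0-9_]+))?$")

def audit_srcinfo(text):
    """Return findings for the checksum rules of a SRCINFO document."""
    sources, sums = {}, {}  # arch -> [source]; (keyword, arch) -> [value]
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition("="))
        m = KEY_RE.match(key)
        if not sep or not m:
            continue
        kind, arch = m.group(1), m.group(2) or ""
        if kind == "source":
            sources.setdefault(arch, []).append(value)
        else:
            sums.setdefault((kind, arch), []).append(value)
    findings = []
    for (kind, arch), values in sums.items():
        name = kind + ("_" + arch if arch else "")
        if arch == "any":
            findings.append(name + ": 'any' is not allowed as architecture suffix")
        expected = len(sources.get(arch, []))
        if len(values) != expected:
            findings.append(f"{name}: {len(values)} checksums for {expected} sources")
        pattern = "[0-9a-fA-F]{%d}" % DIGEST_LEN[kind]
        for v in values:
            if v != "SKIP" and not re.fullmatch(pattern, v):
                findings.append(f"{name}: not a valid digest or SKIP: {v[:16]}...")
    # Audit check beyond the format rules: a source whose every entry is SKIP
    # (or missing) is not covered by any checksum at all.
    for arch, srcs in sources.items():
        for i, src in enumerate(srcs):
            column = [v[i] for (_, a), v in sums.items() if a == arch and i < len(v)]
            if all(c == "SKIP" for c in column):
                findings.append(f"{src}: no checksum verifies this source")
    return findings

# Constructed sample: b2sums has one (too short) value for two sources, and
# the signature file is covered only by SKIP.
SAMPLE = """
pkgbase = example
  source = example-0.1.0.tar.gz::https://download.example.org/example-v0.1.0.tar.gz
  source = example-0.1.0.tar.gz.sig::https://download.example.org/example-v0.1.0.tar.gz.sig
  sha512sums = {ok}
  sha512sums = SKIP
  b2sums = {short}
pkgname = example
""".format(ok="ab" * 64, short="cd" * 60)
```
.fi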
.SH "EXAMPLES"
.SS "Remote source with checksums"
.PP
The below \fBPKGBUILD\fP example defines a \fBpackage source\fP setup in which a remote source is verified using a \fBSHA\-512\fP and a \fBBLAKE2\fP hash\.
The checksum verification for the OpenPGP signature is skipped using the `\f[CR]SKIP\fP` string\.
.RS
.PP
.nf
pkgname=example
pkgver=0\.1\.0
pkgrel=1
pkgdesc="A package example"
arch=(x86_64)
url="https://example\.org"
license=(GPL\-3\.0\-or\-later)
makedepends=(meson)
depends=(
  gcc\-libs
  glibc
)
source=($pkgname\-$pkgver\.tar\.gz::https://download\.example\.org/$pkgname\-v$pkgver\.tar\.gz{,\.sig})
sha512sums=(
  0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6
  'SKIP'
)
b2sums=(
  d202d7951df2c4b711ca44b4bcc9d7b363fa4252127e058c1a910ec05b6cd038d71cc21221c031c0359f993e746b07f5965cf8c5c3746a58337ad9ab65278e77
  'SKIP'
)
validpgpkeys=(988881ADC9FC3655077DC2D4D757D480B5EA0E11)

build() {
  meson setup \-\-prefix /usr $pkgname\-$pkgver build
  meson compile \-C build
}

package() {
  meson install \-C build \-\-destdir "$pkgdir"
}
.fi
.RE
.PP
The \fBPKGBUILD\fP is represented by the following \fBSRCINFO\fP:
.RS
.PP
.nf
pkgbase = example
  pkgdesc = A package example
  pkgver = 0\.1\.0
  pkgrel = 1
  url = https://example\.org
  arch = x86_64
  license = GPL\-3\.0\-or\-later
  makedepends = meson
  depends = gcc\-libs
  depends = glibc
  source = example\-0\.1\.0\.tar\.gz::https://download\.example\.org/example\-v0\.1\.0\.tar\.gz
  source = example\-0\.1\.0\.tar\.gz::https://download\.example\.org/example\-v0\.1\.0\.tar\.gz\.sig
  sha512sums = 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6
  sha512sums = SKIP
  b2sums = d202d7951df2c4b711ca44b4bcc9d7b363fa4252127e058c1a910ec05b6cd038d71cc21221c031c0359f993e746b07f5965cf8c5c3746a58337ad9ab65278e77
  b2sums = SKIP

pkgname = example
.fi
.RE
.SS "Remote source with checksums for several architectures"
.PP
The below \fBPKGBUILD\fP example defines a \fBpackage source\fP setup in which two remote sources are verified using a \fBSHA\-512\fP and a \fBBLAKE2\fP hash each\.
One source is exclusively used on the \fBx86_64\fP and the other exclusively on the \fBaarch64\fP architecture\.
.RS
.PP
.nf
pkgname=example
pkgver=0\.1\.0
pkgrel=1
pkgdesc="A package example"
arch=(
  aarch64
  x86_64
)
url="https://example\.org"
license=(GPL\-3\.0\-or\-later)
makedepends=(meson)
depends=(
  gcc\-libs
  glibc
)
source_aarch64=(
  $pkgname\-$pkgver\.tar\.gz::https://download\.example\.org/$pkgname\-aarch64\-v$pkgver\.tar\.gz
)
source_x86_64=(
  $pkgname\-$pkgver\.tar\.gz::https://download\.example\.org/$pkgname\-x86_64\-v$pkgver\.tar\.gz
)
sha512sums_aarch64=(
  cc06808cbbee0510331aa97974132e8dc296aeb795be229d064bae784b0a87a5cf4281d82e8c99271b75db2148f08a026c1a60ed9cabdb8cac6d24242dac4063
)
sha512sums_x86_64=(
  0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6
)
b2sums_aarch64=(
  a69cc58858cb37cf8da7f83f55c23f171ee3c59be76ad7edcf01dec36fd9d0104bb433cd863ee3f0b6a10a336cf2400688c57fd99392dc01c4585d8725547e8c
)
b2sums_x86_64=(
  d202d7951df2c4b711ca44b4bcc9d7b363fa4252127e058c1a910ec05b6cd038d71cc21221c031c0359f993e746b07f5965cf8c5c3746a58337ad9ab65278e77
)

build() {
  meson setup \-\-prefix /usr $pkgname\-$pkgver build
  meson compile \-C build
}

package() {
  meson install \-C build \-\-destdir "$pkgdir"
}
.fi
.RE
.PP
The following \fBSRCINFO\fP is generated from the \fBPKGBUILD\fP:
.RS
.PP
.nf
pkgbase = example
  pkgdesc = A package example
  pkgver = 0\.1\.0
  pkgrel = 1
  url = https://example\.org
  arch = aarch64
  arch = x86_64
  license = GPL\-3\.0\-or\-later
  makedepends = meson
  depends = gcc\-libs
  depends = glibc
  source_aarch64 = example\-0\.1\.0\.tar\.gz::https://download\.example\.org/example\-aarch64\-v0\.1\.0\.tar\.gz
  sha512sums_aarch64 = cc06808cbbee0510331aa97974132e8dc296aeb795be229d064bae784b0a87a5cf4281d82e8c99271b75db2148f08a026c1a60ed9cabdb8cac6d24242dac4063
  b2sums_aarch64 = a69cc58858cb37cf8da7f83f55c23f171ee3c59be76ad7edcf01dec36fd9d0104bb433cd863ee3f0b6a10a336cf2400688c57fd99392dc01c4585d8725547e8c
  source_x86_64 = example\-0\.1\.0\.tar\.gz::https://download\.example\.org/example\-x86_64\-v0\.1\.0\.tar\.gz
  sha512sums_x86_64 = 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6
  b2sums_x86_64 = d202d7951df2c4b711ca44b4bcc9d7b363fa4252127e058c1a910ec05b6cd038d71cc21221c031c0359f993e746b07f5965cf8c5c3746a58337ad9ab65278e77

pkgname = example
.fi
.RE
.SH "SEE ALSO"
.PP
\fBPKGBUILD\fP(5), \fBSRCINFO\fP(5), \fBalpm\-architecture\fP(7), \fBalpm\-package\-source\fP(7), \fBmakepkg\fP(8)
.SH "NOTES"
.RS
.Bl
.IP 1. 4
\fBhash function\fP
.El
.RE
.PP
https://en\.wikipedia\.org/wiki/Hash_function
.RS
.Bl
.IP 2. 4
\fBMD5\fP
.El
.RE
.PP
https://en\.wikipedia\.org/wiki/MD5
.RS
.Bl
.IP 3. 4
\fBSHA\-1\fP
.El
.RE
.PP
https://en\.wikipedia\.org/wiki/SHA\-1
.RS
.Bl
.IP 4. 4
\fBSHA\-2\fP
.El
.RE
.PP
https://en\.wikipedia\.org/wiki/SHA\-2
.RS
.Bl
.IP 5. 4
\fBBLAKE2\fP
.El
.RE
.PP
https://en\.wikipedia\.org/wiki/BLAKE_(hash_function)#BLAKE2