Automatically use latest nightly version of Zig

Downloads directly from https://ziglang.org/download GPG verification of downloaded files is not currently possible because Zig nightly binaries aren't signed. See github issue ziglang/zig#4945 for details Using hardcoded sha256 is also impossible because this is an auto-updating package Therefore, there is no security beyonnd the basic integrity of a https:// network connection (although that is still some security, you would have to forge a signed HTTPS certificate to intercept). This commit also changes the versioning scheme to match the upstream downloads (and be compatible with the main zig package) This requires incrementing the "epoch" This change also changes the package to supports multiple architectures (both x86_64 and ARM64)
archlinux · Aug 22, 2022 · 53bd12a · 53bd12a
1 parent afd0dde
commit 53bd12a
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 14 deletions.
diff --git a/.SRCINFO b/.SRCINFO
@@ -1,14 +1,16 @@
 pkgbase = zig-dev-bin
 	pkgdesc = A general-purpose programming language and toolchain for maintaining robust, optimal, and reusable software
-	pkgver = 20220712
+	pkgver = 0.10.0_dev.3475+b3d463c9e
 	pkgrel = 1
+	epoch = 1
 	url = https://ziglang.org/
 	arch = x86_64
+	arch = aarch64
 	license = MIT
+	makedepends = curl
+	makedepends = jq
 	provides = zig
 	conflicts = zig
 	options = !strip
-	source = https://ziglang.org/builds/zig-linux-x86_64-0.10.0-dev.2977+7d2e14267.tar.xz
-	sha256sums = 22faf5006338de0682bb4c62dc0f73e4df5fb837ecaff21570e4ed39dc63b9c1
 
 pkgname = zig-dev-bin
diff --git a/PKGBUILD b/PKGBUILD
@@ -1,26 +1,75 @@
 # Maintainer: Kaizhao Zhang <zhangkaizhao@gmail.com>
-
-_buildver=0.10.0-dev.2977+7d2e14267
+# Contributor: Techcable <$USER @ techcable.net>
 
 pkgname=zig-dev-bin
-pkgver=20220712
+# Old versions of zig-dev-bin used date as pkgver (pkgver=20220712)
+#
+# Now we use something consistent with zig internal versioning.
+# Without changing the epoch, the old version scheme would be considered
+# "newer" greater than the new version scheme
+epoch=1
+# NOTE: Hyphen -> underscore
+pkgver=0.10.0_dev.3475+b3d463c9e
 pkgrel=1
 pkgdesc="A general-purpose programming language and toolchain for maintaining robust, optimal, and reusable software"
-arch=('x86_64')
+arch=('x86_64' 'aarch64')
 url="https://ziglang.org/"
 license=('MIT')
+makedepends=(curl jq)
 options=('!strip')
 provides=('zig')
 conflicts=('zig')
-source=(
-  "https://ziglang.org/builds/zig-linux-x86_64-${_buildver}.tar.xz"
-)
-sha256sums=(
-  '22faf5006338de0682bb4c62dc0f73e4df5fb837ecaff21570e4ed39dc63b9c1'
-)
+# NOTE: We don't include the "real" source until build()
+source=()
+# GPG verification is not currently possible because Zig binaries aren't signed
+# Hardcoded sha256 not possible because this is a an auto-updating (nightly) package
+#
+# Zig Issue for signed binaries: https://github.com/ziglang/zig/issues/4945
+sha256sums=()
+
+pkgver() {
+    local index_file="${srcdir}/zig-version-index.json";
+    # Invalidate old verison-index.json
+    #
+    # If we put version-index in `source` then it would be cached...
+    if [[ -x "$index_file" ]]; then
+        rm "$index_file";
+    fi
+    curl -sS "https://ziglang.org/download/index.json" -o "$index_file"
+    jq -r .master.version "$index_file" | sed 's/-/_/'
+}
+
+prepare() {
+    local newver="$(pkgver)";
+    pushd "${srcdir}" > /dev/null;
+    local index_file="zig-version-index.json";
+    local newurl="$(jq -r ".master.\"${CARCH}-linux\".tarball" $index_file)";
+    local newfile="zig-linux-${CARCH}-${newver}.tar.xz";
+    source+=("${newfile}:${newurl}")
+    local expected_hash="$(jq -r ".master.\"${CARCH}-linux\".shasum" "$index_file")"
+    sha256sums+=("$newhash")
+    if [[ -f "$newfile" ]]; then
+        echo "Reusing existing $newfile";
+    else
+        echo "Downloading Zig $newver from $newurl" >&2;
+        curl -Ss "$newurl" -o "$newfile";
+    fi;
+    echo "" >&2
+    echo "WARNING: No way to GPG/SHA verify the version ahead of time" >&2
+    echo "See Zig issue https://github.com/ziglang/zig/issues/4945 for signed binaries" >&2;
+    echo "" >&2;
+    local actual_hash="$(sha256sum "$newfile" | grep -oE '^\w+')"
+    if [[ "$expected_hash" != "$actual_hash" ]]; then
+        echo "ERROR: Expected hash $expected_hash for $newfile, but got $actual_hash" >&2;
+        exit 1;
+    fi;
+    echo "Extracting file";
+    tar -xf "$newfile";
+    popd > /dev/null;
+}
 
 package() {
-  cd "${srcdir}/zig-linux-x86_64-${_buildver}"
+  cd "${srcdir}/zig-linux-${CARCH}-${pkgver//_/-}"
   install -d "${pkgdir}/usr/bin"
   install -d "${pkgdir}/usr/lib/zig"
   cp -R lib "${pkgdir}/usr/lib/zig/lib"