build: ignore invalid checksums unless --strict (MR 2252)

We can fairly easily patch abuild by appending anything we want to the
APKBUILD file after copying it to the chroot.

Leverage this to override the verify() function so that it doesn't die
when checksums don't match.

Instead let's build the package anyway, but set a flag and print a
warning with instructions on how to generate the checksums.

We should continue to require APKBUILDs in pmaports to have valid
checksums.

Signed-off-by: Caleb Connolly <caleb@postmarketos.org>

pmb/build/_package.py

@@ -314,11 +314,15 @@ def run_abuild(context: Context, apkbuild, channel, arch: Arch, strict=False, fo
         cmd += ["-f"]
 
     # Copy the aport to the chroot and build it
-    pmb.build.copy_to_buildpath(apkbuild["pkgname"], suffix)
+    pmb.build.copy_to_buildpath(apkbuild["pkgname"], suffix, no_override=strict)
     override_source(apkbuild, apkbuild["pkgver"], src, suffix)
     link_to_git_dir(suffix)
     pmb.chroot.user(cmd, suffix, Path("/home/pmos/build"), env=env)
 
+    if (suffix / "tmp/apkbuild_verify_failed").exists():
+        logging.info("WARNING: Some checksums didn't match, run"
+                    f" 'pmbootstrap checksum {apkbuild['pkgname']}' to fix them.")
+
 
 def finish(apkbuild, channel, arch, output: Path, chroot: Chroot, strict=False):
     """Various finishing tasks that need to be done after a build."""

pmb/build/checksum.py

@@ -15,7 +15,7 @@ from pmb.core import Chroot
 def update(pkgname):
     """Fetch all sources and update the checksums in the APKBUILD."""
     pmb.build.init_abuild_minimal()
-    pmb.build.copy_to_buildpath(pkgname)
+    pmb.build.copy_to_buildpath(pkgname, no_override=True)
     logging.info("(native) generate checksums for " + pkgname)
     pmb.chroot.user(["abuild", "checksum"],
                     working_dir=Path("/home/pmos/build"))

pmb/build/other.py

@@ -21,7 +21,7 @@ from pmb.core import Chroot
 from pmb.core.context import get_context
 
 
-def copy_to_buildpath(package, chroot: Chroot=Chroot.native()):
+def copy_to_buildpath(package, chroot: Chroot=Chroot.native(), no_override: bool=False):
     # Sanity check
     aport = pmb.helpers.pmaports.find(package)
     if not os.path.exists(aport / "APKBUILD"):
@@ -44,9 +44,24 @@ def copy_to_buildpath(package, chroot: Chroot=Chroot.native()):
             continue
         pmb.helpers.run.root(["cp", "-rL", aport / file, build / file])
 
+    if not no_override:
+        abuild_overrides(build / "APKBUILD")
+
     pmb.chroot.root(["chown", "-R", "pmos:pmos",
                            "/home/pmos/build"], chroot)
 
+
+def abuild_overrides(apkbuild: Path):
+    """Override some abuild functions by patching the APKBUILD file."""
+
+    if apkbuild.is_relative_to(get_context().config.work / "cache_git"):
+        raise ValueError(f"Refusing to patch file in pmaports repo: {apkbuild}")
+
+    # Patch the APKBUILD file
+    override_path = pmb.config.pmb_src / "pmb/data/abuild_overrides.sh"
+    pmb.helpers.run.root(["sh", "-c", f"cat {override_path} >> {apkbuild}"])
+
+
 class BuildStatus(enum.StrEnum):
     # The binary package is outdated
     OUTDATED = "outdated"

pmb/data/abuild_overrides.sh

@@ -0,0 +1,17 @@
+# shellcheck shell=sh
+# BEGIN PMBOOTSTRAP OVERRIDES
+
+# Patched version of verify() to only warn instead of
+# refusing to build.
+# shellcheck disable=SC2034,SC2154,SC3043
+verify() {
+	rm -f /tmp/apkbuild_verify_failed
+	local verified=false algo=
+	sumcheck "sha512" "$sha512sums" && verified=true
+	if [ -n "$source" ] && ! $verified; then
+		touch /tmp/apkbuild_verify_failed
+	fi
+	return 0
+}
+
+# END PMBOOTSTRAP OVERRIDES