
makepkg:tldr:ae599

makepkg: Verify the hashes of the sources.
$ makepkg --verifysource

The command "makepkg --verifysource" is used in Arch Linux to verify the integrity of source files before building a package.

When creating a package in Arch Linux, the build process usually involves downloading source files from external locations. The "makepkg --verifysource" command ensures that the downloaded source files have not been tampered with and are still in their original state. It checks the validity of the source files by comparing their cryptographic hash or signature with the expected values provided by the package maintainer.

Here's how the command works:

  1. The "makepkg" utility is a standard Arch build tool used to create packages from PKGBUILD scripts.
  2. The "--verifysource" option is passed to "makepkg" to trigger the specific verification functionality.
  3. When the command is executed, "makepkg" reads the PKGBUILD script to determine which source files need to be verified.
  4. It compares the cryptographic hash (typically an MD5 or SHA256 sum) or digital signature of each downloaded source file with the expected hash or signature given in the PKGBUILD file.
  5. If the verification fails because the source files do not match the expected values, the command displays an error message indicating that the source files may have been modified or compromised.
  6. Conversely, if the verification passes, the command will indicate that the source files are valid and ready for package building.
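
The comparison in steps 3 to 5, as an added example that is not makepkg's own code: a POSIX shell function checks a file against an expected SHA-256 value the way a `sha256sums` entry is used, and reports a `SKIP` entry separately because such an entry means nothing was verified. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example; verify_source and the sample file are constructed, not makepkg code.

# Print the SHA-256 of FILE as lowercase hex (sha256sum, or shasum as a fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_source FILE EXPECTED
# Returns 0 = hash matches, 1 = mismatch, 2 = SKIP (nothing verified), 3 = file missing.
verify_source() {
    file=$1
    expected=$2
    if [ ! -f "$file" ]; then
        echo "$file ... NOT FOUND"; return 3
    fi
    if [ "$expected" = "SKIP" ]; then
        # A SKIP entry disables the check, so the file is accepted unverified.
        echo "$file ... Skipped"; return 2
    fi
    actual=$(sha256_of "$file")
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')   # hex case is irrelevant
    if [ "$actual" = "$expected" ]; then
        echo "$file ... Passed"; return 0
    fi
    echo "$file ... FAILED (expected $expected, got $actual)"
    return 1
}

# Constructed demo: a 3-byte "source" file and its known SHA-256 (hash of "abc").
demo_dir=$(mktemp -d)
src="$demo_dir/demo-1.0.tar.gz"
good=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
printf 'abc' > "$src"

verify_source "$src" "$good" || true          # untouched download
printf 'x' >> "$src"                          # simulate modification after pinning
verify_source "$src" "$good" || true          # now reported as FAILED
verify_source "$src" SKIP || true             # accepted without any check
verify_source "$demo_dir/missing.tar.gz" "$good" || true
rm -rf "$demo_dir"
```

When reviewing a PKGBUILD, treat every `SKIP` entry as a source that this check does not cover.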

By verifying the source files, the "makepkg --verifysource" command helps ensure the integrity and security of the packages built in Arch Linux, providing users with confidence in the software they install.

This explanation was created by an AI. In most cases these explanations are correct, but please always be careful and never run a command unless you are sure it is safe.