| name | aur-audit |
| description | Audit and validate PKGBUILDs before AUR submission. Covers namcap, shellcheck, chroot testing, and common error fixes. Use when running validation, fixing lint errors, or pre-submission quality checks. |
| license | MIT |
Skill: aur-audit
Purpose
Audit and validate PKGBUILDs before building or submitting to AUR.
Validation Commands
namcap PKGBUILD
namcap *.pkg.tar.zst
shellcheck --shell=bash --exclude=SC2034,SC2154,SC2164 PKGBUILD
makepkg --printsrcinfo > .SRCINFO
makerepropkg *.pkg.tar.zst
PKGBUILD Scanners
Third-party scanners catch malicious or dangerous patterns that namcap misses:
traur — static analyzer for suspicious PKGBUILD content
ks-aur-scanner — KDE-integrated scanner
These are aids, not substitutes for manual review.
Signature Verification
Check whether the PKGBUILD's source=() references a .sig or .asc signature file. If so:
- Look up keys in
validpgpkeys=()
- Import with
gpg --recv-keys <FINGERPRINT>
- Verify with
gpg --verify <source>.sig <source>
Note: signed code can still be malicious — review the content, not just the signature.
Diff Before Building
git show
git difftool @~..@ --tool=vimdiff
Common Errors
| Error | Fix |
|---|
Missing depends | find-libdeps (devtools) or ldd on binaries, then add to PKGBUILD |
Missing makedepends | Add build-time deps (base-devel is assumed) |
sha256sums mismatch | Run updpkgsums |
pkgver has hyphen | Replace with underscore (or quote for upstream use) |
Bad license format | Use SPDX: MIT, GPL-3.0-or-later, BSD-3-Clause, 0BSD |
source URL unreachable | Verify URL; use name::url syntax to rename |
pkgdesc self-referencing | "An editor for X" not "X is an editor for" |
Missing .SRCINFO | makepkg --printsrcinfo > .SRCINFO |
| Missing LICENSE / REUSE.toml | pkgctl license setup then pkgctl license check |
| Path with spaces | Quote "$pkgdir" and "$srcdir" |
/usr/libexec/ use | Move to /usr/lib/$pkgname/ |
Used msg/msg2/error/warning/plain | Replace with printf or echo |
Hash doesn't match a git+... source | Use ?signed#tag=<tag-object-hash> from git rev-parse |
Chroot Testing
pkgctl build
extra-x86_64-build
Catches issues that work on your system but fail in clean environments.
Reproducible Builds
Verify your build is reproducible:
makerepropkg *.pkg.tar.zst
repro -f *.pkg.tar.zst
If timestamps are required at build time, set SOURCE_DATE_EPOCH.
Pre-submission Checklist
Related
aur-pkgbuild — fixing found issues
aur-submission — push after audit passes
aur-rpc — verify metadata (OutOfDate, votes, popularity) before assuming state