Verify Arch launcher runtime paths

mdheller · mdheller · commit 488d7b7ed101 · 2026-05-04T19:47:42.000-04:00
diff --git a/packaging/scripts/verify-arch-package.sh b/packaging/scripts/verify-arch-package.sh
@@ -16,6 +16,7 @@ done
 
 pkg="$(TURTLE_TERM_OUT_DIR="$tmp" TURTLE_TERM_VERSION="0.1.0" TURTLE_TERM_ARCH_ARCH="$(uname -m)" \
   "$repo_root/packaging/scripts/build-arch-package.sh")"
+extract="$tmp/extract"
 
 test -f "$pkg"
 test -f "$pkg.sha256"
@@ -47,4 +48,16 @@ if tar --zstd -tf "$pkg" | grep -q '^./usr/bin/wezterm-gui$'; then
   exit 1
 fi
 
+mkdir -p "$extract"
+tar --zstd -C "$extract" -xf "$pkg"
+grep -q 'TURTLE_TERM_RUNTIME_DIR="/usr/libexec/turtle-term"' "$extract/usr/bin/turtleterm"
+grep -q 'TURTLETERM_CONFIG="/etc/turtle-term/turtleterm.lua"' "$extract/usr/bin/turtleterm"
+grep -q 'exec "/usr/libexec/turtle-term/turtleterm"' "$extract/usr/bin/turtleterm"
+grep -q 'TURTLE_TERM_RUNTIME_DIR="/usr/libexec/turtle-term"' "$extract/usr/bin/turtleterm-mux-server"
+grep -q 'exec "/usr/libexec/turtle-term/turtleterm-mux-server"' "$extract/usr/bin/turtleterm-mux-server"
+if grep -R "$tmp\|BUILDROOT\|rpm-root\|arch-root\|deb-root" "$extract/usr/bin/turtleterm" "$extract/usr/bin/turtleterm-mux-server"; then
+  echo 'buildroot path leaked into Arch launch wrappers' >&2
+  exit 1
+fi
+
 echo "verified $pkg"
