shellcheck everything

2022-11-16 13:59:38 +01:00 · 2022-11-16 13:59:38 +01:00 · d442f436de
commit d442f436de
parent 889c02419e
24 changed files with 95 additions and 72 deletions
--- a/coverage.py
+++ b/coverage.py
@ -298,6 +298,21 @@ def main():
                line = line.replace("{{ FORMAT }}", fmt)
                line = line.replace("{{ HOSTARCH }}", hostarch)
                fout.write(line)
        # ignore:
        # SC2016 Expressions don't expand in single quotes, use double quotes for that.
        # SC2050 This expression is constant. Did you forget the $ on a variable?
        # SC2194 This word is constant. Did you forget the $ on a variable?
        shellcheck = subprocess.run(
            [
                "shellcheck",
                "--exclude=SC2050,SC2194,SC2016",
                "-f",
                "gcc",
                "shared/test.sh",
            ],
            check=False,
            stdout=subprocess.PIPE,
        ).stdout.decode()
        argv = None
        match test:
            case "qemu":
@ -336,7 +351,9 @@ def main():
            proc.wait()
            break
        print(separator, file=sys.stderr)
-        if proc.returncode != 0:
+        if proc.returncode != 0 or shellcheck != "":
            if shellcheck != "":
                print(shellcheck)
            failed.append(
                format_failed(
                    i + 1, len(tests), name, dist, mode, variant, fmt, config_dict
--- a/coverage.sh
+++ b/coverage.sh
@ -14,7 +14,7 @@ if [ -e ./mmdebstrap ]; then
 	fi
 	rm "$TMPFILE"
-	if [ $(sed -e '/^__END__$/,$d' ./mmdebstrap | wc --max-line-length) -gt 79 ]; then
+	if [ "$(sed -e '/^__END__$/,$d' ./mmdebstrap | wc --max-line-length)" -gt 79 ]; then
 		echo "exceeded maximum line length of 79 characters" >&2
 		exit 1
 	fi
@ -25,6 +25,8 @@ fi
 [ -e ./tarfilter ] && black --check ./tarfilter
 [ -e ./coverage.py ] && black --check ./coverage.py
 shellcheck --exclude=SC2016 coverage.sh make_mirror.sh run_null.sh run_qemu.sh gpgvnoexpkeysig hooks/*/*.sh
 mirrordir="./shared/cache/debian"
 if [ ! -e "$mirrordir" ]; then
@ -75,11 +77,6 @@ export LC_ALL=C.UTF-8
 : "${HAVE_PROOT:=yes}"
 : "${HAVE_BINFMT:=yes}"
 defaultmode="auto"
 if [ "$HAVE_UNSHARE" != "yes" ]; then
 	defaultmode="root"
 fi
 # by default, use the mmdebstrap executable in the current directory together
 # with perl Devel::Cover but allow to overwrite this
 : "${CMD:=perl -MDevel::Cover=-silent,-nogcov ./mmdebstrap}"
@ -103,14 +100,14 @@ cover -delete cover_db >&2
 END
 	if [ "$HAVE_QEMU" = "yes" ]; then
 		./run_qemu.sh
-	elif [ "$mode" = "root" ]; then
+	elif [ "$HAVE_UNSHARE" != "yes" ]; then
 		./run_null.sh SUDO
 	else
 		./run_null.sh
 	fi
 	echo
-	echo open file://$(pwd)/shared/report/coverage.html in a browser
+	echo "open file://$(pwd)/shared/report/coverage.html in a browser"
 	echo
 fi
--- a/hooks/eatmydata/customize.sh
+++ b/hooks/eatmydata/customize.sh
@ -13,7 +13,7 @@ if [ -e "$rootdir/var/lib/dpkg/arch" ]; then
 else
 	chrootarch=$(dpkg --print-architecture)
 fi
-libdir="/usr/lib/$(dpkg-architecture -a $chrootarch -q DEB_HOST_MULTIARCH)"
+libdir="/usr/lib/$(dpkg-architecture -a "$chrootarch" -q DEB_HOST_MULTIARCH)"
 # if eatmydata was actually installed properly, then we are not removing
 # anything here
--- a/hooks/eatmydata/extract.sh
+++ b/hooks/eatmydata/extract.sh
@ -14,8 +14,10 @@ else
 	chrootarch=$(dpkg --print-architecture)
 fi
-eval $(apt-config shell trusted Dir::Etc::trusted/f)
+trusted=
-eval $(apt-config shell trustedparts Dir::Etc::trustedparts/d)
+eval "$(apt-config shell trusted Dir::Etc::trusted/f)"
 trustedparts=
 eval "$(apt-config shell trustedparts Dir::Etc::trustedparts/d)"
 tmpfile=$(mktemp --tmpdir="$rootdir/tmp")
 cat << END > "$tmpfile"
 Apt::Architecture "$chrootarch";
@ -30,7 +32,7 @@ END
 tmpdir=$(mktemp --directory --tmpdir="$rootdir/tmp")
 env --chdir="$tmpdir" APT_CONFIG="$tmpfile" apt-get download --print-uris eatmydata libeatmydata1 \
 	| sed -ne "s/^'\([^']\+\)'\s\+\(\S\+\)\s\+\([0-9]\+\)\s\+\(SHA256:[a-f0-9]\+\)$/\1 \2 \3 \4/p" \
-	| while read uri fname size hash; do
+	| while read -r uri fname size hash; do
 		echo "processing $fname" >&2
 		if [ -e "$tmpdir/$fname" ]; then
 			echo "$tmpdir/$fname already exists" >&2
@ -45,7 +47,7 @@ env --chdir="$tmpdir" APT_CONFIG="$tmpfile" apt-get download --print-uris eatmyd
 					| tar --directory="$rootdir/usr/bin" --strip-components=3 --extract --verbose ./usr/bin/eatmydata
 				;;
 			libeatmydata1_*_$chrootarch.deb)
-				libdir="/usr/lib/$(dpkg-architecture -a $chrootarch -q DEB_HOST_MULTIARCH)"
+				libdir="/usr/lib/$(dpkg-architecture -a "$chrootarch" -q DEB_HOST_MULTIARCH)"
 				mkdir -p "$rootdir$libdir"
 				dpkg-deb --fsys-tarfile "$tmpdir/$fname" \
 					| tar --directory="$rootdir$libdir" --strip-components=4 --extract --verbose --wildcards ".$libdir/libeatmydata.so*"
--- a/hooks/file-mirror-automount/customize00.sh
+++ b/hooks/file-mirror-automount/customize00.sh
@ -1,4 +1,6 @@
 #!/bin/sh
 #
 # shellcheck disable=SC2086
 set -eu
@ -21,17 +23,17 @@ case $MMDEBSTRAP_MODE in
 		echo "removing the following directories:" >&2 ;;
 esac
-cat "$rootdir/run/mmdebstrap/file-mirror-automount" \
+< "$rootdir/run/mmdebstrap/file-mirror-automount" \
-	| xargs $xargsopts echo "    $rootdir/{}"
+	xargs $xargsopts echo "    $rootdir/{}"
 case $MMDEBSTRAP_MODE in
 	root|unshare)
-		cat "$rootdir/run/mmdebstrap/file-mirror-automount" \
+		< "$rootdir/run/mmdebstrap/file-mirror-automount" \
-			| xargs $xargsopts umount "$rootdir/{}"
+			xargs $xargsopts umount "$rootdir/{}"
 		;;
 	*)
-		cat "$rootdir/run/mmdebstrap/file-mirror-automount" \
+		< "$rootdir/run/mmdebstrap/file-mirror-automount" \
-			| xargs $xargsopts rm -r "$rootdir/{}"
+			xargs $xargsopts rm -r "$rootdir/{}"
 		;;
 esac
--- a/hooks/file-mirror-automount/setup00.sh
+++ b/hooks/file-mirror-automount/setup00.sh
@ -9,10 +9,10 @@ fi
 rootdir="$1"
 # process all configured apt repositories
-env APT_CONFIG=$MMDEBSTRAP_APT_CONFIG apt-get indextargets --no-release-info --format '$(REPO_URI)' \
+env APT_CONFIG="$MMDEBSTRAP_APT_CONFIG" apt-get indextargets --no-release-info --format '$(REPO_URI)' \
 	| sed -ne 's/^file:\/\+//p' \
 	| sort -u \
-	| while read path; do
+	| while read -r path; do
 		mkdir -p "$rootdir/run/mmdebstrap"
 		case $MMDEBSTRAP_MODE in
 			root|unshare)
@ -22,8 +22,8 @@ env APT_CONFIG=$MMDEBSTRAP_APT_CONFIG apt-get indextargets --no-release-info --f
 				;;
 			*)
 				echo "copying /$path into the chroot" >&2
-				mkdir -p "$rootdir/$(dirname $path)"
+				mkdir -p "$rootdir/$(dirname "$path")"
-				cp -av "/$path" "$rootdir/$(dirname $path)"
+				cp -av "/$path" "$rootdir/$(dirname "$path")"
 				;;
 		esac
 		printf '/%s\0' "$path" >> "$rootdir/run/mmdebstrap/file-mirror-automount"
--- a/hooks/merged-usr/setup00.sh
+++ b/hooks/merged-usr/setup00.sh
@ -51,8 +51,10 @@ ARCH=$(dpkg --print-architecture)
 eval "$(APT_CONFIG="$MMDEBSTRAP_APT_CONFIG" apt-config shell ARCH Apt::Architecture)"
 if [ -e /usr/share/debootstrap/functions ]; then
 	# shellcheck disable=SC1091
 	. /usr/share/debootstrap/functions
-	doing_variant () { [ $1 != "buildd" ]; }
+	doing_variant () { [ "$1" != "buildd" ]; }
 	# shellcheck disable=SC2034
 	MERGED_USR="yes"
 	setup_merged_usr
 else
--- a/make_mirror.sh
+++ b/make_mirror.sh
@ -58,11 +58,9 @@ deletecache() {
 				;;
 		esac
 	done
-	if [ -e $dir/debian-*.qcow ]; then
+	for f in "$dir/debian-"*.qcow; do
-		rm --one-file-system "$dir"/debian-*.qcow
+		rm --one-file-system "$f"
-	else
+	done
 		echo "does not exist: $dir/debian-*.qcow" >&2
 	fi
 	if [ -e "$dir/debian/pool/main" ]; then
 		rm --one-file-system --recursive "$dir/debian/pool/main"
 	else
@ -103,7 +101,7 @@ get_oldaptnames() {
 	xz -dc "$1/$2" \
 		| grep-dctrl --no-field-names --show-field=Package,Version,Architecture,Filename '' \
 		| paste -sd "    \n" \
-		| while read name ver arch fname; do
+		| while read -r name ver arch fname; do
 			if [ ! -e "$1/$fname" ]; then
 				continue
 			fi
@ -131,7 +129,7 @@ get_newaptnames() {
 	xz -dc "$1/$2" \
 		| grep-dctrl --no-field-names --show-field=Package,Version,Architecture,Filename,SHA256 '' \
 		| paste -sd "     \n" \
-		| while read name ver arch fname hash; do
+		| while read -r name ver arch fname hash; do
 			# sanity check for the hash because sometimes the
 			# archive switches the hash algorithm
 			if [ "${#hash}" -ne 64 ]; then
@ -150,7 +148,7 @@ get_newaptnames() {
 				# since we move hardlinks around, the same hardlink might've been
 				# moved already into the same place by another distribution.
 				# mv(1) refuses to copy A to B if both are hardlinks of each other.
-				if [ "$aptname" -ef "$1/$fname" ]; then
+				if [ -e "$aptname" ] && [ -e "$1/$fname" ] && [ "$(stat -c "%d %i" "$aptname")" = "$(stat -c "%d %i" "$1/$fname")" ]; then
 					# both files are already the same so we just need to
 					# delete the source
 					rm "$aptname"
@ -232,7 +230,7 @@ Acquire::https::Dl-Limit "1000";
 Acquire::Retries "5";
 END
-	> "$rootdir/var/lib/dpkg/status"
+	: > "$rootdir/var/lib/dpkg/status"
 	APT_CONFIG="$rootdir/etc/apt/apt.conf" apt-get update
@ -264,7 +262,7 @@ END
 			--or --field=Priority important --or --field=Priority standard \
 			\))
-	pkgs="$(echo $pkgs) build-essential busybox gpg eatmydata"
+	pkgs="$pkgs build-essential busybox gpg eatmydata"
 	# we need usr-is-merged to simulate debootstrap behaviour for all dists
 	# starting from Debian 12 (Bullseye)
@ -273,6 +271,7 @@ END
 		*) pkgs="$pkgs usr-is-merged usrmerge" ;;
 	esac
 	# shellcheck disable=SC2086
 	APT_CONFIG="$rootdir/etc/apt/apt.conf" apt-get --yes install $pkgs
 	# to be able to also test gpg verification, we need to create a mirror
@ -336,7 +335,7 @@ END
 	# new one anymore
 	comm -23 "$rootdir/oldaptnames" "$rootdir/newaptnames" | xargs --delimiter="\n" --no-run-if-empty rm
 	# now the apt cache should be empty
-	if [ ! -z "$(ls -1qA "$rootdir/var/cache/apt/archives/")" ]; then
+	if [ -n "$(ls -1qA "$rootdir/var/cache/apt/archives/")" ]; then
 		echo "$rootdir/var/cache/apt/archives not empty:"
 		ls -la "$rootdir/var/cache/apt/archives/"
 		exit 1
@ -420,7 +419,7 @@ fi
 for nativearch in $arches; do
 	for dist in oldstable stable testing unstable; do
 		# non-host architectures are only downloaded for $DEFAULT_DIST
-		if [ $nativearch != $HOSTARCH ] && [ $DEFAULT_DIST != $dist ]; then
+		if [ "$nativearch" != "$HOSTARCH" ] && [ "$DEFAULT_DIST" != "$dist" ]; then
 			continue
 		fi
 		# we need a first pass without updates and security patches
@ -478,7 +477,8 @@ cleanuptmpdir() {
 	rmdir "$tmpdir"
 }
-export SOURCE_DATE_EPOCH=$(date --date="$(grep-dctrl -s Date -n '' "$newmirrordir/dists/$DEFAULT_DIST/Release")" +%s)
+SOURCE_DATE_EPOCH="$(date --date="$(grep-dctrl -s Date -n '' "$newmirrordir/dists/$DEFAULT_DIST/Release")" +%s)"
 export SOURCE_DATE_EPOCH
 if [ "$HAVE_QEMU" = "yes" ]; then
 	case "$HOSTARCH" in
@ -532,7 +532,7 @@ if [ "$HAVE_QEMU" = "yes" ]; then
 	else
 		arches=$HOSTARCH
 	fi
-	$CMD --variant=apt --architectures=$arches --include="$pkgs" \
+	$CMD --variant=apt --architectures="$arches" --include="$pkgs" \
 		--aptopt='Acquire::http::Dl-Limit "1000"' \
 		--aptopt='Acquire::https::Dl-Limit "1000"' \
 		--aptopt='Acquire::Retries "5"' \
--- a/tests/as-debootstrap-unshare-wrapper
+++ b/tests/as-debootstrap-unshare-wrapper
@ -74,8 +74,8 @@ for d in ./var/lib/apt/lists/partial ./var/cache/apt/archives/partial; do
 	chroot /tmp/debian-debootstrap chmod 0700 $d
 	chroot /tmp/debian-debootstrap chown _apt:root $d
 done
-tar -C /tmp/debian-debootstrap --numeric-owner --xattrs --xattrs-include='*' --sort=name --clamp-mtime --mtime=$(date --utc --date=@{{ SOURCE_DATE_EPOCH }} --iso-8601=seconds) -cf /tmp/root1.tar .
+tar -C /tmp/debian-debootstrap --numeric-owner --xattrs --xattrs-include='*' --sort=name --clamp-mtime --mtime="$(date --utc --date=@{{ SOURCE_DATE_EPOCH }} --iso-8601=seconds)" -cf /tmp/root1.tar .
-tar -C /tmp/debian-mm --numeric-owner --xattrs --xattrs-include='*' --sort=name --clamp-mtime --mtime=$(date --utc --date=@{{ SOURCE_DATE_EPOCH }} --iso-8601=seconds) -cf /tmp/root2.tar .
+tar -C /tmp/debian-mm --numeric-owner --xattrs --xattrs-include='*' --sort=name --clamp-mtime --mtime="$(date --utc --date=@{{ SOURCE_DATE_EPOCH }} --iso-8601=seconds)" -cf /tmp/root2.tar .
 tar --full-time --verbose -tf /tmp/root1.tar > /tmp/root1.tar.list
 tar --full-time --verbose -tf /tmp/root2.tar > /tmp/root2.tar.list
 # despite SOURCE_DATE_EPOCH and --clamp-mtime, the timestamps in the tarball
--- a/tests/ascii-armored-keys
+++ b/tests/ascii-armored-keys
@ -7,9 +7,9 @@ if [ ! -e /mmdebstrap-testenv ]; then
 fi
 for f in /usr/share/keyrings/*.gpg; do
 	name=$(basename "$f" .gpg)
-	gpg --enarmor < /usr/share/keyrings/$name.gpg \
+	gpg --enarmor < "/usr/share/keyrings/$name.gpg" \
 		| sed 's/ PGP ARMORED FILE/ PGP PUBLIC KEY BLOCK/;/^Comment: /d' \
-		> /etc/apt/trusted.gpg.d/$name.asc
+		> "/etc/apt/trusted.gpg.d/$name.asc"
 done
 rm /etc/apt/trusted.gpg.d/*.gpg
 rm /usr/share/keyrings/*.gpg
--- a/tests/aspcud-apt-solver
+++ b/tests/aspcud-apt-solver
@ -3,7 +3,7 @@ set -eu
 export LC_ALL=C.UTF-8
 trap "rm -f /tmp/debian-chroot.tar" EXIT INT TERM
 {{ CMD }} --mode={{ MODE }} --variant=custom \
-    --include $(cat pkglist.txt | tr '\n' ',') \
+    --include "$(tr '\n' ',' < pkglist.txt)" \
    --aptopt='APT::Solver "aspcud"' \
    {{ DIST }} /tmp/debian-chroot.tar {{ MIRROR }}
 tar -tf /tmp/debian-chroot.tar | sort \
--- a/tests/check-against-debootstrap-dist
+++ b/tests/check-against-debootstrap-dist
@ -12,7 +12,7 @@ echo "SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH"
 # we cannot use useradd because passwd is not Essential:yes
 {{ CMD }} --variant={{ VARIANT }} --mode={{ MODE }} \
 	--essential-hook='case {{ DIST }} in oldstable|stable) if [ {{ VARIANT }} = - ]; then echo _apt:*:100:65534::/nonexistent:/usr/sbin/nologin >> "$1"/etc/passwd; fi;; esac' \
-	$(case {{ DIST }} in oldstable|stable) : ;; *) echo --hook-dir=./hooks/merged-usr ;; esac) \
+	"$(case {{ DIST }} in oldstable|stable) echo --merged-usr ;; *) echo --hook-dir=./hooks/merged-usr ;; esac)" \
 	{{ DIST }} /tmp/debian-{{ DIST }}-mm.tar {{ MIRROR }}
 mkdir /tmp/debian-{{ DIST }}-mm
@ -160,8 +160,8 @@ fi
 for log in faillog lastlog; do
 	if ! cmp /tmp/debian-{{ DIST }}-debootstrap/var/log/$log /tmp/debian-{{ DIST }}-mm/var/log/$log >&2;then
 		# if the files differ, make sure they are all zeroes
-		cmp -n $(stat -c %s /tmp/debian-{{ DIST }}-debootstrap/var/log/$log) /tmp/debian-{{ DIST }}-debootstrap/var/log/$log /dev/zero >&2
+		cmp -n "$(stat -c %s "/tmp/debian-{{ DIST }}-debootstrap/var/log/$log")" "/tmp/debian-{{ DIST }}-debootstrap/var/log/$log" /dev/zero >&2
-		cmp -n $(stat -c %s /tmp/debian-{{ DIST }}-mm/var/log/$log) /tmp/debian-{{ DIST }}-mm/var/log/$log /dev/zero >&2
+		cmp -n "$(stat -c %s "/tmp/debian-{{ DIST }}-mm/var/log/$log")" "/tmp/debian-{{ DIST }}-mm/var/log/$log" /dev/zero >&2
 		# then delete them
 		rm /tmp/debian-{{ DIST }}-debootstrap/var/log/$log /tmp/debian-{{ DIST }}-mm/var/log/$log
 	fi
@ -172,7 +172,7 @@ done
 if [ "{{ VARIANT }}" = "-" ]; then
 	case {{ DIST }} in testing|unstable)
 		for f in group group- gshadow gshadow-; do
-			! cmp /tmp/debian-{{ DIST }}-mm/etc/$f /tmp/debian-{{ DIST }}-debootstrap/etc/$f 2>/dev/null
+			cmp /tmp/debian-{{ DIST }}-mm/etc/$f /tmp/debian-{{ DIST }}-debootstrap/etc/$f 2>/dev/null && exit 1
 			for d in mm debootstrap; do
 				sort /tmp/debian-{{ DIST }}-$d/etc/$f > /tmp/debian-{{ DIST }}-$d/etc/$f.bak
 				mv /tmp/debian-{{ DIST }}-$d/etc/$f.bak /tmp/debian-{{ DIST }}-$d/etc/$f
@ -208,10 +208,10 @@ find /tmp/debian-{{ DIST }}-debootstrap /tmp/debian-{{ DIST }}-mm -type d -print
 # debootstrap never ran apt -- fixing permissions
 for d in ./var/lib/apt/lists/partial ./var/cache/apt/archives/partial; do
 	chroot /tmp/debian-{{ DIST }}-debootstrap chmod 0700 $d
-	chroot /tmp/debian-{{ DIST }}-debootstrap chown $(id -u _apt):root $d
+	chroot /tmp/debian-{{ DIST }}-debootstrap chown "$(id -u _apt):root" $d
 done
-tar -C /tmp/debian-{{ DIST }}-debootstrap --numeric-owner --sort=name --clamp-mtime --mtime=$(date --utc --date=@{{ SOURCE_DATE_EPOCH }} --iso-8601=seconds) -cf /tmp/root1.tar .
+tar -C /tmp/debian-{{ DIST }}-debootstrap --numeric-owner --sort=name --clamp-mtime --mtime="$(date --utc --date=@{{ SOURCE_DATE_EPOCH }} --iso-8601=seconds)" -cf /tmp/root1.tar .
-tar -C /tmp/debian-{{ DIST }}-mm --numeric-owner --sort=name --clamp-mtime --mtime=$(date --utc --date=@{{ SOURCE_DATE_EPOCH }} --iso-8601=seconds) -cf /tmp/root2.tar .
+tar -C /tmp/debian-{{ DIST }}-mm --numeric-owner --sort=name --clamp-mtime --mtime="$(date --utc --date=@{{ SOURCE_DATE_EPOCH }} --iso-8601=seconds)" -cf /tmp/root2.tar .
 tar --full-time --verbose -tf /tmp/root1.tar > /tmp/root1.tar.list
 tar --full-time --verbose -tf /tmp/root2.tar > /tmp/root2.tar.list
 diff -u /tmp/root1.tar.list /tmp/root2.tar.list >&2
--- a/tests/chrootless-foreign
+++ b/tests/chrootless-foreign
@ -20,7 +20,7 @@ for INCLUDE in '' 'systemd-sysv'; do
 		--hook-dir=./hooks/merged-usr ${INCLUDE:+--include="$INCLUDE"} \
 		{{ DIST }} "/tmp/root.tar" {{ MIRROR }}
 	echo 0 > /proc/sys/fs/binfmt_misc/qemu-aarch64
-	! arch-test arm64
+	arch-test arm64 && exit 1
 	{{ CMD }} --mode=chrootless --architecture=arm64 --variant={{ VARIANT }} \
 		--hook-dir=./hooks/merged-usr ${INCLUDE:+--include="$INCLUDE"} \
 		{{ DIST }} "/tmp/chrootless.tar" {{ MIRROR }}
--- a/tests/compare-output-with-pre-seeded-var-cache-apt-archives
+++ b/tests/compare-output-with-pre-seeded-var-cache-apt-archives
@ -11,7 +11,7 @@ if [ ! -e /mmdebstrap-testenv ]; then
 	exit 1
 fi
 tmpdir=$(mktemp -d)
-trap "rm -f \"$tmpdir\"/*.deb /tmp/orig.tar /tmp/test1.tar /tmp/test2.tar; rmdir \"$tmpdir\"" EXIT INT TERM
+trap 'rm -f "$tmpdir"/*.deb /tmp/orig.tar /tmp/test1.tar /tmp/test2.tar; rmdir "$tmpdir"' EXIT INT TERM
 include="--include=doc-debian"
 if [ "{{ VARIANT }}" = "custom" ]; then
--- a/tests/create-arm64-tarball
+++ b/tests/create-arm64-tarball
@ -42,8 +42,8 @@ $prefix {{ CMD }} --mode={{ MODE }} --variant=apt --architectures=arm64 {{ DIST
 	| sed 's/aarch64-linux-gnu/x86_64-linux-gnu/' \
 	| sed 's/arm64/amd64/';
 } | sort > tar2.txt
-{ cat tar1.txt \
+{ < tar1.txt \
-	| grep -v '^\./usr/bin/i386$' \
+	grep -v '^\./usr/bin/i386$' \
 	| grep -v '^\./usr/bin/x86_64$' \
 	| grep -v '^\./lib32$' \
 	| grep -v '^\./lib64$' \
--- a/tests/create-tarball-dry-run
+++ b/tests/create-tarball-dry-run
@ -6,7 +6,7 @@
 set -eu
 export LC_ALL=C.UTF-8
 prefix=
-include=
+include=,
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != root ] && [ "{{ MODE }}" != auto ]; then
 	# this must be qemu
 	if ! id -u user >/dev/null 2>&1; then
@ -25,10 +25,10 @@ if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != root ] && [ "{{ MODE }}" != auto ];
 	fi
 	prefix="runuser -u user --"
 	if [ "{{ MODE }}" = extract ] || [ "{{ MODE }}" = custom ]; then
-		include="--include=$(cat pkglist.txt | tr '\n' ',')"
+		include="$(tr '\n' ',' < pkglist.txt)"
 	fi
 fi
-$prefix {{ CMD }} --mode={{ MODE }} $include --dry-run --variant={{ VARIANT }} {{ DIST }} /tmp/debian-chroot.tar {{ MIRROR }}
+$prefix {{ CMD }} --mode={{ MODE }} --include="$include" --dry-run --variant={{ VARIANT }} {{ DIST }} /tmp/debian-chroot.tar {{ MIRROR }}
 if [ -e /tmp/debian-chroot.tar ]; then
 	echo "/tmp/debian-chroot.tar must not be created with --dry-run" >&2
 	exit 1
--- a/tests/dist-using-codename
+++ b/tests/dist-using-codename
@ -7,5 +7,5 @@ export LC_ALL=C.UTF-8
 trap "rm -f Release; rm -rf /tmp/debian-chroot" EXIT INT TERM
 /usr/lib/apt/apt-helper download-file "{{ MIRROR }}/dists/{{ DIST }}/Release" Release
 codename=$(awk '/^Codename: / { print $2; }' Release)
-{{ CMD }} --mode={{ MODE }} --variant=apt $codename /tmp/debian-chroot {{ MIRROR }}
+{{ CMD }} --mode={{ MODE }} --variant=apt "$codename" /tmp/debian-chroot {{ MIRROR }}
 echo "deb {{ MIRROR }} $codename main" | diff -u - /tmp/debian-chroot/etc/apt/sources.list
--- a/tests/i386-which-can-be-executed-without-qemu
+++ b/tests/i386-which-can-be-executed-without-qemu
@ -22,8 +22,8 @@ apt-get remove --yes qemu-user-static binfmt-support qemu-user
 	| sed 's/i386/amd64/' \
 	| sed 's/\/stubs-32.ph$/\/stubs-64.ph/';
 } | sort > tar2.txt
-{ cat tar1.txt \
+{ < tar1.txt \
-	| grep -v '^\./usr/bin/i386$' \
+	grep -v '^\./usr/bin/i386$' \
 	| grep -v '^\./usr/bin/x86_64$' \
 	| grep -v '^\./usr/lib32/$' \
 	| grep -v '^\./lib32$' \
--- a/tests/install-busybox-based-sub-essential-system
+++ b/tests/install-busybox-based-sub-essential-system
@ -21,13 +21,14 @@ for cmd in echo cat sed grep; do
 	test -L /tmp/debian-chroot/bin/$cmd
 	test "$(readlink /tmp/debian-chroot/bin/$cmd)" = "/bin/busybox"
 done
-for cmd in sort; do
+for cmd in sort tee; do
 	test -L /tmp/debian-chroot/usr/bin/$cmd
 	test "$(readlink /tmp/debian-chroot/usr/bin/$cmd)" = "/bin/busybox"
 done
 chroot /tmp/debian-chroot echo foobar \
 	| chroot /tmp/debian-chroot cat \
 	| chroot /tmp/debian-chroot sort \
 	| chroot /tmp/debian-chroot tee /dev/null \
 	| chroot /tmp/debian-chroot sed 's/foobar/blubber/' \
 	| chroot /tmp/debian-chroot grep blubber >/dev/null
 rm -r /tmp/debian-chroot
--- a/tests/install-doc-debian
+++ b/tests/install-doc-debian
@ -11,7 +11,7 @@ fi
 prefix=
 [ "$(id -u)" -eq 0 ] && prefix="runuser -u user --"
 $prefix {{ CMD }} --mode=chrootless --variant=custom --include=doc-debian {{ DIST }} /tmp/debian-chroot {{ MIRROR }}
-tar -C /tmp/debian-chroot --owner=0 --group=0 --numeric-owner --sort=name --clamp-mtime --mtime=$(date --utc --date=@{{ SOURCE_DATE_EPOCH }} --iso-8601=seconds) -cf /tmp/debian-chroot.tar .
+tar -C /tmp/debian-chroot --owner=0 --group=0 --numeric-owner --sort=name --clamp-mtime --mtime="$(date --utc --date=@{{ SOURCE_DATE_EPOCH }} --iso-8601=seconds)" -cf /tmp/debian-chroot.tar .
 tar tvf /tmp/debian-chroot.tar > doc-debian.tar.list
 rm /tmp/debian-chroot.tar
 # delete contents of doc-debian
--- a/tests/install-doc-debian-and-test-hooks
+++ b/tests/install-doc-debian-and-test-hooks
@ -14,7 +14,7 @@ prefix=
 $prefix {{ CMD }} --mode=chrootless --skip=cleanup/tmp --variant=custom --include=doc-debian --setup-hook='touch "$1/tmp/setup"' --customize-hook='touch "$1/tmp/customize"' {{ DIST }} /tmp/debian-chroot {{ MIRROR }}
 rm /tmp/debian-chroot/tmp/setup
 rm /tmp/debian-chroot/tmp/customize
-tar -C /tmp/debian-chroot --owner=0 --group=0 --numeric-owner --sort=name --clamp-mtime --mtime=$(date --utc --date=@{{ SOURCE_DATE_EPOCH }} --iso-8601=seconds) -cf /tmp/debian-chroot.tar .
+tar -C /tmp/debian-chroot --owner=0 --group=0 --numeric-owner --sort=name --clamp-mtime --mtime="$(date --utc --date=@{{ SOURCE_DATE_EPOCH }} --iso-8601=seconds)" -cf /tmp/debian-chroot.tar .
 tar tvf /tmp/debian-chroot.tar | grep -v ' ./dev' | diff -u doc-debian.tar.list -
 rm /tmp/debian-chroot.tar
 # delete contents of doc-debian
--- a/tests/sigint-during-customize-hook
+++ b/tests/sigint-during-customize-hook
@ -1,12 +1,13 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
-setsid --wait {{ CMD }} --mode=root --variant=apt --customize-hook='touch done && sleep 10 && touch fail' {{ DIST }} /tmp/debian-chroot {{ MIRROR }} &
+setsid --wait {{ CMD }} --mode=root --variant=apt --customize-hook='touch hookstarted && sleep 10 && touch fail' {{ DIST }} /tmp/debian-chroot {{ MIRROR }} &
 pid=$!
-while sleep 1; do [ -e done ] && break; done
+while sleep 1; do [ -e hookstarted ] && break; done
-rm done
+rm hookstarted
-pgid=$(echo $(ps -p $pid -o pgid=))
+# negative PID values choose the whole process group
-/bin/kill --signal INT -- -$pgid
+pgid=$((-1*$(ps -p "$pid" -o pgid=)))
 /bin/kill --signal INT -- "$pgid"
 ret=0
 wait $pid || ret=$?
 rm -r /tmp/debian-chroot
--- a/tests/special-hooks-using-helpers
+++ b/tests/special-hooks-using-helpers
@ -7,9 +7,10 @@ ln -s /real /tmp/root/link
 mkdir /tmp/root/real
 run_testA() {
  echo content > /tmp/foo
-  { { { {{ CMD }} --hook-helper /tmp/root root setup env 1 upload /tmp/foo $1 < /tmp/myfifo 3>&-; echo $? >&3; printf "\\000\\000adios";
+  # shellcheck disable=SC2094
  { { { {{ CMD }} --hook-helper /tmp/root root setup env 1 upload /tmp/foo "$1" < /tmp/myfifo 3>&-; echo $? >&3; printf "\\000\\000adios";
      } | {{ CMD }} --hook-listener 1 3>&- >/tmp/myfifo; echo $?; } 3>&1;
-  } | { read xs1; [ "$xs1" -eq 0 ]; read xs2; [ "$xs2" -eq 0 ]; }
+  } | { read -r xs1; [ "$xs1" -eq 0 ]; read -r xs2; [ "$xs2" -eq 0 ]; }
  echo content | diff -u - /tmp/root/real/foo
  rm /tmp/foo
  rm /tmp/root/real/foo
--- a/tests/version
+++ b/tests/version
@ -3,4 +3,4 @@ set -eu
 export LC_ALL=C.UTF-8
 # we redirect to /dev/null instead of using --quiet to not cause a broken pipe
 # when grep exits before mmdebstrap was able to write all its output
-{{ CMD }} --version | egrep '^mmdebstrap [0-9](\.[0-9])+$' >/dev/null
+{{ CMD }} --version | grep -E '^mmdebstrap [0-9](\.[0-9])+$' >/dev/null