2021-04-06 00:59:11 +02:00
|
|
|
#!/usr/bin/env bash
|
|
|
|
export LC_ALL=C
|
|
|
|
set -e -o pipefail
|
|
|
|
|
|
|
|
# shellcheck source=../../shell/realpath.bash
|
|
|
|
source contrib/shell/realpath.bash
|
|
|
|
|
|
|
|
# shellcheck source=../../shell/git-utils.bash
|
|
|
|
source contrib/shell/git-utils.bash
|
|
|
|
|
|
|
|
################
|
2021-04-08 02:15:27 +02:00
|
|
|
# Required non-builtin commands should be invocable
|
2021-04-06 00:59:11 +02:00
|
|
|
################
|
|
|
|
|
|
|
|
check_tools() {
|
|
|
|
for cmd in "$@"; do
|
|
|
|
if ! command -v "$cmd" > /dev/null 2>&1; then
|
|
|
|
echo "ERR: This script requires that '$cmd' is installed and available in your \$PATH"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
}
|
|
|
|
|
|
|
|
check_tools cat env readlink dirname basename git
|
|
|
|
|
|
|
|
################
|
|
|
|
# We should be at the top directory of the repository
|
|
|
|
################
|
|
|
|
|
|
|
|
same_dir() {
|
|
|
|
local resolved1 resolved2
|
|
|
|
resolved1="$(bash_realpath "${1}")"
|
|
|
|
resolved2="$(bash_realpath "${2}")"
|
|
|
|
[ "$resolved1" = "$resolved2" ]
|
|
|
|
}
|
|
|
|
|
|
|
|
if ! same_dir "${PWD}" "$(git_root)"; then
|
|
|
|
cat << EOF
|
|
|
|
ERR: This script must be invoked from the top level of the git repository
|
|
|
|
|
|
|
|
Hint: This may look something like:
|
|
|
|
env FOO=BAR ./contrib/guix/guix-<blah>
|
|
|
|
|
|
|
|
EOF
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
2022-03-07 11:08:46 +01:00
|
|
|
################
|
|
|
|
# Execute "$@" in a pinned, possibly older version of Guix, for reproducibility
|
|
|
|
# across time.
|
|
|
|
time-machine() {
|
|
|
|
# shellcheck disable=SC2086
|
|
|
|
guix time-machine --url=https://git.savannah.gnu.org/git/guix.git \
|
2022-05-09 22:23:53 +02:00
|
|
|
--commit=998eda3067c7d21e0d9bb3310d2f5a14b8f1c681 \
|
2022-03-07 11:08:46 +01:00
|
|
|
--cores="$JOBS" \
|
|
|
|
--keep-failed \
|
|
|
|
--fallback \
|
|
|
|
${SUBSTITUTE_URLS:+--substitute-urls="$SUBSTITUTE_URLS"} \
|
|
|
|
${ADDITIONAL_GUIX_COMMON_FLAGS} ${ADDITIONAL_GUIX_TIMEMACHINE_FLAGS} \
|
|
|
|
-- "$@"
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2021-04-06 00:59:11 +02:00
|
|
|
################
|
|
|
|
# Set common variables
|
|
|
|
################
|
|
|
|
|
Merge bitcoin/bitcoin#22847: guix/prelude: Override `VERSION` with `FORCE_VERSION`
96cc6bb04f7e173e1f7637b780ac00fc75486671 guix/prelude: Override VERSION with FORCE_VERSION (Carl Dong)
Pull request description:
```
Previously, if the builder exported $VERSION in their environment (as
past Gitian-building docs told them to), but their HEAD does not
actually point to v$VERSION, their build outputs will differ from those
of other builders.
This is because the contrib/guix/guix-* scripts only ever act on the
current git worktree, and does not try to check out $VERSION if $VERSION
is set in the environment.
Setting $VERSION only makes the scripts pretend like the current
worktree is $VERSION.
This problem was seen in jonatack's attestation for all.SHA256SUMS,
where only his bitcoin-22.0rc3-osx-signed.dmg differed from everyone
else's.
Here is my deduced sequence of events:
1. Aug 27th: He guix-builds 22.0rc3 and uploads his attestations up to
guix.sigs
2. Aug 30th, sometime after POSIX time 1630310848: he pulls the latest
changes from master in the same worktree where he guix-built 22.0rc3
and ends up at 7be143a960e2
3. Aug 30th, sometime before POSIX time 1630315907: With his worktree
still on 7be143a960e2, he guix-codesigns. Normally, this would result
in outputs going in guix-build-7be143a960e2, but he had
VERSION=22.0rc3 in his environment, so the guix-* scripts pretended
like he was building 22.0rc3, and used 22.0rc3's guix-build directory
to locate un-codesigned outputs and dump codesigned ones.
However, our SOURCE_DATE_EPOCH defaults to the POSIX time of HEAD
(7be143a960e2), which made all timestamps in the resulting codesigned
DMG 1630310848, 7be143a960e2's POSIX timestamp. This differs from the
POSIX timestamp of 22.0rc3, which is 1630348517. Note that the
windows codesigning procedure does not consider SOURCE_DATE_EPOCH.
We resolve this by only allowing VERSION overrides via the FORCE_VERSION
environment variable.
```
Please ignore the branch name, it's not relevant to the change.
ACKs for top commit:
fanquake:
ACK 96cc6bb04f7e173e1f7637b780ac00fc75486671 - Also makes sense given there are Guix build guides recommending to set `VERSION` as part of the process. i.e https://gist.github.com/hebasto/7293726cbfcd0b58e1cfd5418316cee3.
Tree-SHA512: 9dca3fc637ce11049286a3ebee3cd61cce2125fc51d31cf472fbed7f659e1846fc44062753e0e71bfaec9e7fbab6f040bb88d9d4bc4f8acb28c6890563584acf
2021-09-02 03:35:05 +02:00
|
|
|
VERSION="${FORCE_VERSION:-$(git_head_version)}"
|
2023-03-31 12:01:55 +02:00
|
|
|
DISTNAME="${DISTNAME:-dashcore-${VERSION}}"
|
2021-04-06 00:59:11 +02:00
|
|
|
|
|
|
|
version_base_prefix="${PWD}/guix-build-"
|
|
|
|
VERSION_BASE="${version_base_prefix}${VERSION}" # TOP
|
|
|
|
|
|
|
|
DISTSRC_BASE="${DISTSRC_BASE:-${VERSION_BASE}}"
|
|
|
|
|
|
|
|
OUTDIR_BASE="${OUTDIR_BASE:-${VERSION_BASE}/output}"
|
2021-04-08 23:19:05 +02:00
|
|
|
|
|
|
|
var_base_basename="var"
|
|
|
|
VAR_BASE="${VAR_BASE:-${VERSION_BASE}/${var_base_basename}}"
|
|
|
|
|
|
|
|
profiles_base_basename="profiles"
|
|
|
|
PROFILES_BASE="${PROFILES_BASE:-${VAR_BASE}/${profiles_base_basename}}"
|