#!/usr/bin/env bash
# Shell setup for the codesigning step.
#
# A fixed C locale and a UTC clock keep tool output and timestamps identical
# across builders; errexit together with pipefail makes any failing command,
# including one buried inside a pipeline, stop the script rather than leave a
# partially signed output tree behind.
export LC_ALL=C
set -eo pipefail
export TZ=UTC
# Guix applies a umask while building the packages from manifest.scm, but not
# inside `guix shell`, so set one explicitly here. Upstream may well teach at
# least `guix shell --container` to do this; once the time-machine is bumped to
# a commit that contains such a change, this line can be dropped.
#
# Keep this above any command that creates files, since it governs the
# permission bits those files get.
umask 022
# Verbose mode: a non-empty $V switches on shell tracing for the rest of this
# file and is forwarded to CMake-based builds through VERBOSE.
if [[ -n ${V:-} ]]; then
  # -v echoes each line as it is read, -x each command as it is executed
  # (after expansion), so both forms end up in the build log.
  set -vx
  # Set VERBOSE for CMake-based builds
  export VERBOSE=$V
fi
# Check that required environment variables are set
#
# Every ${VAR:?not set} expansion below makes bash abort with "VAR: not set"
# before anything is printed, so a missing variable fails fast and nothing is
# created under a half-configured environment. When all are present their
# values are echoed so they appear in the build log.
printf '%s\n' \
  "Required environment variables as seen inside the container:" \
  "UNSIGNED_TARBALL: ${UNSIGNED_TARBALL:?not set}" \
  "DETACHED_SIGS_REPO: ${DETACHED_SIGS_REPO:?not set}" \
  "DIST_ARCHIVE_BASE: ${DIST_ARCHIVE_BASE:?not set}" \
  "DISTNAME: ${DISTNAME:?not set}" \
  "HOST: ${HOST:?not set}" \
  "SOURCE_DATE_EPOCH: ${SOURCE_DATE_EPOCH:?not set}" \
  "DISTSRC: ${DISTSRC:?not set}" \
  "OUTDIR: ${OUTDIR:?not set}"
# Remember the caller's OUTDIR and redirect OUTDIR at a staging directory under
# DISTSRC for the duration of the signing steps; the staged tree is moved to
# ACTUAL_OUTDIR only after signing has finished.
ACTUAL_OUTDIR=$OUTDIR
OUTDIR=$DISTSRC/output
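#######################################
# Print a version string for the git checkout at $1: the output of
# `git describe` (nearest annotated tag, "-dirty" appended when the tree has
# uncommitted changes, the abbreviated commit id when no tag is reachable)
# with a leading "v" stripped.
# Arguments: $1 - path to a git working tree
# Outputs:   the version string on stdout; git's own diagnostics are discarded
# Returns:   0 on success, 1 when `git describe` fails (e.g. $1 is not a git
#            checkout), so that a caller's `$(...)` assignment fails under
#            `set -e` instead of silently embedding an empty version
#######################################
git_head_version() {
  local recent_tag
  # Assignment kept separate from `local`, whose own (successful) exit status
  # would otherwise mask a failing command substitution.
  recent_tag="$(git -C "$1" describe --abbrev=12 --dirty --always 2> /dev/null)" || {
    printf 'git_head_version: cannot describe %s\n' "$1" >&2
    return 1
  }
  echo "${recent_tag#v}"
}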
# Detached signatures are taken from a snapshot of DETACHED_SIGS_REPO at HEAD,
# stored under a name that embeds that repo's git_head_version().
CODESIGNATURE_GIT_ARCHIVE="${DIST_ARCHIVE_BASE}/${DISTNAME}-codesignatures-$(git_head_version "$DETACHED_SIGS_REPO").tar.gz"

# Create the codesignature tarball if not already there.
# NOTE(review): an archive already present at this path is reused as-is; the
# name only changes when `git describe` output changes, so if the signatures
# repo was amended without that changing, remove the stale file to force a
# fresh snapshot.
if ! [[ -e $CODESIGNATURE_GIT_ARCHIVE ]]; then
  mkdir -p "$(dirname "$CODESIGNATURE_GIT_ARCHIVE")"
  git -C "$DETACHED_SIGS_REPO" archive --output="$CODESIGNATURE_GIT_ARCHIVE" HEAD
fi

# Staging tree (OUTDIR lives under DISTSRC).
mkdir -p "$OUTDIR" "$DISTSRC"
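# The signing work runs in a subshell with DISTSRC as cwd so the cd does not
# leak into the manifest step that follows.
(
  cd "$DISTSRC"

  # Unpack the unsigned build products, then the detached signatures next to
  # them under codesignatures/.
  tar -xf "$UNSIGNED_TARBALL"

  mkdir -p codesignatures
  tar -C codesignatures -xf "$CODESIGNATURE_GIT_ARCHIVE"

  case "$HOST" in
    *mingw*)
      # The loop body runs in the pipeline's subshell; a failing osslsigncode
      # is expected to fail the pipeline, which `set -e -o pipefail` above
      # turns into an abort of the whole script.
      find "$PWD" -name "*-unsigned.exe" | while read -r infile; do
        infile_base="$(basename "$infile")"

        # Codesigned *-unsigned.exe and output to OUTDIR
        # (the "-unsigned" marker is stripped from the output name).
        # NOTE(review): GUIX_ENVIRONMENT is not among the variables checked at
        # the top of this file; if it is unset the CA bundle path silently
        # becomes /etc/ssl/certs/ca-certificates.crt — confirm the caller
        # always exports it.
        osslsigncode attach-signature \
          -in "$infile" \
          -out "${OUTDIR}/${infile_base/-unsigned}" \
          -CAfile "$GUIX_ENVIRONMENT/etc/ssl/certs/ca-certificates.crt" \
          -sigin codesignatures/win/"$infile_base".pem
      done
      ;;
    *darwin*)
      # Apply detached codesignatures to dist/ (in-place)
      signapple apply dist/Dash-Qt.app codesignatures/osx/dist

      # Make a DMG from dist/
      xorrisofs -D -l -V "$(< osx_volname)" -no-pad -r -dir-mode 0755 \
        -o "${OUTDIR}/${DISTNAME}-${HOST}.dmg" \
        dist \
        -- -volume_date all_file_dates ="$SOURCE_DATE_EPOCH"
      ;;
    *)
      # Unsupported target: say which HOST was rejected instead of exiting
      # silently.
      printf '%s: no codesigning procedure for HOST=%s\n' "${0##*/}" "$HOST" >&2
      exit 1
      ;;
  esac
) # $DISTSRC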
# Swap the staged output tree into the caller's OUTDIR. Whatever was there
# before is discarded first; if the move itself fails, the target is removed
# again so no half-moved tree is left behind, and the script fails.
rm -rf "$ACTUAL_OUTDIR"
if ! mv --no-target-directory "$OUTDIR" "$ACTUAL_OUTDIR"; then
  rm -rf "$ACTUAL_OUTDIR"
  # Report failure: `set -e` (enabled at the top of this file) turns this
  # non-zero status into an abort with status 1.
  false
fi
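# Emit a SHA256SUMS.part manifest for this codesigning run: the two inputs
# (unsigned tarball and codesignature archive) plus every file now under
# ACTUAL_OUTDIR, hashed with paths made relative to /outdir-base.
# /outdir-base is a fixed path — presumably the mount point of the output base
# inside the build container; confirm against the caller if it ever moves.
(
  cd /outdir-base
  # NUL-delimited end to end: plain `xargs` would word-split on whitespace and
  # interpret quotes and backslashes in file names, corrupting the manifest.
  {
    printf '%s\0' "$UNSIGNED_TARBALL" "$CODESIGNATURE_GIT_ARCHIVE"
    find "$ACTUAL_OUTDIR" -type f -print0
  } | xargs -0 realpath -z --relative-base="$PWD" \
    | xargs -0 sha256sum \
    | sort -k2 \
    | sponge "$ACTUAL_OUTDIR"/SHA256SUMS.part
  # sort -k2 orders by path (LC_ALL=C above makes that byte-wise); sponge
  # soaks up all input before opening its target, so the manifest file is not
  # created while find is still walking ACTUAL_OUTDIR.
)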