diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest
index ae0ec53f87..c8ea5f7485 100755
--- a/contrib/guix/guix-attest
+++ b/contrib/guix/guix-attest
@@ -162,6 +162,18 @@ EOF
 echo "Attesting to build outputs for version: '${VERSION}'"
 echo ""
 
+# Given a SHA256SUMS file as stdin that has lines like:
+# 0ba536819b221a91d3d42e978be016aac918f40984754d74058aa0c921cd3ea6 a/b/d/c/d/s/bitcoin-22.0rc2-riscv64-linux-gnu.tar.gz
+# ...
+#
+# Replace each line's file name with its basename:
+# 0ba536819b221a91d3d42e978be016aac918f40984754d74058aa0c921cd3ea6 bitcoin-22.0rc2-riscv64-linux-gnu.tar.gz
+# ...
+#
+basenameify_SHA256SUMS() {
+ sed -E 's@(^[[:xdigit:]]{64}[[:space:]]+).+/([^/]+$)@\1\2@'
+}
+
 outsigdir="$GUIX_SIGS_REPO/$VERSION/$signer_name"
 mkdir -p "$outsigdir"
 (
@@ -174,6 +186,7 @@ mkdir -p "$outsigdir"
 cat "${noncodesigned_fragments[@]}" \
 | sort -u \
 | sort -k2 \
+ | basenameify_SHA256SUMS \
 > "$temp_noncodesigned"
 if [ -e noncodesigned.SHA256SUMS ]; then
 # The SHA256SUMS already exists, make sure it's exactly what we
@@ -202,6 +215,7 @@ mkdir -p "$outsigdir"
 | sort -u \
 | sort -k2 \
 | sed 's/$/\r/' \
+ | basenameify_SHA256SUMS \
 > "$temp_codesigned"
 if [ -e codesigned.SHA256SUMS ]; then
 # The SHA256SUMS already exists, make sure it's exactly what we
diff --git a/doc/release-process.md b/doc/release-process.md
index d02fdbd71f..a18123bb79 100644
--- a/doc/release-process.md
+++ b/doc/release-process.md
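Review bot: The header comment on `basenameify_SHA256SUMS` in contrib/guix/guix-attest does not say what happens to lines the pattern does not match: sed prints them unchanged, so a line without a directory component, or one that does not start with 64 hex digits, reaches the attested file as-is. Because this output is what gets signed, I would state that in the comment, for example `# Lines that do not match (no '/' in the name, or no leading 64-hex-digit digest) pass through unmodified.` The greedy `.+/` also consumes everything between the whitespace and the last slash, which would include a binary-mode `*` marker if a fragment ever carried one; the comment should mention it if that form can occur.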
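Review bot: In the noncodesigned pipeline of contrib/guix/guix-attest (and in the same way in the codesigned pipeline of the following hunk), `basenameify_SHA256SUMS` runs after `sort -u`, so uniqueness is decided on the full path and two fragment lines that differ only in their directory leave the pipeline with the same file name. If their digests differ, the signed SHA256SUMS would carry two conflicting entries for one name. A check on the temp file before it is compared or installed would catch this, for example `dups=$(awk '{print $2}' "$temp_noncodesigned" | sort | uniq -d)` followed by `[ -z "$dups" ] || { echo "ERR: duplicate file names: $dups" >&2; exit 1; }`. The pipeline sits inside a subshell and is followed by an `if` that both extend beyond the hunk, so whether another step already rules this out is not visible here.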
@@ -163,15 +163,24 @@ cat "$VERSION"/*/all.SHA256SUMS.asc > SHA256SUMS.asc ``` - Upload to the dash.org server: - 1. The contents of /dash/guix-build-${VERSION}/output`, except for + 1. The contents of each `./dash/guix-build-${VERSION}/output/${HOST}/` directory, except for `*-debug*` files. + Guix will output all of the results into host subdirectories, but the SHA256SUMS + file does not include these subdirectories. In order for downloads via torrent + to verify without directory structure modification, all of the uploaded files + need to be in the same directory as the SHA256SUMS file. + The `*-debug*` files generated by the guix build contain debug symbols for troubleshooting by developers. It is assumed that anyone that is interested in debugging can run guix to generate the files for themselves. To avoid end-user confusion about which file to pick, as well as save storage space *do not upload these to the dash.org server*. + ```sh + find guix-build-${VERSION}/output/ -maxdepth 2 -type f -not -name "SHA256SUMS.part" -and -not -name "*debug*" -exec scp {} user@dash.org:/var/www/bin/dash-core-${VERSION} \; + ``` + 2. The `SHA256SUMS` file 3. The `SHA256SUMS.asc` combined signature file you just created