mirror of
https://github.com/dashpay/dash.git
synced 2024-12-24 19:42:46 +01:00
Merge bitcoin/bitcoin#22531: guix: Fixes to guix-{attest,verify}
9b313dfef18792fcc36e78ef3caa693fafcce04e guix: Ensure EPOCH_SOURCE_DATE does not include GPG information (Andrew Chow) 43225f0a2a517ccd79dc49279b979ffd2eca6b85 guix: Remove extra \r from all.SHA256SUMS line ending (Andrew Chow) d080c27066449f76bc8709fc50e422757971d2cf guix, doc: Add a note that codesigners need to rebuild after tagging (Andrew Chow) 4a466388a0092fbdf5f8969c6bfb65bf8cc962e1 guix: Allow changing the base manifest in guix-verify (Andrew Chow) 33455c76964b9e27b33e970d9722cc47657b291b guix: Make all.SHA256SUMS rather than codesigned.SHA256SUMS (Andrew Chow) Pull request description: `guix-verify` expects `all.SHA256SUMS` but `guix-attest` produces `codesigned.SHA256SUMS`. Since `all.SHA256SUMS` makes more sense (as the file contains all the sha256sums, not just the codesigned ones), `guix-attest` has been changed to output a file of that name. As a quality of life improvement, `guix-verify` can take `SIGNER` and use the signer's manifest as the base to compare against. This makes it easier to compare a single person's attestations with everyone else's and can make it more obvious when one builder is clearly mismatching with everyone else. Lastly `release-process.md` is updated with a note about a gotcha that can cause a mismatch in the codesigned attestation. ACKs for top commit: fanquake: ACK 9b313dfef18792fcc36e78ef3caa693fafcce04e Tree-SHA512: 0d60627def38288dbd3059ad1e72cad224f9205da11b1a561c082ef28250a074df5cc5f2797c91a7be027bc486a3fda3319c2e496a8724e5b539337236c6f990
This commit is contained in:
parent
83ec7f2070
commit
fbc2a50388
@ -213,8 +213,8 @@ mkdir -p "$outsigdir"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
temp_codesigned="$(mktemp)"
|
||||
trap 'rm -rf -- "$temp_codesigned"' EXIT
|
||||
temp_all="$(mktemp)"
|
||||
trap 'rm -rf -- "$temp_all"' EXIT
|
||||
|
||||
if (( ${#codesigned_fragments[@]} )); then
|
||||
# Note: all.SHA256SUMS attests to all of $sha256sum_fragments, but is
|
||||
@ -222,20 +222,19 @@ mkdir -p "$outsigdir"
|
||||
cat "${sha256sum_fragments[@]}" \
|
||||
| sort -u \
|
||||
| sort -k2 \
|
||||
| sed 's/$/\r/' \
|
||||
| basenameify_SHA256SUMS \
|
||||
> "$temp_codesigned"
|
||||
if [ -e codesigned.SHA256SUMS ]; then
|
||||
> "$temp_all"
|
||||
if [ -e all.SHA256SUMS ]; then
|
||||
# The SHA256SUMS already exists, make sure it's exactly what we
|
||||
# expect, error out if not
|
||||
if diff -u all.SHA256SUMS "$temp_codesigned"; then
|
||||
if diff -u all.SHA256SUMS "$temp_all"; then
|
||||
echo "An all.SHA256SUMS file already exists for '${VERSION}' and is up-to-date."
|
||||
else
|
||||
shasum_already_exists all.SHA256SUMS
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
mv "$temp_codesigned" codesigned.SHA256SUMS
|
||||
mv "$temp_all" all.SHA256SUMS
|
||||
fi
|
||||
else
|
||||
# It is fine to have the codesigned outputs be missing (perhaps the
|
||||
|
@ -233,7 +233,7 @@ host_to_commonname() {
|
||||
}
|
||||
|
||||
# Determine the reference time used for determinism (overridable by environment)
|
||||
SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git log --format=%at -1)}"
|
||||
SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git -c log.showSignature=false log --format=%at -1)}"
|
||||
|
||||
# Precious directories are those which should not be cleaned between successive
|
||||
# guix builds
|
||||
|
@ -220,7 +220,7 @@ fi
|
||||
JOBS="${JOBS:-$(nproc)}"
|
||||
|
||||
# Determine the reference time used for determinism (overridable by environment)
|
||||
SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git log --format=%at -1)}"
|
||||
SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git -c log.showSignature=false log --format=%at -1)}"
|
||||
|
||||
# Make sure an output directory exists for our builds
|
||||
OUTDIR_BASE="${OUTDIR_BASE:-${VERSION_BASE}/output}"
|
||||
|
@ -28,7 +28,11 @@ cmd_usage() {
|
||||
cat <<EOF
|
||||
Synopsis:
|
||||
|
||||
env GUIX_SIGS_REPO=<path/to/guix.sigs> ./contrib/guix/guix-verify
|
||||
env GUIX_SIGS_REPO=<path/to/guix.sigs> [ SIGNER=<signer> ] ./contrib/guix/guix-verify
|
||||
|
||||
Example overriding signer's manifest to use as base
|
||||
|
||||
env GUIX_SIGS_REPO=/home/dongcarl/guix.sigs SIGNER=achow101 ./contrib/guix/guix-verify
|
||||
|
||||
EOF
|
||||
}
|
||||
@ -94,6 +98,17 @@ echo "--------------------"
|
||||
echo ""
|
||||
if (( ${#all_noncodesigned[@]} )); then
|
||||
compare_noncodesigned="${all_noncodesigned[0]}"
|
||||
if [[ -n "$SIGNER" ]]; then
|
||||
signer_noncodesigned="$OUTSIGDIR_BASE/$SIGNER/noncodesigned.SHA256SUMS"
|
||||
if [[ -f "$signer_noncodesigned" ]]; then
|
||||
echo "Using $SIGNER's manifest as the base to compare against"
|
||||
compare_noncodesigned="$signer_noncodesigned"
|
||||
else
|
||||
echo "Unable to find $SIGNER's manifest, using the first one found"
|
||||
fi
|
||||
else
|
||||
echo "No SIGNER provided, using the first manifest found"
|
||||
fi
|
||||
|
||||
for current_manifest in "${all_noncodesigned[@]}"; do
|
||||
verify "$compare_noncodesigned" "$current_manifest"
|
||||
@ -114,6 +129,17 @@ echo "--------------------"
|
||||
echo ""
|
||||
if (( ${#all_all[@]} )); then
|
||||
compare_all="${all_all[0]}"
|
||||
if [[ -n "$SIGNER" ]]; then
|
||||
signer_all="$OUTSIGDIR_BASE/$SIGNER/all.SHA256SUMS"
|
||||
if [[ -f "$signer_all" ]]; then
|
||||
echo "Using $SIGNER's manifest as the base to compare against"
|
||||
compare_all="$signer_all"
|
||||
else
|
||||
echo "Unable to find $SIGNER's manifest, using the first one found"
|
||||
fi
|
||||
else
|
||||
echo "No SIGNER provided, using the first manifest found"
|
||||
fi
|
||||
|
||||
for current_manifest in "${all_all[@]}"; do
|
||||
verify "$compare_all" "$current_manifest"
|
||||
|
@ -145,6 +145,9 @@ Codesigner only: Sign the windows binaries:
|
||||
* Enter the passphrase for the key when prompted
|
||||
* `signature-win.tar.gz` will be created
|
||||
|
||||
Code-signer only: It is advised to test that the code signature attaches properly prior to tagging by performing the `guix-codesign` step.
|
||||
However if this is done, once the release has been tagged in the bitcoin-detached-sigs repo, the `guix-codesign` step must be performed again in order for the guix attestation to be valid when compared against the attestations of non-codesigner builds.
|
||||
|
||||
Codesigner only: Commit the detached codesign payloads:
|
||||
|
||||
```sh
|
||||
|
Loading…
Reference in New Issue
Block a user