mirror of
https://github.com/dashpay/dash.git
synced 2024-12-26 20:42:59 +01:00
56d2bc249b
e2c40a4ed5272d72fea997bd936fba28bb753226 guix-attest: Error out if SHA256SUMS is unexpected (Carl Dong)
4cc35daed557f38b080360a89036b2e97a6f78c2 Rewrite guix-{attest,verify} for new hier (Carl Dong)
28a9c9b83924f585b397f0f3b8e9e73780ac0ad6 Make SHA256SUMS fragment right after build (Carl Dong)
Pull request description:
Based on: #22075
Code reviewers: I recommend reading the new `guix-{attest,verify}` files instead of trying to read the diff
The following changes resolve many usability improvements which were pointed out to me:
1. Some maintainers like to extract their "uncodesigned tarball" inside the `output/` directory, resulting in the older `guix-attest` mistakenly attesting to the extracted contents
2. Maintainers whose GPG keys reside on an external smartcard often need to physically interact with the smartcard as a way to approve the signing operation, having one signature per platform means a lot of fidgeting
3. Maintainers wishing to sign on a separate machine now has the option of transferring only a subtree of `output/`, namely `output/*/SHA256SUMS.part`, in order to perform a signature (you may need to specify an `$OUTDIR_BASE` env var)
4. An `all.SHA256SUMS` file should be usable as the base `SHA256SUMS` in bitcoin core torrents and on the release server.
For those who sign on an separate machine than the one you do builds on, the following steps will work:
1. `env GUIX_SIGS_REPO=/home/achow101/guix.sigs SIGNER=achow101 NO_SIGN=1 ./contrib/guix/guix-attest`
2. Copy `/home/achow101/guix.sigs/<tag>/achow101` (which does not yet have signatures) to signing machine
3. Sign the `SHA256SUMS` files:
```bash
for i in "<path-to-achow101>/*.SHA256SUMS"; do
gpg --detach-sign --local-user "<your-key-here>" --armor --output "$i"{.asc,}
done
```
5. Upload `<path-to-achow101>` (now with signatures) to `guix.sigs`
-----
After this change, output directories will now include a `SHA256SUMS.part` fragment, created immediately after a successful build:
```
output
└── x86_64-w64-mingw32
├── bitcoin-4e069f7589da-win64-debug.zip
├── bitcoin-4e069f7589da-win64-setup-unsigned.exe
├── bitcoin-4e069f7589da-win64.zip
├── bitcoin-4e069f7589da-win-unsigned.tar.gz
└── SHA256SUMS.part
```
These `SHA256SUMS.part` fragments look something like:
```
3ebd7262b1a0a5bb757fef1f70e7e14033c70f98c059bc4dbfee5d1992b25825 dist-archive/bitcoin-4e069f7589da.tar.gz
def2e7d3de5ab3e3f955344e75151df4f33713f9101f5295bd13c9375bdf633b x86_64-w64-mingw32/bitcoin-4e069f7589da-win64-debug.zip
643049fe3ee4a4e83a1739607e67b11b7c9b1a66208a6f35a9ff634ba795500e x86_64-w64-mingw32/bitcoin-4e069f7589da-win64-setup-unsigned.exe
a247a1ccec0ccc2e138c648284bd01f6a761f2d8d6d07d91b5b4a6670ec3f288 x86_64-w64-mingw32/bitcoin-4e069f7589da-win-unsigned.tar.gz
fab76a836dcc592e39c04fd2396696633fb6eb56e39ecbf6c909bd173ed4280c x86_64-w64-mingw32/bitcoin-4e069f7589da-win64.zip
```
Meaning that they are valid `SHA256SUMS` files when `sha256sum --check`'d at the `guix-build-*/output` directory level
When `guix-attest` is invoked, these `SHA256SUMS.part` files are combined and sorted (by `-k2`, `LC_ALL=C`) to create:
1. `noncodesigned.SHA256SUMS` for a manifest of all non-codesigned outputs, and
3. `all.SHA256SUMS` for a manifest of all outputs including non-codesigned outputs
Then both files are signed, resulting in the following `guix.sigs` hierarchy:
```
4e069f7589da/
└── dongcarl
├── all.SHA256SUMS
├── all.SHA256SUMS.asc
├── noncodesigned.SHA256SUMS
└── noncodesigned.SHA256SUMS.asc
```
ACKs for top commit:
achow101:
ACK e2c40a4ed5272d72fea997bd936fba28bb753226
hebasto:
ACK e2c40a4ed5272d72fea997bd936fba28bb753226, tested on Linux Mint 20.1 (x86_64) with and w/o `NO_SIGN=1`. Changes in `contrib/guix/libexec/codesign.sh` and `contrib/guix/guix-verify` are reviewed only.
Tree-SHA512: 618aacefb0eb6595735a9ab6a98ea6598fce65f9ccf33fa1e7ef93bf140c0f6cfc16e34870c6aa3e4777dd3f004b92a82a994141879870141742df948ec59c1f
113 lines
3.5 KiB
Bash
Executable File
113 lines
3.5 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
export LC_ALL=C
|
|
set -e -o pipefail
|
|
export TZ=UTC
|
|
|
|
# Although Guix _does_ set umask when building its own packages (in our case,
|
|
# this is all packages in manifest.scm), it does not set it for `guix
|
|
# environment`. It does make sense for at least `guix environment --container`
|
|
# to set umask, so if that change gets merged upstream and we bump the
|
|
# time-machine to a commit which includes the aforementioned change, we can
|
|
# remove this line.
|
|
#
|
|
# This line should be placed before any commands which creates files.
|
|
umask 0022
|
|
|
|
if [ -n "$V" ]; then
|
|
# Print both unexpanded (-v) and expanded (-x) forms of commands as they are
|
|
# read from this file.
|
|
set -vx
|
|
# Set VERBOSE for CMake-based builds
|
|
export VERBOSE="$V"
|
|
fi
|
|
|
|
# Check that required environment variables are set
|
|
cat << EOF
|
|
Required environment variables as seen inside the container:
|
|
UNSIGNED_TARBALL: ${UNSIGNED_TARBALL:?not set}
|
|
DETACHED_SIGS_REPO: ${DETACHED_SIGS_REPO:?not set}
|
|
DIST_ARCHIVE_BASE: ${DIST_ARCHIVE_BASE:?not set}
|
|
DISTNAME: ${DISTNAME:?not set}
|
|
HOST: ${HOST:?not set}
|
|
SOURCE_DATE_EPOCH: ${SOURCE_DATE_EPOCH:?not set}
|
|
DISTSRC: ${DISTSRC:?not set}
|
|
OUTDIR: ${OUTDIR:?not set}
|
|
EOF
|
|
|
|
ACTUAL_OUTDIR="${OUTDIR}"
|
|
OUTDIR="${DISTSRC}/output"
|
|
|
|
git_head_version() {
|
|
local recent_tag
|
|
if recent_tag="$(git -C "$1" describe --exact-match HEAD 2> /dev/null)"; then
|
|
echo "${recent_tag#v}"
|
|
else
|
|
git -C "$1" rev-parse --short=12 HEAD
|
|
fi
|
|
}
|
|
|
|
CODESIGNATURE_GIT_ARCHIVE="${DIST_ARCHIVE_BASE}/${DISTNAME}-codesignatures-$(git_head_version "$DETACHED_SIGS_REPO").tar.gz"
|
|
|
|
# Create the codesignature tarball if not already there
|
|
if [ ! -e "$CODESIGNATURE_GIT_ARCHIVE" ]; then
|
|
mkdir -p "$(dirname "$CODESIGNATURE_GIT_ARCHIVE")"
|
|
git -C "$DETACHED_SIGS_REPO" archive --output="$CODESIGNATURE_GIT_ARCHIVE" HEAD
|
|
fi
|
|
|
|
mkdir -p "$OUTDIR"
|
|
|
|
mkdir -p "$DISTSRC"
|
|
(
|
|
cd "$DISTSRC"
|
|
|
|
tar -xf "$UNSIGNED_TARBALL"
|
|
|
|
mkdir -p codesignatures
|
|
tar -C codesignatures -xf "$CODESIGNATURE_GIT_ARCHIVE"
|
|
|
|
case "$HOST" in
|
|
*mingw*)
|
|
find "$PWD" -name "*-unsigned.exe" | while read -r infile; do
|
|
infile_base="$(basename "$infile")"
|
|
|
|
# Codesigned *-unsigned.exe and output to OUTDIR
|
|
osslsigncode attach-signature \
|
|
-in "$infile" \
|
|
-out "${OUTDIR}/${infile_base/-unsigned}" \
|
|
-sigin codesignatures/win/"$infile_base".pem
|
|
done
|
|
;;
|
|
*darwin*)
|
|
# Apply detached codesignatures to dist/ (in-place)
|
|
signapple apply dist/Bitcoin-Qt.app codesignatures/osx/dist
|
|
|
|
# Make an uncompressed DMG from dist/
|
|
xorrisofs -D -l -V "$(< osx_volname)" -no-pad -r -dir-mode 0755 \
|
|
-o uncompressed.dmg \
|
|
dist \
|
|
-- -volume_date all_file_dates ="$SOURCE_DATE_EPOCH"
|
|
|
|
# Compress uncompressed.dmg and output to OUTDIR
|
|
./dmg dmg uncompressed.dmg "${OUTDIR}/${DISTNAME}-osx-signed.dmg"
|
|
;;
|
|
*)
|
|
exit 1
|
|
;;
|
|
esac
|
|
) # $DISTSRC
|
|
|
|
rm -rf "$ACTUAL_OUTDIR"
|
|
mv --no-target-directory "$OUTDIR" "$ACTUAL_OUTDIR" \
|
|
|| ( rm -rf "$ACTUAL_OUTDIR" && exit 1 )
|
|
|
|
(
|
|
cd /outdir-base
|
|
{
|
|
echo "$UNSIGNED_TARBALL"
|
|
echo "$CODESIGNATURE_GIT_ARCHIVE"
|
|
find "$ACTUAL_OUTDIR" -type f
|
|
} | xargs realpath --relative-base="$PWD" \
|
|
| xargs sha256sum \
|
|
| sponge "$ACTUAL_OUTDIR"/SHA256SUMS.part
|
|
)
|