mirror of
https://github.com/dashpay/dash.git
synced 2024-12-27 04:52:59 +01:00
fbc2a50388
9b313dfef18792fcc36e78ef3caa693fafcce04e guix: Ensure EPOCH_SOURCE_DATE does not include GPG information (Andrew Chow) 43225f0a2a517ccd79dc49279b979ffd2eca6b85 guix: Remove extra \r from all.SHA256SUMS line ending (Andrew Chow) d080c27066449f76bc8709fc50e422757971d2cf guix, doc: Add a note that codesigners need to rebuild after tagging (Andrew Chow) 4a466388a0092fbdf5f8969c6bfb65bf8cc962e1 guix: Allow changing the base manifest in guix-verify (Andrew Chow) 33455c76964b9e27b33e970d9722cc47657b291b guix: Make all.SHA256SUMS rather than codesigned.SHA256SUMS (Andrew Chow) Pull request description: `guix-verify` expects `all.SHA256SUMS` but `guix-attest` produces `codesigned.SHA256SUMS`. Since `all.SHA256SUMS` makes more sense (as the file contains all the sha256sums, not just the codesigned ones), `guix-attest` has been changed to output a file of that name. As a quality of life improvement, `guix-verify` can take `SIGNER` and use the signer's manifest as the base to compare against. This makes it easier to compare a single person's attestations with everyone else's and can make it more obvious when one builder is clearly mismatching with everyone else. Lastly `release-process.md` is updated with a note about a gotcha that can cause a mismatch in the codesigned attestation. ACKs for top commit: fanquake: ACK 9b313dfef18792fcc36e78ef3caa693fafcce04e Tree-SHA512: 0d60627def38288dbd3059ad1e72cad224f9205da11b1a561c082ef28250a074df5cc5f2797c91a7be027bc486a3fda3319c2e496a8724e5b539337236c6f990
175 lines
4.7 KiB
Bash
Executable File
175 lines
4.7 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
export LC_ALL=C
|
|
set -e -o pipefail
|
|
|
|
# Source the common prelude, which:
|
|
# 1. Checks if we're at the top directory of the Dash Core repository
|
|
# 2. Defines a few common functions and variables
|
|
#
|
|
# shellcheck source=libexec/prelude.bash
|
|
source "$(dirname "${BASH_SOURCE[0]}")/libexec/prelude.bash"
|
|
|
|
|
|
###################
|
|
## Sanity Checks ##
|
|
###################
|
|
|
|
################
|
|
# Required non-builtin commands should be invokable
|
|
################
|
|
|
|
check_tools cat diff gpg
|
|
|
|
################
|
|
# Required env vars should be non-empty
|
|
################
|
|
|
|
cmd_usage() {
|
|
cat <<EOF
|
|
Synopsis:
|
|
|
|
env GUIX_SIGS_REPO=<path/to/guix.sigs> [ SIGNER=<signer> ] ./contrib/guix/guix-verify
|
|
|
|
Example overriding signer's manifest to use as base
|
|
|
|
env GUIX_SIGS_REPO=/home/dongcarl/guix.sigs SIGNER=achow101 ./contrib/guix/guix-verify
|
|
|
|
EOF
|
|
}
|
|
|
|
if [ -z "$GUIX_SIGS_REPO" ]; then
|
|
cmd_usage
|
|
exit 1
|
|
fi
|
|
|
|
################
|
|
# GUIX_SIGS_REPO should exist as a directory
|
|
################
|
|
|
|
if [ ! -d "$GUIX_SIGS_REPO" ]; then
|
|
cat << EOF
|
|
ERR: The specified GUIX_SIGS_REPO is not an existent directory:
|
|
|
|
'$GUIX_SIGS_REPO'
|
|
|
|
Hint: Please clone the guix.sigs repository and point to it with the
|
|
GUIX_SIGS_REPO environment variable.
|
|
|
|
EOF
|
|
cmd_usage
|
|
exit 1
|
|
fi
|
|
|
|
##############
|
|
## Verify ##
|
|
##############
|
|
|
|
OUTSIGDIR_BASE="${GUIX_SIGS_REPO}/${VERSION}"
|
|
echo "Looking for signature directories in '${OUTSIGDIR_BASE}'"
|
|
echo ""
|
|
|
|
# Usage: verify compare_manifest current_manifest
|
|
verify() {
|
|
local compare_manifest="$1"
|
|
local current_manifest="$2"
|
|
if ! gpg --quiet --batch --verify "$current_manifest".asc "$current_manifest" 1>&2; then
|
|
echo "ERR: Failed to verify GPG signature in '${current_manifest}'"
|
|
echo ""
|
|
echo "Hint: Either the signature is invalid or the public key is missing"
|
|
echo ""
|
|
failure=1
|
|
elif ! diff --report-identical "$compare_manifest" "$current_manifest" 1>&2; then
|
|
echo "ERR: The SHA256SUMS attestation in these two directories differ:"
|
|
echo " '${compare_manifest}'"
|
|
echo " '${current_manifest}'"
|
|
echo ""
|
|
failure=1
|
|
else
|
|
echo "Verified: '${current_manifest}'"
|
|
echo ""
|
|
fi
|
|
}
|
|
|
|
shopt -s nullglob
|
|
all_noncodesigned=( "$OUTSIGDIR_BASE"/*/noncodesigned.SHA256SUMS )
|
|
shopt -u nullglob
|
|
|
|
echo "--------------------"
|
|
echo ""
|
|
if (( ${#all_noncodesigned[@]} )); then
|
|
compare_noncodesigned="${all_noncodesigned[0]}"
|
|
if [[ -n "$SIGNER" ]]; then
|
|
signer_noncodesigned="$OUTSIGDIR_BASE/$SIGNER/noncodesigned.SHA256SUMS"
|
|
if [[ -f "$signer_noncodesigned" ]]; then
|
|
echo "Using $SIGNER's manifest as the base to compare against"
|
|
compare_noncodesigned="$signer_noncodesigned"
|
|
else
|
|
echo "Unable to find $SIGNER's manifest, using the first one found"
|
|
fi
|
|
else
|
|
echo "No SIGNER provided, using the first manifest found"
|
|
fi
|
|
|
|
for current_manifest in "${all_noncodesigned[@]}"; do
|
|
verify "$compare_noncodesigned" "$current_manifest"
|
|
done
|
|
|
|
echo "DONE: Checking output signatures for noncodesigned.SHA256SUMS"
|
|
echo ""
|
|
else
|
|
echo "WARN: No signature directories with noncodesigned.SHA256SUMS found"
|
|
echo ""
|
|
fi
|
|
|
|
shopt -s nullglob
|
|
all_all=( "$OUTSIGDIR_BASE"/*/all.SHA256SUMS )
|
|
shopt -u nullglob
|
|
|
|
echo "--------------------"
|
|
echo ""
|
|
if (( ${#all_all[@]} )); then
|
|
compare_all="${all_all[0]}"
|
|
if [[ -n "$SIGNER" ]]; then
|
|
signer_all="$OUTSIGDIR_BASE/$SIGNER/all.SHA256SUMS"
|
|
if [[ -f "$signer_all" ]]; then
|
|
echo "Using $SIGNER's manifest as the base to compare against"
|
|
compare_all="$signer_all"
|
|
else
|
|
echo "Unable to find $SIGNER's manifest, using the first one found"
|
|
fi
|
|
else
|
|
echo "No SIGNER provided, using the first manifest found"
|
|
fi
|
|
|
|
for current_manifest in "${all_all[@]}"; do
|
|
verify "$compare_all" "$current_manifest"
|
|
done
|
|
|
|
# Sanity check: there should be no entries that exist in
|
|
# noncodesigned.SHA256SUMS that doesn't exist in all.SHA256SUMS
|
|
if [[ "$(comm -23 <(sort "$compare_noncodesigned") <(sort "$compare_all") | wc -c)" -ne 0 ]]; then
|
|
echo "ERR: There are unique lines in noncodesigned.SHA256SUMS which"
|
|
echo " do not exist in all.SHA256SUMS, something went very wrong."
|
|
exit 1
|
|
fi
|
|
|
|
echo "DONE: Checking output signatures for all.SHA256SUMS"
|
|
echo ""
|
|
else
|
|
echo "WARN: No signature directories with all.SHA256SUMS found"
|
|
echo ""
|
|
fi
|
|
|
|
echo "===================="
|
|
echo ""
|
|
if (( ${#all_noncodesigned[@]} + ${#all_all[@]} == 0 )); then
|
|
echo "ERR: Unable to perform any verifications as no signature directories"
|
|
echo " were found"
|
|
echo ""
|
|
exit 1
|
|
fi
|
|
|
|
if [ -n "$failure" ]; then
|
|
exit 1
|
|
fi
|