dash/contrib/guix/guix-verify
W. J. van der Laan f95b802504 Merge bitcoin/bitcoin#21462: guix: Add guix-{attest,verify} scripts
d420e5c1c015f58d07aca4d6a805086488f74d03 guix-attest: Avoid incomplete sigdirs with ERR traps (Carl Dong)
feda2c8e3180cb983c35976d4440cea23a155b7f guix: Skip attesting to dist-archive (Carl Dong)
d522d8006b891eccd7901faf391f9c041ddf8e38 guix: Attest to inputs in inputs.SHA256SUMS (Carl Dong)
f9e2960c018103be756a7f8a506816b49d662514 guix: Construct $OUTDIR in ${DISTSRC}/output (Carl Dong)
022abc85fc7e711a900fed8e5071919a151c0a63 guix: Minor quoting fix in libexec/build.sh (Carl Dong)
c83c4fa5b78aef33bba36b3a0d273422297bd630 guix-attest: Allow skipping GPG signing with NO_SIGN (Carl Dong)
0e1c2e448c25568f276e4f022128870c76ca216b guix-attest: Use ascii-armor signatures (Carl Dong)
b5fd89c4c89136007429688601ce4fa497f5f09e guix-attest: Only use cross-platform flags for find+xargs (Carl Dong)
5926432ba68ba154df6c8eaa74adb18cc0123167 guix: Add guix-verify script (Carl Dong)
30daf76a97c57a5f74c8dad1da282dcc0ff8b3fb guix: Add guix-attest script (Carl Dong)

Pull request description:

  Adds replacements for `gsign` and `gverify`.

  Personally I'm not a big fan of using the word "sign" as it's been used to refer to both codesigning and GPG signing.

ACKs for top commit:
  laanwj:
    Code review and tested ACK d420e5c1c015f58d07aca4d6a805086488f74d03

Tree-SHA512: 93d82d201f4596eaea0e3825aa55b013dfb91790e6ccee79893833d37921513d7b4e735f0641103e1e2ea8308abe4cb6218b73160924708802f2e0e3f7f6caf1
2023-03-26 16:50:26 -05:00


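#!/usr/bin/env bash
# guix-verify: for every output of VERSION found in the guix.sigs repository,
# check that each signer's SHA256SUMS carries a valid detached GPG signature
# (SHA256SUMS.asc) and that all signers' SHA256SUMS files agree.
#
# Usage: env GUIX_SIGS_REPO=<path/to/guix.sigs> ./contrib/guix/guix-verify
export LC_ALL=C   # C locale: byte-oriented, locale-independent tool output
set -e -o pipefail
# Source the common prelude, which:
# 1. Checks if we're at the top directory of the Bitcoin Core repository
# 2. Defines a few common functions and variables
#
# shellcheck source=libexec/prelude.bash
source "$(dirname "${BASH_SOURCE[0]}")/libexec/prelude.bash"

###################
## Sanity Checks ##
###################

################
# Required non-builtin commands should be invokable
################
# basename is invoked later when reporting per-output progress, so it is
# checked up front with the other external tools instead of failing mid-run.
check_tools basename cat diff gpg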
################
# Required env vars should be non-empty
################
#######################################
# Print the synopsis for this script.
# Globals:   none
# Arguments: none
# Outputs:   two-line usage text on stdout
# Returns:   0
#######################################
cmd_usage() {
    printf '%s\n' \
        'Synopsis:' \
        'env GUIX_SIGS_REPO=<path/to/guix.sigs> ./contrib/guix/guix-verify'
}
# GUIX_SIGS_REPO is the only required input; without it there is nothing to
# verify, so print the usage text and stop.
[[ -n "${GUIX_SIGS_REPO}" ]] || { cmd_usage; exit 1; }
################
# GUIX_SIGS_REPO should exist as a directory
################
# GUIX_SIGS_REPO must name an existing directory (a clone of guix.sigs);
# anything else is reported together with the usage text.
if ! [[ -d "${GUIX_SIGS_REPO}" ]]; then
    printf '%s\n' \
        "ERR: The specified GUIX_SIGS_REPO is not an existent directory:" \
        "'${GUIX_SIGS_REPO}'" \
        "Hint: Please clone the guix.sigs repository and point to it with the" \
        "GUIX_SIGS_REPO environment variable."
    cmd_usage
    exit 1
fi
################
# We should be able to find at least one output
################
# Each output of VERSION has its own directory below ${GUIX_SIGS_REPO}/${VERSION}.
# NOTE(review): VERSION is not defined in this file; presumably it comes from
# the sourced prelude — confirm.
OUTSIGDIR_BASE="${GUIX_SIGS_REPO}/${VERSION}"
printf "Looking for output signature directories in '%s'\n" "$OUTSIGDIR_BASE"

# With nullglob an unmatched pattern expands to nothing, so an empty or
# missing directory yields an empty array rather than the literal "<base>/*".
shopt -s nullglob
OUTSIGDIRS=( "$OUTSIGDIR_BASE"/* )
shopt -u nullglob

if (( ${#OUTSIGDIRS[@]} == 0 )); then
    printf 'ERR: Could not find any output signature directories in %s\n' "$OUTSIGDIR_BASE"
    exit 1
fi

printf 'Found output signature directories:\n'
for outsigdir in "${OUTSIGDIRS[@]}"; do
    printf " '%s'\n" "$outsigdir"
done
printf '\n'
##############
## Verify ##
##############
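# MAIN LOGIC: Loop through each output for VERSION and check that the SHA256SUMS
#             and SHA256SUMS.asc file match between signers, using the first
#             available signer as the arbitrary comparison base.
#
# Every failure is printed AND remembered: the script exits non-zero at the end
# if any signer of any output failed, so a caller (CI, a wrapper script) cannot
# mistake a printed "ERR:" line for a successful verification.

#######################################
# Verify all signer directories found under one output directory.
#
# Each signer directory is expected to hold SHA256SUMS plus a detached,
# ascii-armored signature SHA256SUMS.asc. The signature is checked with gpg,
# then SHA256SUMS is compared byte-for-byte against the first signer's copy.
#
# Arguments:
#   $1 - output signature directory (e.g. "${OUTSIGDIR_BASE}/<output>")
# Outputs:
#   progress and diagnostics on stdout; gpg/diff messages go wherever those
#   tools send them
# Returns:
#   0 if every signer directory verified and matched, 1 otherwise
#######################################
verify_outsigdir() {
    local outsigdir="$1"
    local -a signer_dirs
    local compare_signer_dir current_signer_dir
    local failed=0

    echo "BEGIN: Checking output signatures for $(basename "$outsigdir")"
    echo ""

    # nullglob: an empty output directory gives an empty array instead of the
    # literal pattern "<outsigdir>/*", which would otherwise be handed to gpg
    # as if it were a signer directory.
    shopt -s nullglob
    signer_dirs=( "$outsigdir"/* )
    shopt -u nullglob
    if (( ${#signer_dirs[@]} == 0 )); then
        echo "ERR: No signer directories found in '${outsigdir}'"
        echo ""
        echo "DONE: Checking output signatures for $(basename "$outsigdir")"
        echo ""
        echo ""
        return 1
    fi
    compare_signer_dir="${signer_dirs[0]}" # ...we just want the first one

    for current_signer_dir in "${signer_dirs[@]}"; do
        # NOTE(review): gpg --verify only establishes that *some* key in the
        # local keyring produced the signature; it does not tie that key to
        # the signer named by the directory, nor consult its trust level.
        # Confirm whether that mapping should be enforced here.
        if ! gpg --quiet --batch --verify "$current_signer_dir"/SHA256SUMS.asc "$current_signer_dir"/SHA256SUMS; then
            echo "ERR: Failed to verify GPG signature in '${current_signer_dir}/SHA256SUMS.asc'"
            echo ""
            echo "Hint: Either the signature is invalid or the public key is missing"
            echo ""
            failed=1
        elif ! diff --report-identical "$compare_signer_dir"/SHA256SUMS "$current_signer_dir"/SHA256SUMS; then
            echo "ERR: The SHA256SUMS attestation in these two directories differ:"
            echo " '${compare_signer_dir}'"
            echo " '${current_signer_dir}'"
            echo ""
            failed=1
        else
            echo "Verified: '${current_signer_dir}'"
            echo ""
        fi
    done

    echo "DONE: Checking output signatures for $(basename "$outsigdir")"
    echo ""
    echo ""
    return "$failed"
}

verify_failed=0
for outsigdir in "${OUTSIGDIRS[@]}"; do
    # Keep going after a failure so every problem is reported in one run.
    verify_outsigdir "$outsigdir" || verify_failed=1
done

if (( verify_failed )); then
    echo "ERR: At least one output signature directory for ${VERSION} failed verification (see above)"
    exit 1
fi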