mirror of
https://github.com/dashpay/dash.git
synced 2024-12-25 12:02:48 +01:00
f95b802504
d420e5c1c015f58d07aca4d6a805086488f74d03 guix-attest: Avoid incomplete sigdirs with ERR traps (Carl Dong) feda2c8e3180cb983c35976d4440cea23a155b7f guix: Skip attesting to dist-archive (Carl Dong) d522d8006b891eccd7901faf391f9c041ddf8e38 guix: Attest to inputs in inputs.SHA256SUMS (Carl Dong) f9e2960c018103be756a7f8a506816b49d662514 guix: Construct $OUTDIR in ${DISTSRC}/output (Carl Dong) 022abc85fc7e711a900fed8e5071919a151c0a63 guix: Minor quoting fix in libexec/build.sh (Carl Dong) c83c4fa5b78aef33bba36b3a0d273422297bd630 guix-attest: Allow skipping GPG signing with NO_SIGN (Carl Dong) 0e1c2e448c25568f276e4f022128870c76ca216b guix-attest: Use ascii-armor signatures (Carl Dong) b5fd89c4c89136007429688601ce4fa497f5f09e guix-attest: Only use cross-platform flags for find+xargs (Carl Dong) 5926432ba68ba154df6c8eaa74adb18cc0123167 guix: Add guix-verify script (Carl Dong) 30daf76a97c57a5f74c8dad1da282dcc0ff8b3fb guix: Add guix-attest script (Carl Dong) Pull request description: Adds replacements for `gsign` and `gverify`. Personally I'm not a big fan of using the word "sign" as it's been used to refer to both codesigning and GPG signing. ACKs for top commit: laanwj: Code review and tested ACK d420e5c1c015f58d07aca4d6a805086488f74d03 Tree-SHA512: 93d82d201f4596eaea0e3825aa55b013dfb91790e6ccee79893833d37921513d7b4e735f0641103e1e2ea8308abe4cb6218b73160924708802f2e0e3f7f6caf1
114 lines
3.1 KiB
Bash
Executable File
114 lines
3.1 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
export LC_ALL=C
|
|
set -e -o pipefail
|
|
|
|
# Source the common prelude, which:
|
|
# 1. Checks if we're at the top directory of the Bitcoin Core repository
|
|
# 2. Defines a few common functions and variables
|
|
#
|
|
# shellcheck source=libexec/prelude.bash
|
|
source "$(dirname "${BASH_SOURCE[0]}")/libexec/prelude.bash"
|
|
|
|
|
|
###################
|
|
## Sanity Checks ##
|
|
###################
|
|
|
|
################
|
|
# Required non-builtin commands should be invokable
|
|
################
|
|
|
|
check_tools cat diff gpg
|
|
|
|
################
|
|
# Required env vars should be non-empty
|
|
################
|
|
|
|
cmd_usage() {
|
|
cat <<EOF
|
|
Synopsis:
|
|
|
|
env GUIX_SIGS_REPO=<path/to/guix.sigs> ./contrib/guix/guix-verify
|
|
|
|
EOF
|
|
}
|
|
|
|
if [ -z "$GUIX_SIGS_REPO" ]; then
|
|
cmd_usage
|
|
exit 1
|
|
fi
|
|
|
|
################
|
|
# GUIX_SIGS_REPO should exist as a directory
|
|
################
|
|
|
|
if [ ! -d "$GUIX_SIGS_REPO" ]; then
|
|
cat << EOF
|
|
ERR: The specified GUIX_SIGS_REPO is not an existent directory:
|
|
|
|
'$GUIX_SIGS_REPO'
|
|
|
|
Hint: Please clone the guix.sigs repository and point to it with the
|
|
GUIX_SIGS_REPO environment variable.
|
|
|
|
EOF
|
|
cmd_usage
|
|
exit 1
|
|
fi
|
|
|
|
################
|
|
# We should be able to find at least one output
|
|
################
|
|
|
|
OUTSIGDIR_BASE="${GUIX_SIGS_REPO}/${VERSION}"
|
|
echo "Looking for output signature directories in '${OUTSIGDIR_BASE}'"
|
|
|
|
shopt -s nullglob
|
|
OUTSIGDIRS=( "$OUTSIGDIR_BASE"/* ) # This expands to an array of directories...
|
|
shopt -u nullglob
|
|
|
|
if (( ${#OUTSIGDIRS[@]} )); then
|
|
echo "Found output signature directories:"
|
|
for outsigdir in "${OUTSIGDIRS[@]}"; do
|
|
echo " '$outsigdir'"
|
|
done
|
|
echo
|
|
else
|
|
echo "ERR: Could not find any output signature directories in ${OUTSIGDIR_BASE}"
|
|
exit 1
|
|
fi
|
|
|
|
|
|
##############
|
|
## Verify ##
|
|
##############
|
|
|
|
# MAIN LOGIC: Loop through each output for VERSION and check that the SHA256SUMS
|
|
# and SHA256SUMS.asc file match between signers, using the first
|
|
# available signer as the arbitrary comparison base.
|
|
for outsigdir in "${OUTSIGDIRS[@]}"; do
|
|
echo "BEGIN: Checking output signatures for $(basename "$outsigdir")"
|
|
echo ""
|
|
signer_dirs=( "$outsigdir"/* ) # This expands to an array of directories...
|
|
compare_signer_dir="${signer_dirs[0]}" # ...we just want the first one
|
|
for current_signer_dir in "${signer_dirs[@]}"; do
|
|
if ! gpg --quiet --batch --verify "$current_signer_dir"/SHA256SUMS.asc "$current_signer_dir"/SHA256SUMS; then
|
|
echo "ERR: Failed to verify GPG signature in '${current_signer_dir}/SHA256SUMS.asc'"
|
|
echo ""
|
|
echo "Hint: Either the signature is invalid or the public key is missing"
|
|
echo ""
|
|
elif ! diff --report-identical "$compare_signer_dir"/SHA256SUMS "$current_signer_dir"/SHA256SUMS; then
|
|
echo "ERR: The SHA256SUMS attestation in these two directories differ:"
|
|
echo " '${compare_signer_dir}'"
|
|
echo " '${current_signer_dir}'"
|
|
echo ""
|
|
else
|
|
echo "Verified: '${current_signer_dir}'"
|
|
echo ""
|
|
fi
|
|
done
|
|
echo "DONE: Checking output signatures for $(basename "$outsigdir")"
|
|
echo ""
|
|
echo ""
|
|
done
|