guix-attest: Produce and sign normalized documents

That way we can easily combine the document and detached signature to produce cleartext signature files for upload during the release process. See subsequent commits which modify doc/release-process.md for more details.
2025-02-02 09:46:52 -05:00 · 2021-07-02 19:42:22 -04:00 · 2021-07-02 19:42:22 -04:00 · fcab35b229
commit fcab35b229
parent c2541fd0ca
1 changed files with 20 additions and 2 deletions
--- a/contrib/guix/guix-attest
+++ b/contrib/guix/guix-attest
@ -159,6 +159,20 @@ Hint: You may wish to remove the existing attestations and their signatures by
 EOF
 }

+# Given a document with unix line endings (just <LF>) in stdin, make all lines
+# end in <CR><LF> and make sure there's no trailing <LF> at the end of the file.
+#
+# This is necessary as cleartext signatures are calculated on text after their
+# line endings are canonicalized.
+#
+# For more information:
+#     1. https://security.stackexchange.com/a/104261
+#     2. https://datatracker.ietf.org/doc/html/rfc4880#section-7.1
+#
+rfc4880_normalize_document() {
+    sed 's/$/\r/' | head -c -2
+}
+
 echo "Attesting to build outputs for version: '${VERSION}'"
 echo ""

@ -174,7 +188,8 @@ mkdir -p "$outsigdir"
        cat "${noncodesigned_fragments[@]}" \
            | sort -u \
            | sort -k2 \
-                   > "$temp_noncodesigned"
+            | rfc4880_normalize_document \
+                > "$temp_noncodesigned"
        if [ -e noncodesigned.SHA256SUMS ]; then
            # The SHA256SUMS already exists, make sure it's exactly what we
            # expect, error out if not
@ -201,7 +216,9 @@ mkdir -p "$outsigdir"
        cat "${sha256sum_fragments[@]}" \
            | sort -u \
            | sort -k2 \
-                   > "$temp_codesigned"
+            | sed 's/$/\r/' \
+            | rfc4880_normalize_document \
+                > "$temp_codesigned"
        if [ -e codesigned.SHA256SUMS ]; then
            # The SHA256SUMS already exists, make sure it's exactly what we
            # expect, error out if not
@ -226,6 +243,7 @@ mkdir -p "$outsigdir"
        for i in *.SHA256SUMS; do
            if [ ! -e "$i".asc ]; then
                gpg --detach-sign \
+                    --digest-algo sha256 \
                    --local-user "$gpg_key_name" \
                    --armor \
                    --output "$i".asc "$i"