guix-attest: Error out if SHA256SUMS is unexpected

2025-03-05 14:06:27 -05:00 · 2021-06-14 17:00:26 -04:00 · 2021-06-14 17:00:26 -04:00 · e2c40a4ed5
commit e2c40a4ed5
parent 4cc35daed5
1 changed files with 69 additions and 29 deletions
--- a/contrib/guix/guix-attest
+++ b/contrib/guix/guix-attest
@ -102,15 +102,15 @@ fi
 echo "Looking for build output SHA256SUMS fragments in ${OUTDIR_BASE}"

 shopt -s nullglob
-OUTDIRS=( "$OUTDIR_BASE"/*/SHA256SUMS.part ) # This expands to an array of directories...
+sha256sum_fragments=( "$OUTDIR_BASE"/*/SHA256SUMS.part ) # This expands to an array of directories...
 shopt -u nullglob

 noncodesigned_fragments=()
 codesigned_fragments=()

-if (( ${#OUTDIRS[@]} )); then
+if (( ${#sha256sum_fragments[@]} )); then
    echo "Found build output SHA256SUMS fragments:"
-    for outdir in "${OUTDIRS[@]}"; do
+    for outdir in "${sha256sum_fragments[@]}"; do
        echo "    '$outdir'"
        case "$outdir" in
            "$OUTDIR_BASE"/*-codesigned/SHA256SUMS.part)
@ -139,6 +139,26 @@ out_name() {
    basename "$(dirname "$1")"
 }

+shasum_already_exists() {
+cat <<EOF
+--
+
+ERR: An ${1} file already exists for '${VERSION}' and attests
+     differently. You likely previously attested to a partial build (e.g. one
+     where you specified the HOST environment variable).
+
+     See the diff above for more context.
+
+Hint: You may wish to remove the existing attestations and their signatures by
+      invoking:
+
+          rm '${PWD}/${1}'{,.asc}
+
+      Then try running this script again.
+
+EOF
+}
+
 echo "Attesting to build outputs for version: '${VERSION}'"
 echo ""

@ -147,39 +167,59 @@ mkdir -p "$outsigdir"
 (
    cd "$outsigdir"

-    if [ -e "noncodesigned.SHA256SUMS" ]; then
-        echo "noncodesigned.SHA256SUMS already exists, using..."
-    elif (( ${#noncodesigned_fragments[@]} )); then
+    temp_noncodesigned="$(mktemp)"
+    trap 'rm -rf -- "$temp_noncodesigned"' EXIT
+
+    if (( ${#noncodesigned_fragments[@]} )); then
        cat "${noncodesigned_fragments[@]}" \
            | sort -u \
            | sort -k2 \
-                   > noncodesigned.SHA256SUMS
-    else
-        echo "no noncodesigned outputs found"
-    fi
-
-    if [ -e noncodesigned.SHA256SUMS ]; then
-        # noncodesigned.SHA256SUMS already exists, or was produced, let's sanity
-        # check it.
-        ( cd "$OUTDIR_BASE"; sha256sum -c "$outsigdir"/noncodesigned.SHA256SUMS )
-
-        # Now produce all.SHA256SUMS manifest
-        if [ -e "all.SHA256SUMS" ]; then
-            echo "all.SHA256SUMS already there!"
-        elif (( ${#codesigned_fragments[@]} )); then
-            cat "${OUTDIRS[@]}" \
-                | sort -u \
-                | sort -k2 \
-                       > all.SHA256SUMS
+                   > "$temp_noncodesigned"
+        if [ -e noncodesigned.SHA256SUMS ]; then
+            # The SHA256SUMS already exists, make sure it's exactly what we
+            # expect, error out if not
+            if diff -u noncodesigned.SHA256SUMS "$temp_noncodesigned"; then
+                echo "A noncodesigned.SHA256SUMS file already exists for '${VERSION}' and is up-to-date."
+            else
+                shasum_already_exists noncodesigned.SHA256SUMS
+                exit 1
+            fi
        else
-            echo "no codesigned outputs found"
-        fi
-
-        if [ -e all.SHA256SUMS ]; then
-            ( cd "$OUTDIR_BASE"; sha256sum -c "$outsigdir"/all.SHA256SUMS )
+            mv "$temp_noncodesigned" noncodesigned.SHA256SUMS
        fi
+    else
+        echo "ERR: No noncodesigned outputs found for '${VERSION}', exiting..."
+        exit 1
    fi

+    temp_codesigned="$(mktemp)"
+    trap 'rm -rf -- "$temp_codesigned"' EXIT
+
+    if (( ${#codesigned_fragments[@]} )); then
+        # Note: all.SHA256SUMS attests to all of $sha256sum_fragments, but is
+        #       not needed if there are no $codesigned_fragments
+        cat "${sha256sum_fragments[@]}" \
+            | sort -u \
+            | sort -k2 \
+                   > "$temp_codesigned"
+        if [ -e codesigned.SHA256SUMS ]; then
+            # The SHA256SUMS already exists, make sure it's exactly what we
+            # expect, error out if not
+            if diff -u all.SHA256SUMS "$temp_codesigned"; then
+                echo "An all.SHA256SUMS file already exists for '${VERSION}' and is up-to-date."
+            else
+                shasum_already_exists all.SHA256SUMS
+                exit 1
+            fi
+        else
+            mv "$temp_codesigned" codesigned.SHA256SUMS
+        fi
+    else
+        # It is fine to have the codesigned outputs be missing (perhaps the
+        # detached codesigs have not been published yet), just print a log
+        # message instead of erroring out
+        echo "INFO: No codesigned outputs found for '${VERSION}', skipping..."
+    fi

    if [ -z "$NO_SIGN" ]; then
        echo "Signing SHA256SUMS to produce SHA256SUMS.asc"