From e2c40a4ed5272d72fea997bd936fba28bb753226 Mon Sep 17 00:00:00 2001
From: Carl Dong
Date: Mon, 14 Jun 2021 17:00:26 -0400
Subject: [PATCH] guix-attest: Error out if SHA256SUMS is unexpected

---
 contrib/guix/guix-attest | 98 ++++++++++++++++++++++++++++------------
 1 file changed, 69 insertions(+), 29 deletions(-)

diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest
index 7757d4bd28b..c8cf73d4001 100755
--- a/contrib/guix/guix-attest
+++ b/contrib/guix/guix-attest
@@ -102,15 +102,15 @@ fi
 echo "Looking for build output SHA256SUMS fragments in ${OUTDIR_BASE}"
 shopt -s nullglob
-OUTDIRS=( "$OUTDIR_BASE"/*/SHA256SUMS.part ) # This expands to an array of directories...
+sha256sum_fragments=( "$OUTDIR_BASE"/*/SHA256SUMS.part ) # This expands to an array of directories...
 shopt -u nullglob
 noncodesigned_fragments=()
 codesigned_fragments=()
-if (( ${#OUTDIRS[@]} )); then
+if (( ${#sha256sum_fragments[@]} )); then
 echo "Found build output SHA256SUMS fragments:"
-for outdir in "${OUTDIRS[@]}"; do
+for outdir in "${sha256sum_fragments[@]}"; do
 echo "  '$outdir'"
 case "$outdir" in
 "$OUTDIR_BASE"/*-codesigned/SHA256SUMS.part)
@@ -139,6 +139,26 @@ out_name() { basename "$(dirname "$1")" } +shasum_already_exists() { +cat < noncodesigned.SHA256SUMS - else - echo "no noncodesigned outputs found" - fi - - if [ -e noncodesigned.SHA256SUMS ]; then - # noncodesigned.SHA256SUMS already exists, or was produced, let's sanity - # check it. - ( cd "$OUTDIR_BASE"; sha256sum -c "$outsigdir"/noncodesigned.SHA256SUMS ) - - # Now produce all.SHA256SUMS manifest - if [ -e "all.SHA256SUMS" ]; then - echo "all.SHA256SUMS already there!" - elif (( ${#codesigned_fragments[@]} )); then - cat "${OUTDIRS[@]}" \ - | sort -u \ - | sort -k2 \ - > all.SHA256SUMS + > "$temp_noncodesigned" + if [ -e noncodesigned.SHA256SUMS ]; then + # The SHA256SUMS already exists, make sure it's exactly what we + # expect, error out if not + if diff -u noncodesigned.SHA256SUMS "$temp_noncodesigned"; then + echo "A noncodesigned.SHA256SUMS file already exists for '${VERSION}' and is up-to-date." + else + shasum_already_exists noncodesigned.SHA256SUMS + exit 1 + fi else - echo "no codesigned outputs found" - fi - - if [ -e all.SHA256SUMS ]; then - ( cd "$OUTDIR_BASE"; sha256sum -c "$outsigdir"/all.SHA256SUMS ) + mv "$temp_noncodesigned" noncodesigned.SHA256SUMS fi + else + echo "ERR: No noncodesigned outputs found for '${VERSION}', exiting..." + exit 1 fi + temp_codesigned="$(mktemp)" + trap 'rm -rf -- "$temp_codesigned"' EXIT + + if (( ${#codesigned_fragments[@]} )); then + # Note: all.SHA256SUMS attests to all of $sha256sum_fragments, but is + # not needed if there are no $codesigned_fragments + cat "${sha256sum_fragments[@]}" \ + | sort -u \ + | sort -k2 \ + > "$temp_codesigned" + if [ -e codesigned.SHA256SUMS ]; then + # The SHA256SUMS already exists, make sure it's exactly what we + # expect, error out if not + if diff -u all.SHA256SUMS "$temp_codesigned"; then + echo "An all.SHA256SUMS file already exists for '${VERSION}' and is up-to-date." 
+ else + shasum_already_exists all.SHA256SUMS + exit 1 + fi + else + mv "$temp_codesigned" codesigned.SHA256SUMS + fi + else + # It is fine to have the codesigned outputs be missing (perhaps the + # detached codesigs have not been published yet), just print a log + # message instead of erroring out + echo "INFO: No codesigned outputs found for '${VERSION}', skipping..." + fi if [ -z "$NO_SIGN" ]; then echo "Signing SHA256SUMS to produce SHA256SUMS.asc"
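Review bot: The codesigned branch mixes two manifest names: it tests for `codesigned.SHA256SUMS`, compares against `all.SHA256SUMS`, reports `shasum_already_exists all.SHA256SUMS`, and otherwise writes the temp file to `codesigned.SHA256SUMS`, so an existing `all.SHA256SUMS` is never checked and, when `codesigned.SHA256SUMS` does exist, `diff` runs against a file that may be absent and the script exits with a misleading message. The comment above the block says this manifest attests to all fragments as `all.SHA256SUMS`, so the three lines should read `if [ -e all.SHA256SUMS ]; then`, `if diff -u all.SHA256SUMS "$temp_codesigned"; then` and `mv "$temp_codesigned" all.SHA256SUMS`, with the variable and message renamed to match. The added `trap 'rm -rf -- "$temp_codesigned"' EXIT` replaces any earlier EXIT trap, so if `$temp_noncodesigned` was registered the same way (its creation is not visible in this hunk) it will no longer be removed on an error exit; one trap covering both, `trap 'rm -f -- "$temp_noncodesigned" "$temp_codesigned"' EXIT`, avoids that. The removed `sha256sum -c` passes were the only step verifying that a pre-existing manifest still matches the build outputs before it is signed, so it is worth confirming that dropping them is intended rather than a side effect of the restructuring. These hunks appear to have been run together by extraction (the heredoc body of `shasum_already_exists` is missing) and the enclosing block continues past the end of the shown text.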