mirror of
https://github.com/bitcoin/bitcoin.git
synced 2025-03-05 14:06:27 -05:00
guix-attest: Error out if SHA256SUMS is unexpected
This commit is contained in:
Carl Dong
parent
4cc35daed5
commit
e2c40a4ed5
1 changed files with 69 additions and 29 deletions
|
|
@ -102,15 +102,15 @@ fi
|
||||||
echo "Looking for build output SHA256SUMS fragments in ${OUTDIR_BASE}"
|
echo "Looking for build output SHA256SUMS fragments in ${OUTDIR_BASE}"
|
||||||
|
|
||||||
shopt -s nullglob
|
shopt -s nullglob
|
||||||
OUTDIRS=( "$OUTDIR_BASE"/*/SHA256SUMS.part ) # This expands to an array of directories...
|
sha256sum_fragments=( "$OUTDIR_BASE"/*/SHA256SUMS.part ) # This expands to an array of directories...
|
||||||
shopt -u nullglob
|
shopt -u nullglob
|
||||||
|
|
||||||
noncodesigned_fragments=()
|
noncodesigned_fragments=()
|
||||||
codesigned_fragments=()
|
codesigned_fragments=()
|
||||||
|
|
||||||
if (( ${#OUTDIRS[@]} )); then
|
if (( ${#sha256sum_fragments[@]} )); then
|
||||||
echo "Found build output SHA256SUMS fragments:"
|
echo "Found build output SHA256SUMS fragments:"
|
||||||
for outdir in "${OUTDIRS[@]}"; do
|
for outdir in "${sha256sum_fragments[@]}"; do
|
||||||
echo " '$outdir'"
|
echo " '$outdir'"
|
||||||
case "$outdir" in
|
case "$outdir" in
|
||||||
"$OUTDIR_BASE"/*-codesigned/SHA256SUMS.part)
|
"$OUTDIR_BASE"/*-codesigned/SHA256SUMS.part)
|
||||||
|
|
@ -139,6 +139,26 @@ out_name() {
|
||||||
basename "$(dirname "$1")"
|
basename "$(dirname "$1")"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
shasum_already_exists() {
|
||||||
|
cat <<EOF
|
||||||
|
--
|
||||||
|
|
||||||
|
ERR: An ${1} file already exists for '${VERSION}' and attests
|
||||||
|
differently. You likely previously attested to a partial build (e.g. one
|
||||||
|
where you specified the HOST environment variable).
|
||||||
|
|
||||||
|
See the diff above for more context.
|
||||||
|
|
||||||
|
Hint: You may wish to remove the existing attestations and their signatures by
|
||||||
|
invoking:
|
||||||
|
|
||||||
|
rm '${PWD}/${1}'{,.asc}
|
||||||
|
|
||||||
|
Then try running this script again.
|
||||||
|
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
echo "Attesting to build outputs for version: '${VERSION}'"
|
echo "Attesting to build outputs for version: '${VERSION}'"
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
|
|
@ -147,39 +167,59 @@ mkdir -p "$outsigdir"
|
||||||
(
|
(
|
||||||
cd "$outsigdir"
|
cd "$outsigdir"
|
||||||
|
|
||||||
if [ -e "noncodesigned.SHA256SUMS" ]; then
|
temp_noncodesigned="$(mktemp)"
|
||||||
echo "noncodesigned.SHA256SUMS already exists, using..."
|
trap 'rm -rf -- "$temp_noncodesigned"' EXIT
|
||||||
elif (( ${#noncodesigned_fragments[@]} )); then
|
|
||||||
|
if (( ${#noncodesigned_fragments[@]} )); then
|
||||||
cat "${noncodesigned_fragments[@]}" \
|
cat "${noncodesigned_fragments[@]}" \
|
||||||
| sort -u \
|
| sort -u \
|
||||||
| sort -k2 \
|
| sort -k2 \
|
||||||
> noncodesigned.SHA256SUMS
|
> "$temp_noncodesigned"
|
||||||
else
|
if [ -e noncodesigned.SHA256SUMS ]; then
|
||||||
echo "no noncodesigned outputs found"
|
# The SHA256SUMS already exists, make sure it's exactly what we
|
||||||
fi
|
# expect, error out if not
|
||||||
|
if diff -u noncodesigned.SHA256SUMS "$temp_noncodesigned"; then
|
||||||
if [ -e noncodesigned.SHA256SUMS ]; then
|
echo "A noncodesigned.SHA256SUMS file already exists for '${VERSION}' and is up-to-date."
|
||||||
# noncodesigned.SHA256SUMS already exists, or was produced, let's sanity
|
else
|
||||||
# check it.
|
shasum_already_exists noncodesigned.SHA256SUMS
|
||||||
( cd "$OUTDIR_BASE"; sha256sum -c "$outsigdir"/noncodesigned.SHA256SUMS )
|
exit 1
|
||||||
|
fi
|
||||||
# Now produce all.SHA256SUMS manifest
|
|
||||||
if [ -e "all.SHA256SUMS" ]; then
|
|
||||||
echo "all.SHA256SUMS already there!"
|
|
||||||
elif (( ${#codesigned_fragments[@]} )); then
|
|
||||||
cat "${OUTDIRS[@]}" \
|
|
||||||
| sort -u \
|
|
||||||
| sort -k2 \
|
|
||||||
> all.SHA256SUMS
|
|
||||||
else
|
else
|
||||||
echo "no codesigned outputs found"
|
mv "$temp_noncodesigned" noncodesigned.SHA256SUMS
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -e all.SHA256SUMS ]; then
|
|
||||||
( cd "$OUTDIR_BASE"; sha256sum -c "$outsigdir"/all.SHA256SUMS )
|
|
||||||
fi
|
fi
|
||||||
|
else
|
||||||
|
echo "ERR: No noncodesigned outputs found for '${VERSION}', exiting..."
|
||||||
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
temp_codesigned="$(mktemp)"
|
||||||
|
trap 'rm -rf -- "$temp_codesigned"' EXIT
|
||||||
|
|
||||||
|
if (( ${#codesigned_fragments[@]} )); then
|
||||||
|
# Note: all.SHA256SUMS attests to all of $sha256sum_fragments, but is
|
||||||
|
# not needed if there are no $codesigned_fragments
|
||||||
|
cat "${sha256sum_fragments[@]}" \
|
||||||
|
| sort -u \
|
||||||
|
| sort -k2 \
|
||||||
|
> "$temp_codesigned"
|
||||||
|
if [ -e codesigned.SHA256SUMS ]; then
|
||||||
|
# The SHA256SUMS already exists, make sure it's exactly what we
|
||||||
|
# expect, error out if not
|
||||||
|
if diff -u all.SHA256SUMS "$temp_codesigned"; then
|
||||||
|
echo "An all.SHA256SUMS file already exists for '${VERSION}' and is up-to-date."
|
||||||
|
else
|
||||||
|
shasum_already_exists all.SHA256SUMS
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
mv "$temp_codesigned" codesigned.SHA256SUMS
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
# It is fine to have the codesigned outputs be missing (perhaps the
|
||||||
|
# detached codesigs have not been published yet), just print a log
|
||||||
|
# message instead of erroring out
|
||||||
|
echo "INFO: No codesigned outputs found for '${VERSION}', skipping..."
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -z "$NO_SIGN" ]; then
|
if [ -z "$NO_SIGN" ]; then
|
||||||
echo "Signing SHA256SUMS to produce SHA256SUMS.asc"
|
echo "Signing SHA256SUMS to produce SHA256SUMS.asc"
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue