diff options
| author | Carl Dong <contact@carldong.me> | 2021-07-02 19:42:22 -0400 |
|---|---|---|
| committer | Carl Dong <contact@carldong.me> | 2021-07-19 18:24:36 -0400 |
| commit | fcab35b2292f9221eaba521740e8b3b2511a8b78 (patch) | |
| tree | b6691ce087ce686b8c1a74548b0878cf165616af | |
| parent | c2541fd0ca99481a5a792a8f2772925d64fb0491 (diff) | |
guix-attest: Produce and sign normalized documents
That way we can easily combine the document and detached signature to
produce cleartext signature files for upload during the release process.
See subsequent commits which modify doc/release-process.md for more
details.
| -rwxr-xr-x | contrib/guix/guix-attest | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest index e396d3e98e..51d589c1de 100755 --- a/contrib/guix/guix-attest +++ b/contrib/guix/guix-attest @@ -159,6 +159,20 @@ Hint: You may wish to remove the existing attestations and their signatures by EOF } +# Given a document with unix line endings (just <LF>) in stdin, make all lines +# end in <CR><LF> and make sure there's no trailing <LF> at the end of the file. +# +# This is necessary as cleartext signatures are calculated on text after their +# line endings are canonicalized. +# +# For more information: +# 1. https://security.stackexchange.com/a/104261 +# 2. https://datatracker.ietf.org/doc/html/rfc4880#section-7.1 +# +rfc4880_normalize_document() { + sed 's/$/\r/' | head -c -2 +} + echo "Attesting to build outputs for version: '${VERSION}'" echo "" @@ -174,7 +188,8 @@ mkdir -p "$outsigdir" cat "${noncodesigned_fragments[@]}" \ | sort -u \ | sort -k2 \ - > "$temp_noncodesigned" + | rfc4880_normalize_document \ + > "$temp_noncodesigned" if [ -e noncodesigned.SHA256SUMS ]; then # The SHA256SUMS already exists, make sure it's exactly what we # expect, error out if not @@ -201,7 +216,9 @@ mkdir -p "$outsigdir" cat "${sha256sum_fragments[@]}" \ | sort -u \ | sort -k2 \ - > "$temp_codesigned" + | sed 's/$/\r/' \ + | rfc4880_normalize_document \ + > "$temp_codesigned" if [ -e codesigned.SHA256SUMS ]; then # The SHA256SUMS already exists, make sure it's exactly what we # expect, error out if not @@ -226,6 +243,7 @@ mkdir -p "$outsigdir" for i in *.SHA256SUMS; do if [ ! -e "$i".asc ]; then gpg --detach-sign \ + --digest-algo sha256 \ --local-user "$gpg_key_name" \ --armor \ --output "$i".asc "$i" |