author | Carl Dong <contact@carldong.me> | 2021-06-14 17:00:26 -0400 |
---|---|---|
committer | Carl Dong <contact@carldong.me> | 2021-06-14 17:05:26 -0400 |
commit | e2c40a4ed5272d72fea997bd936fba28bb753226 (patch) | |
tree | 0d763e29f29b984a8b203be7d64592f7afd1aa36 | |
parent | 4cc35daed557f38b080360a89036b2e97a6f78c2 (diff) |
guix-attest: Error out if SHA256SUMS is unexpected
-rwxr-xr-x | contrib/guix/guix-attest | 94 |
1 files changed, 67 insertions, 27 deletions
diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest
index 7757d4bd28..c8cf73d400 100755
--- a/contrib/guix/guix-attest
+++ b/contrib/guix/guix-attest
@@ -102,15 +102,15 @@ fi
 echo "Looking for build output SHA256SUMS fragments in ${OUTDIR_BASE}"
 shopt -s nullglob
-OUTDIRS=( "$OUTDIR_BASE"/*/SHA256SUMS.part ) # This expands to an array of directories...
+sha256sum_fragments=( "$OUTDIR_BASE"/*/SHA256SUMS.part ) # This expands to an array of directories...
 shopt -u nullglob
 noncodesigned_fragments=()
 codesigned_fragments=()
-if (( ${#OUTDIRS[@]} )); then
+if (( ${#sha256sum_fragments[@]} )); then
 echo "Found build output SHA256SUMS fragments:"
- for outdir in "${OUTDIRS[@]}"; do
+ for outdir in "${sha256sum_fragments[@]}"; do
 echo " '$outdir'"
 case "$outdir" in
 "$OUTDIR_BASE"/*-codesigned/SHA256SUMS.part)
@@ -139,6 +139,26 @@ out_name() {
 basename "$(dirname "$1")"
 }
+shasum_already_exists() {
+cat <<EOF
+--
+
+ERR: An ${1} file already exists for '${VERSION}' and attests
+ differently. You likely previously attested to a partial build (e.g. one
+ where you specified the HOST environment variable).
+
+ See the diff above for more context.
+
+Hint: You may wish to remove the existing attestations and their signatures by
+ invoking:
+
+ rm '${PWD}/${1}'{,.asc}
+
+ Then try running this script again.
+
+EOF
+}
+
 echo "Attesting to build outputs for version: '${VERSION}'"
 echo ""
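Review bot: The trailing comment on the renamed `sha256sum_fragments=( "$OUTDIR_BASE"/*/SHA256SUMS.part )` line still says it "expands to an array of directories", but the glob matches `SHA256SUMS.part` files, so after the rename the comment (and the `outdir` loop variable two lines below it) describes the wrong thing. I would change it to `# This expands to an array of SHA256SUMS.part file paths (nullglob: empty when none exist)` and, if the hunk is reopened anyway, rename `outdir` to `fragment` so the `case "$outdir" in` pattern reads as a path match on the fragment file. The `nullglob` bracketing around the expansion is what makes the `(( ${#sha256sum_fragments[@]} ))` check meaningful, so that part is fine as is.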
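Review bot: `shasum_already_exists` prints an `ERR:` diagnostic to stdout, where it is interleaved with the script's normal progress output and with the `diff -u` output that precedes it; it should go to stderr like any error message, `cat >&2 <<EOF`. The function also has no header comment, and its `${1}` and `${PWD}` expansions only make sense at a particular call site; I would add a short block above it along the lines of "Print an error explaining that the manifest named in $1 already exists with different contents; must be called with the attestation directory as the working directory because the removal hint is built from ${PWD}". Since the heredoc is intentionally unquoted so that `${1}`, `${VERSION}` and `${PWD}` expand, a one-word comment on the `cat <<EOF` line saying so would stop a future reader from "fixing" it to `<<'EOF'`.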
@@ -147,40 +167,60 @@ mkdir -p "$outsigdir"
 (
 cd "$outsigdir"
- if [ -e "noncodesigned.SHA256SUMS" ]; then
- echo "noncodesigned.SHA256SUMS already exists, using..."
- elif (( ${#noncodesigned_fragments[@]} )); then
+ temp_noncodesigned="$(mktemp)"
+ trap 'rm -rf -- "$temp_noncodesigned"' EXIT
+
+ if (( ${#noncodesigned_fragments[@]} )); then
 cat "${noncodesigned_fragments[@]}" \
 | sort -u \
 | sort -k2 \
- > noncodesigned.SHA256SUMS
+ > "$temp_noncodesigned"
+ if [ -e noncodesigned.SHA256SUMS ]; then
+ # The SHA256SUMS already exists, make sure it's exactly what we
+ # expect, error out if not
+ if diff -u noncodesigned.SHA256SUMS "$temp_noncodesigned"; then
+ echo "A noncodesigned.SHA256SUMS file already exists for '${VERSION}' and is up-to-date."
+ else
+ shasum_already_exists noncodesigned.SHA256SUMS
+ exit 1
+ fi
+ else
+ mv "$temp_noncodesigned" noncodesigned.SHA256SUMS
+ fi
 else
- echo "no noncodesigned outputs found"
+ echo "ERR: No noncodesigned outputs found for '${VERSION}', exiting..."
+ exit 1
 fi
- if [ -e noncodesigned.SHA256SUMS ]; then
- # noncodesigned.SHA256SUMS already exists, or was produced, let's sanity
- # check it.
- ( cd "$OUTDIR_BASE"; sha256sum -c "$outsigdir"/noncodesigned.SHA256SUMS )
-
- # Now produce all.SHA256SUMS manifest
- if [ -e "all.SHA256SUMS" ]; then
- echo "all.SHA256SUMS already there!"
- elif (( ${#codesigned_fragments[@]} )); then
- cat "${OUTDIRS[@]}" \
- | sort -u \
- | sort -k2 \
- > all.SHA256SUMS
- else
- echo "no codesigned outputs found"
- fi
+ temp_codesigned="$(mktemp)"
+ trap 'rm -rf -- "$temp_codesigned"' EXIT
- if [ -e all.SHA256SUMS ]; then
- ( cd "$OUTDIR_BASE"; sha256sum -c "$outsigdir"/all.SHA256SUMS )
+ if (( ${#codesigned_fragments[@]} )); then
+ # Note: all.SHA256SUMS attests to all of $sha256sum_fragments, but is
+ # not needed if there are no $codesigned_fragments
+ cat "${sha256sum_fragments[@]}" \
+ | sort -u \
+ | sort -k2 \
+ > "$temp_codesigned"
+ if [ -e codesigned.SHA256SUMS ]; then
+ # The SHA256SUMS already exists, make sure it's exactly what we
+ # expect, error out if not
+ if diff -u all.SHA256SUMS "$temp_codesigned"; then
+ echo "An all.SHA256SUMS file already exists for '${VERSION}' and is up-to-date."
+ else
+ shasum_already_exists all.SHA256SUMS
+ exit 1
+ fi
+ else
+ mv "$temp_codesigned" codesigned.SHA256SUMS
 fi
+ else
+ # It is fine to have the codesigned outputs be missing (perhaps the
+ # detached codesigs have not been published yet), just print a log
+ # message instead of erroring out
+ echo "INFO: No codesigned outputs found for '${VERSION}', skipping..."
 fi
- if [ -z "$NO_SIGN" ]; then
 echo "Signing SHA256SUMS to produce SHA256SUMS.asc"
 for i in *.SHA256SUMS; do
|
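Review bot: The codesigned branch mixes two manifest names: it tests `[ -e codesigned.SHA256SUMS ]` and moves the temp file to `codesigned.SHA256SUMS`, but diffs against, reports on and passes `all.SHA256SUMS` to `shasum_already_exists`, so on a rerun `diff -u all.SHA256SUMS "$temp_codesigned"` compares against a file this branch never writes and the run aborts with a misleading "attests differently" message; the comment just above says the merged manifest is `all.SHA256SUMS`, so the `[ -e` test and the `mv` target should use that name. The second `trap 'rm -rf -- "$temp_codesigned"' EXIT` replaces the first handler, so `$temp_noncodesigned` is left behind in the temp directory on every path where it was not moved into place (the up-to-date and the mismatch cases); create both temp files up front and register one handler: `temp_noncodesigned="$(mktemp)"` / `temp_codesigned="$(mktemp)"` / `trap 'rm -f -- "$temp_noncodesigned" "$temp_codesigned"' EXIT`. The two removed `( cd "$OUTDIR_BASE"; sha256sum -c ... )` calls have no replacement in the new code, so the merged manifest is no longer verified against the artifacts it names before the signing step below; unless that check moved elsewhere in the file, I would keep it after each `mv`. Note also that these `exit 1` calls run inside the `( cd "$outsigdir"` subshell, which closes outside this hunk, so whether the script as a whole fails depends on `set -e` or a status check after the subshell that is not visible here.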