aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCarl Dong <contact@carldong.me>2021-06-14 17:00:26 -0400
committerCarl Dong <contact@carldong.me>2021-06-14 17:05:26 -0400
commite2c40a4ed5272d72fea997bd936fba28bb753226 (patch)
tree0d763e29f29b984a8b203be7d64592f7afd1aa36
parent4cc35daed557f38b080360a89036b2e97a6f78c2 (diff)
guix-attest: Error out if SHA256SUMS is unexpected
-rwxr-xr-xcontrib/guix/guix-attest94
1 files changed, 67 insertions, 27 deletions
diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest
index 7757d4bd28..c8cf73d400 100755
--- a/contrib/guix/guix-attest
+++ b/contrib/guix/guix-attest
@@ -102,15 +102,15 @@ fi
echo "Looking for build output SHA256SUMS fragments in ${OUTDIR_BASE}"
shopt -s nullglob
-OUTDIRS=( "$OUTDIR_BASE"/*/SHA256SUMS.part ) # This expands to an array of directories...
+sha256sum_fragments=( "$OUTDIR_BASE"/*/SHA256SUMS.part ) # This expands to an array of directories...
shopt -u nullglob
noncodesigned_fragments=()
codesigned_fragments=()
-if (( ${#OUTDIRS[@]} )); then
+if (( ${#sha256sum_fragments[@]} )); then
echo "Found build output SHA256SUMS fragments:"
- for outdir in "${OUTDIRS[@]}"; do
+ for outdir in "${sha256sum_fragments[@]}"; do
echo " '$outdir'"
case "$outdir" in
"$OUTDIR_BASE"/*-codesigned/SHA256SUMS.part)
@@ -139,6 +139,26 @@ out_name() {
basename "$(dirname "$1")"
}
+shasum_already_exists() {
+cat <<EOF
+--
+
+ERR: An ${1} file already exists for '${VERSION}' and attests
+ differently. You likely previously attested to a partial build (e.g. one
+ where you specified the HOST environment variable).
+
+ See the diff above for more context.
+
+Hint: You may wish to remove the existing attestations and their signatures by
+ invoking:
+
+ rm '${PWD}/${1}'{,.asc}
+
+ Then try running this script again.
+
+EOF
+}
+
echo "Attesting to build outputs for version: '${VERSION}'"
echo ""
@@ -147,40 +167,60 @@ mkdir -p "$outsigdir"
(
cd "$outsigdir"
- if [ -e "noncodesigned.SHA256SUMS" ]; then
- echo "noncodesigned.SHA256SUMS already exists, using..."
- elif (( ${#noncodesigned_fragments[@]} )); then
+ temp_noncodesigned="$(mktemp)"
+ trap 'rm -rf -- "$temp_noncodesigned"' EXIT
+
+ if (( ${#noncodesigned_fragments[@]} )); then
cat "${noncodesigned_fragments[@]}" \
| sort -u \
| sort -k2 \
- > noncodesigned.SHA256SUMS
+ > "$temp_noncodesigned"
+ if [ -e noncodesigned.SHA256SUMS ]; then
+ # The SHA256SUMS already exists, make sure it's exactly what we
+ # expect, error out if not
+ if diff -u noncodesigned.SHA256SUMS "$temp_noncodesigned"; then
+ echo "A noncodesigned.SHA256SUMS file already exists for '${VERSION}' and is up-to-date."
+ else
+ shasum_already_exists noncodesigned.SHA256SUMS
+ exit 1
+ fi
+ else
+ mv "$temp_noncodesigned" noncodesigned.SHA256SUMS
+ fi
else
- echo "no noncodesigned outputs found"
+ echo "ERR: No noncodesigned outputs found for '${VERSION}', exiting..."
+ exit 1
fi
- if [ -e noncodesigned.SHA256SUMS ]; then
- # noncodesigned.SHA256SUMS already exists, or was produced, let's sanity
- # check it.
- ( cd "$OUTDIR_BASE"; sha256sum -c "$outsigdir"/noncodesigned.SHA256SUMS )
-
- # Now produce all.SHA256SUMS manifest
- if [ -e "all.SHA256SUMS" ]; then
- echo "all.SHA256SUMS already there!"
- elif (( ${#codesigned_fragments[@]} )); then
- cat "${OUTDIRS[@]}" \
- | sort -u \
- | sort -k2 \
- > all.SHA256SUMS
- else
- echo "no codesigned outputs found"
- fi
+ temp_codesigned="$(mktemp)"
+ trap 'rm -rf -- "$temp_codesigned"' EXIT
- if [ -e all.SHA256SUMS ]; then
- ( cd "$OUTDIR_BASE"; sha256sum -c "$outsigdir"/all.SHA256SUMS )
+ if (( ${#codesigned_fragments[@]} )); then
+ # Note: all.SHA256SUMS attests to all of $sha256sum_fragments, but is
+ # not needed if there are no $codesigned_fragments
+ cat "${sha256sum_fragments[@]}" \
+ | sort -u \
+ | sort -k2 \
+ > "$temp_codesigned"
+ if [ -e codesigned.SHA256SUMS ]; then
+ # The SHA256SUMS already exists, make sure it's exactly what we
+ # expect, error out if not
+ if diff -u all.SHA256SUMS "$temp_codesigned"; then
+ echo "An all.SHA256SUMS file already exists for '${VERSION}' and is up-to-date."
+ else
+ shasum_already_exists all.SHA256SUMS
+ exit 1
+ fi
+ else
+ mv "$temp_codesigned" codesigned.SHA256SUMS
fi
+ else
+ # It is fine to have the codesigned outputs be missing (perhaps the
+ # detached codesigs have not been published yet), just print a log
+ # message instead of erroring out
+ echo "INFO: No codesigned outputs found for '${VERSION}', skipping..."
fi
-
if [ -z "$NO_SIGN" ]; then
echo "Signing SHA256SUMS to produce SHA256SUMS.asc"
for i in *.SHA256SUMS; do