guix: Attest to inputs in inputs.SHA256SUMS

At build/codesigning-time, hash build inputs and output the digest to
${OUTDIR}/inputs.SHA256SUMS, which gets included in the final SHA256SUMS
constructed by guix-attest.

Example final SHA256SUMS:
ee832d2a35b7701bff581dea05a536118b118e3ad0a587a2855b6ee8cd6fba20  inputs/bitcoin-78199266af7b.tar.gz
ca765e70a0c12866dd63c0be228b675278a26329e5f8f5b5c52fd09200fedf21  bitcoin-78199266af7b-powerpc64le-linux-gnu-debug.tar.gz
dae95327d7f2c324e2728c4b73627be6cb2c0d2f2e5bea940d1d5e6463939327  bitcoin-78199266af7b-powerpc64le-linux-gnu.tar.gz

1 files changed, 9 insertions, 2 deletions

diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest
index 6aa6ce4716..5093dcb69d 100755
--- a/contrib/guix/guix-attest
+++ b/contrib/guix/guix-attest
@@ -153,10 +153,17 @@ for outdir in "${OUTDIRS[@]}"; do
         outdirs_already_attested_to+=("$outdir")
     else
         mkdir -p "$outsigdir"
-        echo "${outname}: Hashing build outputs to produce SHA256SUMS"
+
         (
             cd "$outdir"
-            files="$(find . -type f)"
+
+            if [ -e inputs.SHA256SUMS ]; then
+                echo "${outname}: Including existent input SHA256SUMS"
+                cat inputs.SHA256SUMS >> "$outsigdir"/SHA256SUMS
+            fi
+
+            echo "${outname}: Hashing build outputs to produce SHA256SUMS"
+            files="$(find -L . -type f ! -iname '*.SHA256SUMS')"
             if [ -n "$files" ]; then
                 cut -c3- <<< "$files" | env LC_ALL=C sort | xargs sha256sum >> "$outsigdir"/SHA256SUMS
             else