author fanquake <fanquake@gmail.com> 2021-07-29 11:11:55 +0800
committer fanquake <fanquake@gmail.com> 2021-07-29 11:13:12 +0800
commit 8f76f9f61334df2ee5798d661c30f11d5abe8254
tree 91fa43425e647662d53228650b4448b5e62a21c6 /contrib/guix/guix-attest
parent be92dc5876969da29a44e1360255f171734901d7
parent 9b313dfef18792fcc36e78ef3caa693fafcce04e
Merge bitcoin/bitcoin#22531: guix: Fixes to guix-{attest,verify}

9b313dfef18792fcc36e78ef3caa693fafcce04e guix: Ensure EPOCH_SOURCE_DATE does not include GPG information (Andrew Chow)
43225f0a2a517ccd79dc49279b979ffd2eca6b85 guix: Remove extra \r from all.SHA256SUMS line ending (Andrew Chow)
d080c27066449f76bc8709fc50e422757971d2cf guix, doc: Add a note that codesigners need to rebuild after tagging (Andrew Chow)
4a466388a0092fbdf5f8969c6bfb65bf8cc962e1 guix: Allow changing the base manifest in guix-verify (Andrew Chow)
33455c76964b9e27b33e970d9722cc47657b291b guix: Make all.SHA256SUMS rather than codesigned.SHA256SUMS (Andrew Chow)

Pull request description:

  `guix-verify` expects `all.SHA256SUMS` but `guix-attest` produces `codesigned.SHA256SUMS`. Since `all.SHA256SUMS` makes more sense (as the file contains all the sha256sums, not just the codesigned ones), `guix-attest` has been changed to output a file of that name.

  As a quality of life improvement, `guix-verify` can take `SIGNER` and use the signer's manifest as the base to compare against. This makes it easier to compare a single person's attestations with everyone else's and can make it more obvious when one builder is clearly mismatching with everyone else.

  Lastly `release-process.md` is updated with a note about a gotcha that can cause a mismatch in the codesigned attestation.

ACKs for top commit:
  fanquake:
    ACK 9b313dfef18792fcc36e78ef3caa693fafcce04e

Tree-SHA512: 0d60627def38288dbd3059ad1e72cad224f9205da11b1a561c082ef28250a074df5cc5f2797c91a7be027bc486a3fda3319c2e496a8724e5b539337236c6f990

Diffstat (limited to 'contrib/guix/guix-attest')
-rwxr-xr-x contrib/guix/guix-attest 13
1 files changed, 6 insertions, 7 deletions
diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest
index 51d589c1de..dcf709b542 100755
--- a/contrib/guix/guix-attest
+++ b/contrib/guix/guix-attest
@@ -207,8 +207,8 @@ mkdir -p "$outsigdir"
exit 1
fi
- temp_codesigned="$(mktemp)"
- trap 'rm -rf -- "$temp_codesigned"' EXIT
+ temp_all="$(mktemp)"
+ trap 'rm -rf -- "$temp_all"' EXIT
if (( ${#codesigned_fragments[@]} )); then
# Note: all.SHA256SUMS attests to all of $sha256sum_fragments, but is
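Review bot: The `trap 'rm -rf -- "$temp_all"' EXIT` line uses a recursive remove on what `mktemp` (called without `-d`) creates as a single regular file, so `rm -f -- "$temp_all"` is sufficient and narrower if the variable ever ends up holding something unexpected. The result of `mktemp` is also not checked in the visible lines; a short `|| exit 1` after the assignment would avoid continuing with an empty `temp_all` and redirecting the pipeline output to an empty path. The rename from `temp_codesigned` to `temp_all` itself is consistent across both the assignment and the trap.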
@@ -216,20 +216,19 @@ mkdir -p "$outsigdir"
cat "${sha256sum_fragments[@]}" \
| sort -u \
| sort -k2 \
- | sed 's/$/\r/' \
| rfc4880_normalize_document \
- > "$temp_codesigned"
- if [ -e codesigned.SHA256SUMS ]; then
+ > "$temp_all"
+ if [ -e all.SHA256SUMS ]; then
# The SHA256SUMS already exists, make sure it's exactly what we
# expect, error out if not
- if diff -u all.SHA256SUMS "$temp_codesigned"; then
+ if diff -u all.SHA256SUMS "$temp_all"; then
echo "An all.SHA256SUMS file already exists for '${VERSION}' and is up-to-date."
else
shasum_already_exists all.SHA256SUMS
exit 1
fi
else
- mv "$temp_codesigned" codesigned.SHA256SUMS
+ mv "$temp_all" all.SHA256SUMS
fi
else
# It is fine to have the codesigned outputs be missing (perhaps the
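Review bot: Dropping `| sed 's/$/\r/' \` makes the line endings of the signed document depend entirely on `rfc4880_normalize_document`, whose definition is not in this hunk; a one-line comment above the pipeline stating that the function already emits the CRLF form would keep the next editor from re-adding the `sed` and changing the bytes that get attested. Because the up-to-date check is a byte-for-byte `diff -u all.SHA256SUMS "$temp_all"`, any `all.SHA256SUMS` written with the extra `\r` will now take the `shasum_already_exists` branch and exit 1, so it is worth saying in the docs that such files must be regenerated. Separately, a `codesigned.SHA256SUMS` left behind by an earlier run is no longer looked at by `[ -e all.SHA256SUMS ]` and stays in the output directory next to the new file; consider detecting it and telling the attester to remove it.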