guix: Attest to inputs in inputs.SHA256SUMS

At build/codesigning-time, hash build inputs and output the digest to
${OUTDIR}/inputs.SHA256SUMS, which gets included in the final SHA256SUMS
constructed by guix-attest.

Example final SHA256SUMS:
ee832d2a35b7701bff581dea05a536118b118e3ad0a587a2855b6ee8cd6fba20  inputs/bitcoin-78199266af7b.tar.gz
ca765e70a0c12866dd63c0be228b675278a26329e5f8f5b5c52fd09200fedf21  bitcoin-78199266af7b-powerpc64le-linux-gnu-debug.tar.gz
dae95327d7f2c324e2728c4b73627be6cb2c0d2f2e5bea940d1d5e6463939327  bitcoin-78199266af7b-powerpc64le-linux-gnu.tar.gz

1 files changed, 15 insertions, 0 deletions

diff --git a/contrib/guix/libexec/build.sh b/contrib/guix/libexec/build.sh
index 1bd4fee884..ce61cd52c7 100644
--- a/contrib/guix/libexec/build.sh
+++ b/contrib/guix/libexec/build.sh
@@ -231,6 +231,21 @@ if [ ! -e "$GIT_ARCHIVE" ]; then
     git archive --prefix="${DISTNAME}/" --output="$GIT_ARCHIVE" HEAD
 fi
 
+# tmpdir="$(mktemp -d)"
+# (
+#     cd "$tmpdir"
+#     mkdir -p inputs
+#     ln -sf --target-directory=inputs "$GIT_ARCHIVE"
+
+#     mkdir -p "$OUTDIR"
+#     find -L inputs -type f -print0 | xargs -0 sha256sum > "${OUTDIR}/inputs.SHA256SUMS"
+# )
+
+mkdir -p "$OUTDIR"
+cat << EOF > "$OUTDIR"/inputs.SHA256SUMS
+$(sha256sum "$GIT_ARCHIVE" | cut -d' ' -f1)  inputs/$(basename "$GIT_ARCHIVE")
+EOF
+
 ###########################
 # Binary Tarball Building #
 ###########################