diff options
| author | Carl Dong <contact@carldong.me> | 2021-04-20 15:53:08 -0400 |
|---|---|---|
| committer | Carl Dong <contact@carldong.me> | 2021-05-03 13:18:19 -0400 |
| commit | d522d8006b891eccd7901faf391f9c041ddf8e38 (patch) | |
| tree | 6196e4a8400167e71b5570fb7b4aa17d5b1f4bc8 /contrib/guix | |
| parent | f9e2960c018103be756a7f8a506816b49d662514 (diff) | |
| download | bitcoin-d522d8006b891eccd7901faf391f9c041ddf8e38.tar.xz | |
guix: Attest to inputs in inputs.SHA256SUMS
At build/codesigning-time, hash build inputs and output the digest to
${OUTDIR}/inputs.SHA256SUMS, which gets included in the final SHA256SUMS
constructed by guix-attest.
Example final SHA256SUMS:
ee832d2a35b7701bff581dea05a536118b118e3ad0a587a2855b6ee8cd6fba20 inputs/bitcoin-78199266af7b.tar.gz
ca765e70a0c12866dd63c0be228b675278a26329e5f8f5b5c52fd09200fedf21 bitcoin-78199266af7b-powerpc64le-linux-gnu-debug.tar.gz
dae95327d7f2c324e2728c4b73627be6cb2c0d2f2e5bea940d1d5e6463939327 bitcoin-78199266af7b-powerpc64le-linux-gnu.tar.gz
Diffstat (limited to 'contrib/guix')
| -rwxr-xr-x | contrib/guix/guix-attest | 11 | ||||
| -rw-r--r-- | contrib/guix/libexec/build.sh | 15 |
2 files changed, 24 insertions, 2 deletions
diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest index 6aa6ce4716..5093dcb69d 100755 --- a/contrib/guix/guix-attest +++ b/contrib/guix/guix-attest @@ -153,10 +153,17 @@ for outdir in "${OUTDIRS[@]}"; do outdirs_already_attested_to+=("$outdir") else mkdir -p "$outsigdir" - echo "${outname}: Hashing build outputs to produce SHA256SUMS" + ( cd "$outdir" - files="$(find . -type f)" + + if [ -e inputs.SHA256SUMS ]; then + echo "${outname}: Including existent input SHA256SUMS" + cat inputs.SHA256SUMS >> "$outsigdir"/SHA256SUMS + fi + + echo "${outname}: Hashing build outputs to produce SHA256SUMS" + files="$(find -L . -type f ! -iname '*.SHA256SUMS')" if [ -n "$files" ]; then cut -c3- <<< "$files" | env LC_ALL=C sort | xargs sha256sum >> "$outsigdir"/SHA256SUMS else diff --git a/contrib/guix/libexec/build.sh b/contrib/guix/libexec/build.sh index 1bd4fee884..ce61cd52c7 100644 --- a/contrib/guix/libexec/build.sh +++ b/contrib/guix/libexec/build.sh @@ -231,6 +231,21 @@ if [ ! -e "$GIT_ARCHIVE" ]; then git archive --prefix="${DISTNAME}/" --output="$GIT_ARCHIVE" HEAD fi +# tmpdir="$(mktemp -d)" +# ( +# cd "$tmpdir" +# mkdir -p inputs +# ln -sf --target-directory=inputs "$GIT_ARCHIVE" + +# mkdir -p "$OUTDIR" +# find -L inputs -type f -print0 | xargs -0 sha256sum > "${OUTDIR}/inputs.SHA256SUMS" +# ) + +mkdir -p "$OUTDIR" +cat << EOF > "$OUTDIR"/inputs.SHA256SUMS +$(sha256sum "$GIT_ARCHIVE" | cut -d' ' -f1) inputs/$(basename "$GIT_ARCHIVE") +EOF + ########################### # Binary Tarball Building # ########################### |