author | Andrew Chow <achow101-github@achow101.com> | 2021-07-22 13:25:57 -0400 |
---|---|---|
committer | fanquake <fanquake@gmail.com> | 2021-07-29 11:14:54 +0800 |
commit | aa9b6aba0302a3c7345f8e6d73a1868083f87874 (patch) | |
tree | b19b4df685a9285d7a0280e9bcf622e40e6e0352 /contrib | |
parent | 056e47d88748062ef6d4b2f3d3dbf93d9cadca14 (diff) |
guix: Allow changing the base manifest in guix-verify
When verifying guix attestations, it is useful to set a particular
signer's manifest as the base to compare against.
Github-Pull: #22531
Rebased-From: 4a466388a0092fbdf5f8969c6bfb65bf8cc962e1
Diffstat (limited to 'contrib')
-rwxr-xr-x | contrib/guix/guix-verify | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/contrib/guix/guix-verify b/contrib/guix/guix-verify
index a6e2c4065e..e4863f115b 100755
--- a/contrib/guix/guix-verify
+++ b/contrib/guix/guix-verify
@@ -28,7 +28,11 @@ cmd_usage() {
 cat <<EOF
 Synopsis:
- env GUIX_SIGS_REPO=<path/to/guix.sigs> ./contrib/guix/guix-verify
+ env GUIX_SIGS_REPO=<path/to/guix.sigs> [ SIGNER=<signer> ] ./contrib/guix/guix-verify
+
+Example overriding signer's manifest to use as base
+
+ env GUIX_SIGS_REPO=/home/dongcarl/guix.sigs SIGNER=achow101 ./contrib/guix/guix-verify
 EOF
 }
@@ -92,6 +96,17 @@ echo "--------------------"
 echo ""
 if (( ${#all_noncodesigned[@]} )); then
 compare_noncodesigned="${all_noncodesigned[0]}"
+ if [[ -n "$SIGNER" ]]; then
+ signer_noncodesigned="$OUTSIGDIR_BASE/$SIGNER/noncodesigned.SHA256SUMS"
+ if [[ -f "$signer_noncodesigned" ]]; then
+ echo "Using $SIGNER's manifest as the base to compare against"
+ compare_noncodesigned="$signer_noncodesigned"
+ else
+ echo "Unable to find $SIGNER's manifest, using the first one found"
+ fi
+ else
+ echo "No SIGNER provided, using the first manifest found"
+ fi
 for current_manifest in "${all_noncodesigned[@]}"; do
 verify "$compare_noncodesigned" "$current_manifest"
@@ -112,6 +127,17 @@ echo "--------------------"
 echo ""
 if (( ${#all_all[@]} )); then
 compare_all="${all_all[0]}"
+ if [[ -n "$SIGNER" ]]; then
+ signer_all="$OUTSIGDIR_BASE/$SIGNER/all.SHA256SUMS"
+ if [[ -f "$signer_all" ]]; then
+ echo "Using $SIGNER's manifest as the base to compare against"
+ compare_all="$signer_all"
+ else
+ echo "Unable to find $SIGNER's manifest, using the first one found"
+ fi
+ else
+ echo "No SIGNER provided, using the first manifest found"
+ fi
 for current_manifest in "${all_all[@]}"; do
 verify "$compare_all" "$current_manifest" |
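Review bot: In the `else` branch under `if [[ -f "$signer_noncodesigned" ]]`, an explicitly requested `SIGNER` whose manifest is missing only prints a notice to stdout and the run continues against `${all_noncodesigned[0]}`, so a mistyped or absent signer silently changes which attestation is treated as the reference. A verification tool should fail closed there, for example `echo "Unable to find $SIGNER's manifest" >&2; exit 1`, or at minimum send the notice to stderr so it is not lost among the comparison output. `SIGNER` is also joined into the path unchecked; it comes from the caller's own environment, so this is hardening rather than a trust boundary, but rejecting a value that contains `/` or equals `..` keeps the base manifest inside `$OUTSIGDIR_BASE`. The same block is repeated for `all.SHA256SUMS` in the `@@ -112,6 +127,17 @@` hunk and has the same behaviour; both enclosing `if (( ... )); then` blocks continue outside their hunks.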