aboutsummaryrefslogtreecommitdiff
path: root/contrib
diff options
context:
space:
mode:
authorAndrew Chow <achow101-github@achow101.com>2021-07-22 13:25:57 -0400
committerAndrew Chow <achow101-github@achow101.com>2021-07-22 18:48:25 -0400
commit4a466388a0092fbdf5f8969c6bfb65bf8cc962e1 (patch)
treedccfa11c574fc292695df6b38c89cf01682513be /contrib
parent33455c76964b9e27b33e970d9722cc47657b291b (diff)
guix: Allow changing the base manifest in guix-verify
When verifying guix attestations, it is useful to set a particular signer's manifest as the base to compare against.
Diffstat (limited to 'contrib')
-rwxr-xr-xcontrib/guix/guix-verify28
1 files changed, 27 insertions, 1 deletions
diff --git a/contrib/guix/guix-verify b/contrib/guix/guix-verify
index a6e2c4065e..e4863f115b 100755
--- a/contrib/guix/guix-verify
+++ b/contrib/guix/guix-verify
@@ -28,7 +28,11 @@ cmd_usage() {
cat <<EOF
Synopsis:
- env GUIX_SIGS_REPO=<path/to/guix.sigs> ./contrib/guix/guix-verify
+ env GUIX_SIGS_REPO=<path/to/guix.sigs> [ SIGNER=<signer> ] ./contrib/guix/guix-verify
+
+Example overriding signer's manifest to use as base
+
+ env GUIX_SIGS_REPO=/home/dongcarl/guix.sigs SIGNER=achow101 ./contrib/guix/guix-verify
EOF
}
@@ -92,6 +96,17 @@ echo "--------------------"
echo ""
if (( ${#all_noncodesigned[@]} )); then
compare_noncodesigned="${all_noncodesigned[0]}"
+ if [[ -n "$SIGNER" ]]; then
+ signer_noncodesigned="$OUTSIGDIR_BASE/$SIGNER/noncodesigned.SHA256SUMS"
+ if [[ -f "$signer_noncodesigned" ]]; then
+ echo "Using $SIGNER's manifest as the base to compare against"
+ compare_noncodesigned="$signer_noncodesigned"
+ else
+ echo "Unable to find $SIGNER's manifest, using the first one found"
+ fi
+ else
+ echo "No SIGNER provided, using the first manifest found"
+ fi
for current_manifest in "${all_noncodesigned[@]}"; do
verify "$compare_noncodesigned" "$current_manifest"
@@ -112,6 +127,17 @@ echo "--------------------"
echo ""
if (( ${#all_all[@]} )); then
compare_all="${all_all[0]}"
+ if [[ -n "$SIGNER" ]]; then
+ signer_all="$OUTSIGDIR_BASE/$SIGNER/all.SHA256SUMS"
+ if [[ -f "$signer_all" ]]; then
+ echo "Using $SIGNER's manifest as the base to compare against"
+ compare_all="$signer_all"
+ else
+ echo "Unable to find $SIGNER's manifest, using the first one found"
+ fi
+ else
+ echo "No SIGNER provided, using the first manifest found"
+ fi
for current_manifest in "${all_all[@]}"; do
verify "$compare_all" "$current_manifest"