-rwxr-xr-x | contrib/guix/guix-attest | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest
index e396d3e98e..51d589c1de 100755
--- a/contrib/guix/guix-attest
+++ b/contrib/guix/guix-attest
@@ -159,6 +159,20 @@ Hint: You may wish to remove the existing attestations and their signatures by
 EOF
 }
 
+# Given a document with unix line endings (just <LF>) in stdin, make all lines
+# end in <CR><LF> and make sure there's no trailing <LF> at the end of the file.
+#
+# This is necessary as cleartext signatures are calculated on text after their
+# line endings are canonicalized.
+#
+# For more information:
+# 1. https://security.stackexchange.com/a/104261
+# 2. https://datatracker.ietf.org/doc/html/rfc4880#section-7.1
+#
+rfc4880_normalize_document() {
+ sed 's/$/\r/' | head -c -2
+}
+
 echo "Attesting to build outputs for version: '${VERSION}'"
 echo ""
 
@@ -174,7 +188,8 @@ mkdir -p "$outsigdir"
 cat "${noncodesigned_fragments[@]}" \
 | sort -u \
 | sort -k2 \
- > "$temp_noncodesigned"
+ | rfc4880_normalize_document \
+ > "$temp_noncodesigned"
 if [ -e noncodesigned.SHA256SUMS ]; then
 # The SHA256SUMS already exists, make sure it's exactly what we
 # expect, error out if not
@@ -201,7 +216,9 @@ mkdir -p "$outsigdir"
 cat "${sha256sum_fragments[@]}" \
 | sort -u \
 | sort -k2 \
- > "$temp_codesigned"
+ | sed 's/$/\r/' \
+ | rfc4880_normalize_document \
+ > "$temp_codesigned"
 if [ -e codesigned.SHA256SUMS ]; then
 # The SHA256SUMS already exists, make sure it's exactly what we
 # expect, error out if not
@@ -226,6 +243,7 @@ mkdir -p "$outsigdir"
 for i in *.SHA256SUMS; do
 if [ ! -e "$i".asc ]; then
 gpg --detach-sign \
+ --digest-algo sha256 \
 --local-user "$gpg_key_name" \
 --armor \
 --output "$i".asc "$i" |
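Review bot: The codesigned pipeline in the third hunk pipes through `sed 's/$/\r/'` and then through `rfc4880_normalize_document`, which applies the same substitution again, so every line of `$temp_codesigned` ends in `<CR><CR><LF>` and, after `head -c -2` strips only the last two bytes, the file ends in a stray `<CR>`; the noncodesigned pipeline in the second hunk has no such extra stage, so the two SHA256SUMS files are normalized differently and the codesigned one no longer matches the contract stated in the new function's comment. Drop the `| sed 's/$/\r/' \` line so the stage reads only `| rfc4880_normalize_document \` followed by `> "$temp_codesigned"`. Note also that `head -c -2` with a negative count and `\r` in a sed replacement are GNU extensions; inside the Guix environment that is presumably what runs, but a line such as `# NOTE: relies on GNU sed/head (negative -c count, \r in replacement)` in the function header would record the assumption. The `for i in *.SHA256SUMS` loop in the last hunk continues outside the diff.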