From 33455c76964b9e27b33e970d9722cc47657b291b Mon Sep 17 00:00:00 2001 From: Andrew Chow Date: Thu, 22 Jul 2021 17:42:59 -0400 Subject: guix: Make all.SHA256SUMS rather than codesigned.SHA256SUMS --- contrib/guix/guix-attest | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'contrib') diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest index 51d589c1de..396cb39895 100755 --- a/contrib/guix/guix-attest +++ b/contrib/guix/guix-attest @@ -207,8 +207,8 @@ mkdir -p "$outsigdir" exit 1 fi - temp_codesigned="$(mktemp)" - trap 'rm -rf -- "$temp_codesigned"' EXIT + temp_all="$(mktemp)" + trap 'rm -rf -- "$temp_all"' EXIT if (( ${#codesigned_fragments[@]} )); then # Note: all.SHA256SUMS attests to all of $sha256sum_fragments, but is @@ -218,18 +218,18 @@ mkdir -p "$outsigdir" | sort -k2 \ | sed 's/$/\r/' \ | rfc4880_normalize_document \ - > "$temp_codesigned" - if [ -e codesigned.SHA256SUMS ]; then + > "$temp_all" + if [ -e all.SHA256SUMS ]; then # The SHA256SUMS already exists, make sure it's exactly what we # expect, error out if not - if diff -u all.SHA256SUMS "$temp_codesigned"; then + if diff -u all.SHA256SUMS "$temp_all"; then echo "An all.SHA256SUMS file already exists for '${VERSION}' and is up-to-date." else shasum_already_exists all.SHA256SUMS exit 1 fi else - mv "$temp_codesigned" codesigned.SHA256SUMS + mv "$temp_all" all.SHA256SUMS fi else # It is fine to have the codesigned outputs be missing (perhaps the -- cgit v1.2.3 From 4a466388a0092fbdf5f8969c6bfb65bf8cc962e1 Mon Sep 17 00:00:00 2001 From: Andrew Chow Date: Thu, 22 Jul 2021 13:25:57 -0400 Subject: guix: Allow changing the base manifest in guix-verify When verifying guix attestations, it is useful to set a particular signer's manifest as the base to compare against. --- contrib/guix/guix-verify | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) (limited to 'contrib') 
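Review bot: The cleanup trap in the first hunk, `trap 'rm -rf -- "$temp_all"' EXIT`, deletes a regular file created by `mktemp`, so `rm -f -- "$temp_all"` is the tighter form; and because `trap … EXIT` replaces any EXIT handler registered earlier in the script, it is worth confirming none exists above this point (the enclosing block starts outside the hunk). In the second hunk, `mv "$temp_all" all.SHA256SUMS` keeps the 0600 mode that mktemp gives its file, which may differ from how other files in the signature directory are created; harmless for git, which tracks only the executable bit, but a one-line comment would record that it is intended.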
diff --git a/contrib/guix/guix-verify b/contrib/guix/guix-verify index a6e2c4065e..e4863f115b 100755 --- a/contrib/guix/guix-verify +++ b/contrib/guix/guix-verify @@ -28,7 +28,11 @@ cmd_usage() { cat < ./contrib/guix/guix-verify + env GUIX_SIGS_REPO= [ SIGNER= ] ./contrib/guix/guix-verify + +Example overriding signer's manifest to use as base + + env GUIX_SIGS_REPO=/home/dongcarl/guix.sigs SIGNER=achow101 ./contrib/guix/guix-verify EOF } @@ -92,6 +96,17 @@ echo "--------------------" echo "" if (( ${#all_noncodesigned[@]} )); then compare_noncodesigned="${all_noncodesigned[0]}" + if [[ -n "$SIGNER" ]]; then + signer_noncodesigned="$OUTSIGDIR_BASE/$SIGNER/noncodesigned.SHA256SUMS" + if [[ -f "$signer_noncodesigned" ]]; then + echo "Using $SIGNER's manifest as the base to compare against" + compare_noncodesigned="$signer_noncodesigned" + else + echo "Unable to find $SIGNER's manifest, using the first one found" + fi + else + echo "No SIGNER provided, using the first manifest found" + fi for current_manifest in "${all_noncodesigned[@]}"; do verify "$compare_noncodesigned" "$current_manifest" @@ -112,6 +127,17 @@ echo "--------------------" echo "" if (( ${#all_all[@]} )); then compare_all="${all_all[0]}" + if [[ -n "$SIGNER" ]]; then + signer_all="$OUTSIGDIR_BASE/$SIGNER/all.SHA256SUMS" + if [[ -f "$signer_all" ]]; then + echo "Using $SIGNER's manifest as the base to compare against" + compare_all="$signer_all" + else + echo "Unable to find $SIGNER's manifest, using the first one found" + fi + else + echo "No SIGNER provided, using the first manifest found" + fi for current_manifest in "${all_all[@]}"; do verify "$compare_all" "$current_manifest" -- cgit v1.2.3 From 43225f0a2a517ccd79dc49279b979ffd2eca6b85 Mon Sep 17 00:00:00 2001 
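Review bot: Both new blocks (the hunks at @@ -92 and @@ -112) test `[[ -n "$SIGNER" ]]` while the usage text marks SIGNER as optional; if guix-verify runs with `set -u` (its header is outside these hunks), an unset SIGNER aborts with an unbound-variable error instead of falling back to the first manifest, so `[[ -n "${SIGNER:-}" ]]` is the safer spelling in both places. The two blocks are otherwise identical apart from the manifest filename, so a small helper taking the filename and the fallback manifest would keep them from drifting, but that is a style point. Both `if` chains sit inside larger `if (( … ))` blocks that close outside the hunks.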
From: Andrew Chow Date: Thu, 22 Jul 2021 19:10:40 -0400 Subject: guix: Remove extra \r from all.SHA256SUMS line ending guix-attest mistakenly added an extra \r to the line endings in all.SHA256SUMS, causing guix-verify to erroneously fail. Co-Authored-By: Carl Dong --- contrib/guix/guix-attest | 1 - 1 file changed, 1 deletion(-) (limited to 'contrib') diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest index 396cb39895..dcf709b542 100755 --- a/contrib/guix/guix-attest +++ b/contrib/guix/guix-attest @@ -216,7 +216,6 @@ mkdir -p "$outsigdir" cat "${sha256sum_fragments[@]}" \ | sort -u \ | sort -k2 \ - | sed 's/$/\r/' \ | rfc4880_normalize_document \ > "$temp_all" if [ -e all.SHA256SUMS ]; then -- cgit v1.2.3 From 9b313dfef18792fcc36e78ef3caa693fafcce04e Mon Sep 17 00:00:00 2001 From: Andrew Chow Date: Fri, 23 Jul 2021 15:15:36 -0400 Subject: guix: Ensure EPOCH_SOURCE_DATE does not include GPG information If the user has set log.showSignature=true in their git config, then the git log will always output GPG signature information. Since git log is used to set EPOCH_SOURCE_DATE, this will mistakenly have GPG signature information in it which causes issues for the build. To avoid this issue, we override the config and force log.showSignature=false. --- contrib/guix/guix-build | 2 +- contrib/guix/guix-codesign | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'contrib') diff --git a/contrib/guix/guix-build b/contrib/guix/guix-build index f6da8435e9..3d9335b4b0 100755 --- a/contrib/guix/guix-build +++ b/contrib/guix/guix-build @@ -232,7 +232,7 @@ host_to_commonname() { } # Determine the reference time used for determinism (overridable by environment) -SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git log --format=%at -1)}" +SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git -c log.showSignature=false log --format=%at -1)}" # Execute "$@" in a pinned, possibly older version of Guix, for reproducibility # across time. 
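Review bot: `SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git -c log.showSignature=false log --format=%at -1)}"` in the guix-build hunk has no check on the value it ends up with, and an empty SOURCE_DATE_EPOCH defeats the determinism this line exists for; unless the script runs with `set -e` (its header is outside the hunk) a failing `git log` leaves the variable empty without any message, so an explicit `: "${SOURCE_DATE_EPOCH:?could not determine SOURCE_DATE_EPOCH from git log}"` right after the assignment would make the requirement self-documenting either way. The `-c log.showSignature=false` override addresses the problem described in the commit message; `git log --no-show-signature` is the equivalent flag form if a flag is preferred over a config override. The identical line in the guix-codesign hunk below has the same gap, and keeping the expression in one shared place would avoid the two copies drifting apart again.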
diff --git a/contrib/guix/guix-codesign b/contrib/guix/guix-codesign index 11610a92e1..3f464f89e6 100755 --- a/contrib/guix/guix-codesign +++ b/contrib/guix/guix-codesign @@ -220,7 +220,7 @@ fi JOBS="${JOBS:-$(nproc)}" # Determine the reference time used for determinism (overridable by environment) -SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git log --format=%at -1)}" +SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git -c log.showSignature=false log --format=%at -1)}" # Execute "$@" in a pinned, possibly older version of Guix, for reproducibility # across time. -- cgit v1.2.3