From d522d8006b891eccd7901faf391f9c041ddf8e38 Mon Sep 17 00:00:00 2001
From: Carl Dong
Date: Tue, 20 Apr 2021 15:53:08 -0400
Subject: [PATCH] guix: Attest to inputs in inputs.SHA256SUMS

At build/codesigning-time, hash build inputs and output the digest to ${OUTDIR}/inputs.SHA256SUMS, which gets included in the final SHA256SUMS constructed by guix-attest.

Example final SHA256SUMS:

ee832d2a35b7701bff581dea05a536118b118e3ad0a587a2855b6ee8cd6fba20  inputs/bitcoin-78199266af7b.tar.gz
ca765e70a0c12866dd63c0be228b675278a26329e5f8f5b5c52fd09200fedf21  bitcoin-78199266af7b-powerpc64le-linux-gnu-debug.tar.gz
dae95327d7f2c324e2728c4b73627be6cb2c0d2f2e5bea940d1d5e6463939327  bitcoin-78199266af7b-powerpc64le-linux-gnu.tar.gz
---
 contrib/guix/guix-attest      | 11 +++++++++--
 contrib/guix/libexec/build.sh | 15 +++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest
index 6aa6ce4716d..5093dcb69d3 100755
--- a/contrib/guix/guix-attest
+++ b/contrib/guix/guix-attest
@@ -153,10 +153,17 @@ for outdir in "${OUTDIRS[@]}"; do
         outdirs_already_attested_to+=("$outdir")
     else
         mkdir -p "$outsigdir"
-        echo "${outname}: Hashing build outputs to produce SHA256SUMS"
+
         (
             cd "$outdir"
-            files="$(find . -type f)"
+
+            if [ -e inputs.SHA256SUMS ]; then
+                echo "${outname}: Including existent input SHA256SUMS"
+                cat inputs.SHA256SUMS >> "$outsigdir"/SHA256SUMS
+            fi
+
+            echo "${outname}: Hashing build outputs to produce SHA256SUMS"
+            files="$(find -L . -type f ! -iname '*.SHA256SUMS')"
             if [ -n "$files" ]; then
                 cut -c3- <<< "$files" | env LC_ALL=C sort | xargs sha256sum >> "$outsigdir"/SHA256SUMS
             else
diff --git a/contrib/guix/libexec/build.sh b/contrib/guix/libexec/build.sh
index 1bd4fee8841..ce61cd52c7a 100644
--- a/contrib/guix/libexec/build.sh
+++ b/contrib/guix/libexec/build.sh
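Review bot: The new `cat inputs.SHA256SUMS >> "$outsigdir"/SHA256SUMS` line copies whatever the build wrote into the manifest that is about to be signed, with no check that it holds well-formed checksum lines, so a malformed or extra line in that file gets attested to and can break `sha256sum -c` for every verifier. A one-line format check before the `cat` bounds that, `grep -Evq '^[0-9a-f]{64}  inputs/[^ /]+$' inputs.SHA256SUMS && { echo "${outname}: malformed inputs.SHA256SUMS" >&2; exit 1; }`, and `[ -f inputs.SHA256SUMS ]` is a tighter test than `-e`, which also accepts a directory or symlink of that name. Note that `exit` there only leaves the `( cd "$outdir" … )` subshell, whose closing paren and the enclosing `for` loop lie outside this hunk, so the subshell's status still has to be checked by the caller. Separately, `find -L .` now follows symlinks inside the output directory, so a link's target content is hashed under the link's name; if that is intended (the same commit leaves a symlink-based variant commented out in build.sh) a short comment saying why would help, otherwise plain `find .` is the safer choice.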
@@ -231,6 +231,21 @@ if [ ! -e "$GIT_ARCHIVE" ]; then
     git archive --prefix="${DISTNAME}/" --output="$GIT_ARCHIVE" HEAD
 fi
 
+# tmpdir="$(mktemp -d)"
+# (
+#     cd "$tmpdir"
+#     mkdir -p inputs
+#     ln -sf --target-directory=inputs "$GIT_ARCHIVE"
+
+#     mkdir -p "$OUTDIR"
+#     find -L inputs -type f -print0 | xargs -0 sha256sum > "${OUTDIR}/inputs.SHA256SUMS"
+# )
+
+mkdir -p "$OUTDIR"
+cat << EOF > "$OUTDIR"/inputs.SHA256SUMS
+$(sha256sum "$GIT_ARCHIVE" | cut -d' ' -f1)  inputs/$(basename "$GIT_ARCHIVE")
+EOF
+
 ###########################
 # Binary Tarball Building #
 ###########################
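Review bot: The digest is computed inside a heredoc, `$(sha256sum "$GIT_ARCHIVE" | cut -d' ' -f1)`, so a failing `sha256sum` (archive missing or unreadable) is masked by the successful `cat` and a line with an empty digest is written to `inputs.SHA256SUMS` and later attested to; even if the script runs under `set -e`, which this hunk does not show, a substitution failure inside a heredoc does not abort it. Assigning the digest first, `git_archive_hash="$(sha256sum "$GIT_ARCHIVE" | cut -d' ' -f1)"` followed by `printf '%s  inputs/%s\n' "$git_archive_hash" "$(basename "$GIT_ARCHIVE")" > "$OUTDIR"/inputs.SHA256SUMS`, lets `set -e`/`pipefail` (if enabled) surface the failure and pins the two-space separator that `sha256sum -c` requires, which the collapsed diff does not let me confirm the heredoc has. The nine-line commented-out `mktemp`/symlink variant above it should be dropped rather than committed, or reduced to a one-line comment on why the `inputs/` prefix is written by hand. A short comment that `inputs/…` is a path verifiers must create themselves, since the archive is not placed under `$OUTDIR/inputs`, would also help readers of the resulting SHA256SUMS.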