guix: Attest to inputs in inputs.SHA256SUMS

At build/codesigning-time, hash build inputs and output the digest to ${OUTDIR}/inputs.SHA256SUMS, which gets included in the final SHA256SUMS constructed by guix-attest. Example final SHA256SUMS: ee832d2a35b7701bff581dea05a536118b118e3ad0a587a2855b6ee8cd6fba20 inputs/bitcoin-78199266af7b.tar.gz ca765e70a0c12866dd63c0be228b675278a26329e5f8f5b5c52fd09200fedf21 bitcoin-78199266af7b-powerpc64le-linux-gnu-debug.tar.gz dae95327d7f2c324e2728c4b73627be6cb2c0d2f2e5bea940d1d5e6463939327 bitcoin-78199266af7b-powerpc64le-linux-gnu.tar.gz
4 years ago · d522d8006b
parent f9e2960c01
commit d522d8006b
2 changed files with 24 additions and 2 deletions
--- a/contrib/guix/guix-attest
+++ b/contrib/guix/guix-attest
@ -153,10 +153,17 @@ for outdir in "${OUTDIRS[@]}"; do
        outdirs_already_attested_to+=("$outdir")
    else
        mkdir -p "$outsigdir"
-        echo "${outname}: Hashing build outputs to produce SHA256SUMS"
+
        (
            cd "$outdir"
-            files="$(find . -type f)"
+
+            if [ -e inputs.SHA256SUMS ]; then
+                echo "${outname}: Including existent input SHA256SUMS"
+                cat inputs.SHA256SUMS >> "$outsigdir"/SHA256SUMS
+            fi
+
+            echo "${outname}: Hashing build outputs to produce SHA256SUMS"
+            files="$(find -L . -type f ! -iname '*.SHA256SUMS')"
            if [ -n "$files" ]; then
                cut -c3- <<< "$files" | env LC_ALL=C sort | xargs sha256sum >> "$outsigdir"/SHA256SUMS
            else
--- a/contrib/guix/libexec/build.sh
+++ b/contrib/guix/libexec/build.sh
@ -231,6 +231,21 @@ if [ ! -e "$GIT_ARCHIVE" ]; then
    git archive --prefix="${DISTNAME}/" --output="$GIT_ARCHIVE" HEAD
 fi

+# tmpdir="$(mktemp -d)"
+# (
+#     cd "$tmpdir"
+#     mkdir -p inputs
+#     ln -sf --target-directory=inputs "$GIT_ARCHIVE"
+
+#     mkdir -p "$OUTDIR"
+#     find -L inputs -type f -print0 | xargs -0 sha256sum > "${OUTDIR}/inputs.SHA256SUMS"
+# )
+
+mkdir -p "$OUTDIR"
+cat << EOF > "$OUTDIR"/inputs.SHA256SUMS
+$(sha256sum "$GIT_ARCHIVE" | cut -d' ' -f1)  inputs/$(basename "$GIT_ARCHIVE")
+EOF
+
 ###########################
 # Binary Tarball Building #
 ###########################