_1password-gui: Refactor update.sh to decrease manual work burden (#387535)

Author: khaneliman

pkgs/applications/misc/1password-gui/default.nix

@@ -10,46 +10,11 @@
 
 let
   pname = "1password";
-  version = if channel == "stable" then "8.10.60" else "8.10.68-12.BETA";
 
-  sources = {
-    stable = {
-      x86_64-linux = {
-        url = "https://downloads.1password.com/linux/tar/stable/x86_64/1password-${version}.x64.tar.gz";
-        hash = "sha256-QCoV66LvGo6vA5fjuE3fG+LwehKVMPmgaDghh9YEvmA=";
-      };
-      aarch64-linux = {
-        url = "https://downloads.1password.com/linux/tar/stable/aarch64/1password-${version}.arm64.tar.gz";
-        hash = "sha256-E5TniXur9ATJ3ER/zTFc6EiBrH/kbNvIao0ADLyBZZE=";
-      };
-      x86_64-darwin = {
-        url = "https://downloads.1password.com/mac/1Password-${version}-x86_64.zip";
-        hash = "sha256-2Nv4CHKLgCFbU1TeJQhIq8YdkJSQJXtUw2S17B8cS4s=";
-      };
-      aarch64-darwin = {
-        url = "https://downloads.1password.com/mac/1Password-${version}-aarch64.zip";
-        hash = "sha256-drJiM8EiUM3M54+KPQdLvAmSfBH5YPqQk14yjHzoBtM=";
-      };
-    };
-    beta = {
-      x86_64-linux = {
-        url = "https://downloads.1password.com/linux/tar/beta/x86_64/1password-${version}.x64.tar.gz";
-        hash = "sha256-/0Y1qnCI/gXGKTHk9EIaUVbHTwRkOvwOOiMif6sRkqw=";
-      };
-      aarch64-linux = {
-        url = "https://downloads.1password.com/linux/tar/beta/aarch64/1password-${version}.arm64.tar.gz";
-        hash = "sha256-4J6a10r5n8ffqC5Y2pjO/GJLXY5AQDkQWmFNLYeK/Xw=";
-      };
-      x86_64-darwin = {
-        url = "https://downloads.1password.com/mac/1Password-${version}-x86_64.zip";
-        hash = "sha256-XvflRqqUI59ekuSiQXyACzS94VIrl8wJjemi0xAznZU=";
-      };
-      aarch64-darwin = {
-        url = "https://downloads.1password.com/mac/1Password-${version}-aarch64.zip";
-        hash = "sha256-UErp3pcSXz/C5s3JraLoBN89tL8ghgJ3XLpg7KtU8Sc=";
-      };
-    };
-  };
+  versions = builtins.fromJSON (builtins.readFile ./versions.json);
+  inherit (versions.${channel} or (throw "unknown channel ${channel}")) version;
+
+  sources = builtins.fromJSON (builtins.readFile ./sources.json);
 
   src = fetchurl {
     inherit

pkgs/applications/misc/1password-gui/sources.json

@@ -0,0 +1,38 @@
+{
+  "stable": {
+    "x86_64-linux": {
+      "url": "https://downloads.1password.com/linux/tar/stable/x86_64/1password-8.10.60.x64.tar.gz",
+      "hash": "sha256-QCoV66LvGo6vA5fjuE3fG+LwehKVMPmgaDghh9YEvmA="
+    },
+    "aarch64-linux": {
+      "url": "https://downloads.1password.com/linux/tar/stable/aarch64/1password-8.10.60.arm64.tar.gz",
+      "hash": "sha256-E5TniXur9ATJ3ER/zTFc6EiBrH/kbNvIao0ADLyBZZE="
+    },
+    "x86_64-darwin": {
+      "url": "https://downloads.1password.com/mac/1Password-8.10.60-x86_64.zip",
+      "hash": "sha256-2Nv4CHKLgCFbU1TeJQhIq8YdkJSQJXtUw2S17B8cS4s="
+    },
+    "aarch64-darwin": {
+      "url": "https://downloads.1password.com/mac/1Password-8.10.60-aarch64.zip",
+      "hash": "sha256-drJiM8EiUM3M54+KPQdLvAmSfBH5YPqQk14yjHzoBtM="
+    }
+  },
+  "beta": {
+    "x86_64-linux": {
+      "url": "https://downloads.1password.com/linux/tar/beta/x86_64/1password-8.10.68-12.BETA.x64.tar.gz",
+      "hash": "sha256-/0Y1qnCI/gXGKTHk9EIaUVbHTwRkOvwOOiMif6sRkqw="
+    },
+    "aarch64-linux": {
+      "url": "https://downloads.1password.com/linux/tar/beta/aarch64/1password-8.10.68-12.BETA.arm64.tar.gz",
+      "hash": "sha256-4J6a10r5n8ffqC5Y2pjO/GJLXY5AQDkQWmFNLYeK/Xw="
+    },
+    "x86_64-darwin": {
+      "url": "https://downloads.1password.com/mac/1Password-8.10.68-12.BETA-x86_64.zip",
+      "hash": "sha256-XvflRqqUI59ekuSiQXyACzS94VIrl8wJjemi0xAznZU="
+    },
+    "aarch64-darwin": {
+      "url": "https://downloads.1password.com/mac/1Password-8.10.68-12.BETA-aarch64.zip",
+      "hash": "sha256-UErp3pcSXz/C5s3JraLoBN89tL8ghgJ3XLpg7KtU8Sc="
+    }
+  }
+}

pkgs/applications/misc/1password-gui/update.sh

@@ -1,58 +1,83 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p jq
+#!nix-shell -i bash -p jq gnupg
 #shellcheck shell=bash
 
-CURRENT_HASH=""
-
-print_hash() {
-    OS="$1"
-    CHANNEL="$2"
-    ARCH="$3"
-    VERSION="$4"
-
-    if [[ "$OS" == "linux" ]]; then
-        if [[ "$ARCH" == "x86_64" ]]; then
-            EXT="x64.tar.gz"
-        else
-            EXT="arm64.tar.gz"
-        fi
-        URL="https://downloads.1password.com/${OS}/tar/${CHANNEL}/${ARCH}/1password-${VERSION}.${EXT}"
+set -euo pipefail
+
+cd -- "$(dirname "${BASH_SOURCE[0]}")"
+
+mk_url() {
+  local \
+    base_url="https://downloads.1password.com" \
+    os="$1" \
+    channel="$2" \
+    arch="$3" \
+    version="$4"
+
+  if [[ ${os} == "linux" ]]; then
+    if [[ ${arch} == "x86_64" ]]; then
+      ext="x64.tar.gz"
     else
-        EXT="$ARCH.zip"
-        URL="https://downloads.1password.com/${OS}/1Password-${VERSION}-${EXT}"
+      ext="arm64.tar.gz"
     fi
+    url="${base_url}/${os}/tar/${channel}/${arch}/1password-${version}.${ext}"
+  else
+    ext="${arch}.zip"
+    url="${base_url}/mac/1Password-${version}-${ext}"
+  fi
+
+  echo "${url}"
+}
 
-    CURRENT_HASH=$(nix store prefetch-file "$URL" --json | jq -r '.hash')
+cleanup() {
+  if [[ -f ${GPG_KEYRING-} ]]; then
+    rm "${GPG_KEYRING}"
+  fi
 
-    echo "$CHANNEL ${ARCH}-${OS}: $CURRENT_HASH"
+  if [[ -f ${JSON_HEAP-} ]]; then
+    rm "${JSON_HEAP}"
+  fi
 }
 
-if [[ -z "$STABLE_VER" && -n "$1" ]]; then
-    STABLE_VER="$1"
-fi
-
-if [[ -z "$BETA_VER" && -n "$2" ]]; then
-    BETA_VER="$2"
-fi
-
-if [[ "${BETA_VER: -4}" != "BETA" ]]; then
-    BETA_VER="$BETA_VER.BETA"
-fi
-
-if [[ -z "$STABLE_VER" ]]; then
-    echo "No 'STABLE_VER' environment variable provided, skipping"
-else
-    print_hash "linux" "stable" "x86_64" "$STABLE_VER"
-    print_hash "linux" "stable" "aarch64" "$STABLE_VER"
-    print_hash "mac" "stable" "x86_64" "$STABLE_VER"
-    print_hash "mac" "stable" "aarch64" "$STABLE_VER"
-fi
-
-if [[ -z "$BETA_VER" ]]; then
-    echo "No 'BETA_VER' environment variable provided, skipping"
-else
-    print_hash "linux" "beta" "x86_64" "$BETA_VER"
-    print_hash "linux" "beta" "aarch64" "$BETA_VER"
-    print_hash "mac" "beta" "x86_64" "$BETA_VER"
-    print_hash "mac" "beta" "aarch64" "$BETA_VER"
-fi
+trap cleanup EXIT
+
+# Get channel versions from versions.json
+declare -A version=(
+  ["stable"]=$(jq -r '.stable.version' versions.json)
+  ["beta"]=$(jq -r '.beta.version' versions.json)
+)
+
+#
+GPG_KEYRING=$(mktemp -t 1password.kbx.XXXXXX)
+gpg --no-default-keyring --keyring "${GPG_KEYRING}" \
+  --keyserver keyserver.ubuntu.com \
+  --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
+
+JSON_HEAP=$(mktemp -t 1password-gui.jsonheap.XXXXXX)
+for channel in stable beta; do
+  for os in linux darwin; do
+    for arch in x86_64 aarch64; do
+      url=$(mk_url ${os} ${channel} ${arch} "${version[${channel}]}")
+      nix store prefetch-file --json "${url}" | jq "
+        {
+          \"${channel}\": {
+             \"${arch}-${os}\": {
+               \"url\": \"${url}\",
+               \"hash\": .hash,
+               \"storePath\": .storePath
+             }
+           }
+        }" >> "${JSON_HEAP}"
+
+      # For some reason 1Password PGP signs only Linux binaries.
+      if [[ ${os} == "linux" ]]; then
+         gpgv --keyring "${GPG_KEYRING}" \
+           $(nix store prefetch-file --json "${url}.sig" | jq -r .storePath) \
+           $(jq -r --slurp ".[-1].[].[].storePath" "${JSON_HEAP}")
+      fi
+    done
+  done
+done
+
+# Combine heap of hash+url objects into a single JSON object.
+jq --slurp 'reduce .[] as $x ({}; . * $x) | del (.[].[].storePath)' "${JSON_HEAP}" > sources.json

pkgs/applications/misc/1password-gui/versions.json

@@ -0,0 +1,9 @@
+{
+  "stable": {
+    "version": "8.10.60"
+  },
+
+  "beta": {
+    "version": "8.10.68-12.BETA"
+  }
+}