guix-attest: Produce and sign normalized documents

dongcarl · dongcarl · commit fcab35b2292f · 2021-07-19T18:24:36.000-04:00
That way we can easily combine the document and detached signature to
produce cleartext signature files for upload during the release process.

See subsequent commits which modify doc/release-process.md for more
details.
diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest
@@ -159,6 +159,20 @@ Hint: You may wish to remove the existing attestations and their signatures by
 EOF
 }
 
+# Given a document with unix line endings (just <LF>) in stdin, make all lines
+# end in <CR><LF> and make sure there's no trailing <LF> at the end of the file.
+#
+# This is necessary as cleartext signatures are calculated on text after their
+# line endings are canonicalized.
+#
+# For more information:
+#     1. https://security.stackexchange.com/a/104261
+#     2. https://datatracker.ietf.org/doc/html/rfc4880#section-7.1
+#
+rfc4880_normalize_document() {
+    sed 's/$/\r/' | head -c -2
+}
+
 echo "Attesting to build outputs for version: '${VERSION}'"
 echo ""
 
@@ -174,7 +188,8 @@ mkdir -p "$outsigdir"
         cat "${noncodesigned_fragments[@]}" \
             | sort -u \
             | sort -k2 \
-                   > "$temp_noncodesigned"
+            | rfc4880_normalize_document \
+                > "$temp_noncodesigned"
         if [ -e noncodesigned.SHA256SUMS ]; then
             # The SHA256SUMS already exists, make sure it's exactly what we
             # expect, error out if not
@@ -201,7 +216,9 @@ mkdir -p "$outsigdir"
         cat "${sha256sum_fragments[@]}" \
             | sort -u \
             | sort -k2 \
-                   > "$temp_codesigned"
+            | sed 's/$/\r/' \
+            | rfc4880_normalize_document \
+                > "$temp_codesigned"
         if [ -e codesigned.SHA256SUMS ]; then
             # The SHA256SUMS already exists, make sure it's exactly what we
             # expect, error out if not
@@ -226,6 +243,7 @@ mkdir -p "$outsigdir"
         for i in *.SHA256SUMS; do
             if [ ! -e "$i".asc ]; then
                 gpg --detach-sign \
+                    --digest-algo sha256 \
                     --local-user "$gpg_key_name" \
                     --armor \
                     --output "$i".asc "$i"
