Commit d522d80

guix: Attest to inputs in inputs.SHA256SUMS
At build/codesigning-time, hash build inputs and output the digest to ${OUTDIR}/inputs.SHA256SUMS, which gets included in the final SHA256SUMS constructed by guix-attest.

Example final SHA256SUMS:

    ee832d2a35b7701bff581dea05a536118b118e3ad0a587a2855b6ee8cd6fba20 inputs/bitcoin-78199266af7b.tar.gz
    ca765e70a0c12866dd63c0be228b675278a26329e5f8f5b5c52fd09200fedf21 bitcoin-78199266af7b-powerpc64le-linux-gnu-debug.tar.gz
    dae95327d7f2c324e2728c4b73627be6cb2c0d2f2e5bea940d1d5e6463939327 bitcoin-78199266af7b-powerpc64le-linux-gnu.tar.gz

1 parent f9e2960 commit d522d80

2 files changed

+24
-2
lines changed

contrib/guix/guix-attest

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -153,10 +153,17 @@ for outdir in "${OUTDIRS[@]}"; do
153153
outdirs_already_attested_to+=("$outdir")
154154
else
155155
mkdir -p "$outsigdir"
156-
echo "${outname}: Hashing build outputs to produce SHA256SUMS"
156+
157157
(
158158
cd "$outdir"
159-
files="$(find . -type f)"
159+
160+
if [ -e inputs.SHA256SUMS ]; then
161+
echo "${outname}: Including existent input SHA256SUMS"
162+
cat inputs.SHA256SUMS >> "$outsigdir"/SHA256SUMS
163+
fi
164+
165+
echo "${outname}: Hashing build outputs to produce SHA256SUMS"
166+
files="$(find -L . -type f ! -iname '*.SHA256SUMS')"
160167
if [ -n "$files" ]; then
161168
cut -c3- <<< "$files" | env LC_ALL=C sort | xargs sha256sum >> "$outsigdir"/SHA256SUMS
162169
else
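Review bot: The new `! -iname '*.SHA256SUMS'` filter on the `find -L` line is wider than the one file it has to skip. It is case-insensitive and matches at any depth, so any build output whose name ends in .SHA256SUMS is silently left out of the attestation; restricting it to the file that was just appended, for example `! -path ./inputs.SHA256SUMS`, keeps everything else hashed. The switch to `find -L` also makes the hashing follow symlinks inside the output directory, which the commit message does not explain, so a short comment on why it is needed would help. Finally, the lines from inputs.SHA256SUMS are appended as-is, so the signed SHA256SUMS carries whatever build.sh wrote there without any check of its format.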

contrib/guix/libexec/build.sh

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -231,6 +231,21 @@ if [ ! -e "$GIT_ARCHIVE" ]; then
231231
git archive --prefix="${DISTNAME}/" --output="$GIT_ARCHIVE" HEAD
232232
fi
233233

234+
# tmpdir="$(mktemp -d)"
235+
# (
236+
# cd "$tmpdir"
237+
# mkdir -p inputs
238+
# ln -sf --target-directory=inputs "$GIT_ARCHIVE"
239+
240+
# mkdir -p "$OUTDIR"
241+
# find -L inputs -type f -print0 | xargs -0 sha256sum > "${OUTDIR}/inputs.SHA256SUMS"
242+
# )
243+
244+
mkdir -p "$OUTDIR"
245+
cat << EOF > "$OUTDIR"/inputs.SHA256SUMS
246+
$(sha256sum "$GIT_ARCHIVE" | cut -d' ' -f1) inputs/$(basename "$GIT_ARCHIVE")
247+
EOF
248+
234249
###########################
235250
# Binary Tarball Building #
236251
###########################
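Review bot: In the heredoc that writes inputs.SHA256SUMS, a failure of `sha256sum "$GIT_ARCHIVE"` goes unnoticed: it runs inside a command substitution and a pipeline ending in `cut`, so the status that counts is `cat`'s, and the file would be written with an empty digest in front of `inputs/...`. Computing the digest into a variable first and aborting when it is empty would make a bad or missing archive fail the build instead of producing an attestation line with no hash. The commented-out `tmpdir`/`find -L inputs` block above it is dead code; either remove it or add a comment saying why it is kept.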
