guix-attest: Error out if SHA256SUMS is unexpected

dongcarl · dongcarl · commit e2c40a4ed527 · 2021-06-14T17:05:26.000-04:00
diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest
@@ -102,15 +102,15 @@ fi
 echo "Looking for build output SHA256SUMS fragments in ${OUTDIR_BASE}"
 
 shopt -s nullglob
-OUTDIRS=( "$OUTDIR_BASE"/*/SHA256SUMS.part ) # This expands to an array of directories...
+sha256sum_fragments=( "$OUTDIR_BASE"/*/SHA256SUMS.part ) # This expands to an array of directories...
 shopt -u nullglob
 
 noncodesigned_fragments=()
 codesigned_fragments=()
 
-if (( ${#OUTDIRS[@]} )); then
+if (( ${#sha256sum_fragments[@]} )); then
     echo "Found build output SHA256SUMS fragments:"
-    for outdir in "${OUTDIRS[@]}"; do
+    for outdir in "${sha256sum_fragments[@]}"; do
         echo "    '$outdir'"
         case "$outdir" in
             "$OUTDIR_BASE"/*-codesigned/SHA256SUMS.part)
@@ -139,6 +139,26 @@ out_name() {
     basename "$(dirname "$1")"
 }
 
+shasum_already_exists() {
+cat <<EOF
+--
+
+ERR: An ${1} file already exists for '${VERSION}' and attests
+     differently. You likely previously attested to a partial build (e.g. one
+     where you specified the HOST environment variable).
+
+     See the diff above for more context.
+
+Hint: You may wish to remove the existing attestations and their signatures by
+      invoking:
+
+          rm '${PWD}/${1}'{,.asc}
+
+      Then try running this script again.
+
+EOF
+}
+
 echo "Attesting to build outputs for version: '${VERSION}'"
 echo ""
 
@@ -147,40 +167,60 @@ mkdir -p "$outsigdir"
 (
     cd "$outsigdir"
 
-    if [ -e "noncodesigned.SHA256SUMS" ]; then
-        echo "noncodesigned.SHA256SUMS already exists, using..."
-    elif (( ${#noncodesigned_fragments[@]} )); then
+    temp_noncodesigned="$(mktemp)"
+    trap 'rm -rf -- "$temp_noncodesigned"' EXIT
+
+    if (( ${#noncodesigned_fragments[@]} )); then
         cat "${noncodesigned_fragments[@]}" \
             | sort -u \
             | sort -k2 \
-                   > noncodesigned.SHA256SUMS
+                   > "$temp_noncodesigned"
+        if [ -e noncodesigned.SHA256SUMS ]; then
+            # The SHA256SUMS already exists, make sure it's exactly what we
+            # expect, error out if not
+            if diff -u noncodesigned.SHA256SUMS "$temp_noncodesigned"; then
+                echo "A noncodesigned.SHA256SUMS file already exists for '${VERSION}' and is up-to-date."
+            else
+                shasum_already_exists noncodesigned.SHA256SUMS
+                exit 1
+            fi
+        else
+            mv "$temp_noncodesigned" noncodesigned.SHA256SUMS
+        fi
     else
-        echo "no noncodesigned outputs found"
+        echo "ERR: No noncodesigned outputs found for '${VERSION}', exiting..."
+        exit 1
     fi
 
-    if [ -e noncodesigned.SHA256SUMS ]; then
-        # noncodesigned.SHA256SUMS already exists, or was produced, let's sanity
-        # check it.
-        ( cd "$OUTDIR_BASE"; sha256sum -c "$outsigdir"/noncodesigned.SHA256SUMS )
-
-        # Now produce all.SHA256SUMS manifest
-        if [ -e "all.SHA256SUMS" ]; then
-            echo "all.SHA256SUMS already there!"
-        elif (( ${#codesigned_fragments[@]} )); then
-            cat "${OUTDIRS[@]}" \
-                | sort -u \
-                | sort -k2 \
-                       > all.SHA256SUMS
-        else
-            echo "no codesigned outputs found"
-        fi
+    temp_codesigned="$(mktemp)"
+    trap 'rm -rf -- "$temp_codesigned"' EXIT
 
-        if [ -e all.SHA256SUMS ]; then
-            ( cd "$OUTDIR_BASE"; sha256sum -c "$outsigdir"/all.SHA256SUMS )
+    if (( ${#codesigned_fragments[@]} )); then
+        # Note: all.SHA256SUMS attests to all of $sha256sum_fragments, but is
+        #       not needed if there are no $codesigned_fragments
+        cat "${sha256sum_fragments[@]}" \
+            | sort -u \
+            | sort -k2 \
+                   > "$temp_codesigned"
+        if [ -e codesigned.SHA256SUMS ]; then
+            # The SHA256SUMS already exists, make sure it's exactly what we
+            # expect, error out if not
+            if diff -u all.SHA256SUMS "$temp_codesigned"; then
+                echo "An all.SHA256SUMS file already exists for '${VERSION}' and is up-to-date."
+            else
+                shasum_already_exists all.SHA256SUMS
+                exit 1
+            fi
+        else
+            mv "$temp_codesigned" codesigned.SHA256SUMS
         fi
+    else
+        # It is fine to have the codesigned outputs be missing (perhaps the
+        # detached codesigs have not been published yet), just print a log
+        # message instead of erroring out
+        echo "INFO: No codesigned outputs found for '${VERSION}', skipping..."
     fi
 
-
     if [ -z "$NO_SIGN" ]; then
         echo "Signing SHA256SUMS to produce SHA256SUMS.asc"
         for i in *.SHA256SUMS; do
