guix: Fixes to guix-{attest,verify} #22531
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Needs backport to 22.0 |
|
Thanks, just pushed up a branch that did what the first commit did but saw this more extensive one. I'd like to use |
|
I've changed it to make |
achow101
changed the title
dongcarl
reviewed
Jul 22, 2021
When verifying guix attestations, it is useful to set a particular signer's manifest as the base to compare against.
|
@dongcarl has informed me that replacing |
Here's the actual fix: diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest
index 51d589c1de..0270fcc50e 100755
--- a/contrib/guix/guix-attest
+++ b/contrib/guix/guix-attest
@@ -216,7 +216,6 @@ mkdir -p "$outsigdir"
cat "${sha256sum_fragments[@]}" \
| sort -u \
| sort -k2 \
- | sed 's/$/\r/' \
| rfc4880_normalize_document \
> "$temp_codesigned"
if [ -e codesigned.SHA256SUMS ]; then |
|
Added the fix in another commit. |
|
I've added an additional commit to resolve an issue where having |
|
Guix builds: 34fc2aa86fae587f58a5438533bd0288b302b32d1aaca5a00091e8f5a619b705 guix-build-3411491d0f99/output/aarch64-linux-gnu/SHA256SUMS.part
04f772df30f304e3a41431ae9cc51b86330bf7be0d53a7a96f710a1b63b0f51e guix-build-3411491d0f99/output/aarch64-linux-gnu/bitcoin-3411491d0f99-aarch64-linux-gnu-debug.tar.gz
6269f1978c585cee048e5f419aa435d0ac825f2b80752595cf6011bf94d94fe6 guix-build-3411491d0f99/output/aarch64-linux-gnu/bitcoin-3411491d0f99-aarch64-linux-gnu.tar.gz
7d6f22d6e8bd5a16e1e0ca29ea24cf5e1dfc633e9282b45619b10b0e10cfc02c guix-build-3411491d0f99/output/arm-linux-gnueabihf/SHA256SUMS.part
ac9759700084267b818914a74dc26dc305ebfe780d7ab725f34a1046a40b0d22 guix-build-3411491d0f99/output/arm-linux-gnueabihf/bitcoin-3411491d0f99-arm-linux-gnueabihf-debug.tar.gz
f7808dc0aab7525b16264033456507dd1ee82498328a91bb10656c9948cd331e guix-build-3411491d0f99/output/arm-linux-gnueabihf/bitcoin-3411491d0f99-arm-linux-gnueabihf.tar.gz
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 guix-build-3411491d0f99/output/dist-archive/SKIPATTEST.TAG
9b19a663259093234ad9c68c20e99b7544226bb3c76c625518b6b99e0aa20f7d guix-build-3411491d0f99/output/dist-archive/bitcoin-3411491d0f99.tar.gz
801247480ab2edd79724330148c30116fcbe6b62b22ff63da45d991e7fbc41df guix-build-3411491d0f99/output/powerpc64-linux-gnu/SHA256SUMS.part
e62ec0522847db648cdfab3cf1b11d6a4730a5bf5526d4e80beca28b5ee59e76 guix-build-3411491d0f99/output/powerpc64-linux-gnu/bitcoin-3411491d0f99-powerpc64-linux-gnu-debug.tar.gz
0949f868050a23c4dfe1a1ec8743a09264bfa9062225905de0aa705ec55d6447 guix-build-3411491d0f99/output/powerpc64-linux-gnu/bitcoin-3411491d0f99-powerpc64-linux-gnu.tar.gz
4b964c9d39e2a75773775425bfa56ef8de443cf64f539c41ee749d61ff7c23f8 guix-build-3411491d0f99/output/powerpc64le-linux-gnu/SHA256SUMS.part
7a36a5eb774aeca41c3b82dbf0b6d7a26ca98ede6eefac6ae3ae6ee86a34a451 guix-build-3411491d0f99/output/powerpc64le-linux-gnu/bitcoin-3411491d0f99-powerpc64le-linux-gnu-debug.tar.gz
72658040558c21f1ab6f4d955d7e93c5de088ae5280ba05697f253b69d370900 guix-build-3411491d0f99/output/powerpc64le-linux-gnu/bitcoin-3411491d0f99-powerpc64le-linux-gnu.tar.gz
79a23110848aaa3617e1cee8cfeb6792cb0bb854406a2c5195049a64e0bab679 guix-build-3411491d0f99/output/riscv64-linux-gnu/SHA256SUMS.part
ad266b7f8dc9748912414b21f68bfd047fb6cb662013287666043ff57d55499f guix-build-3411491d0f99/output/riscv64-linux-gnu/bitcoin-3411491d0f99-riscv64-linux-gnu-debug.tar.gz
e93a5d648f1db2f61a1c279ed304442b2f23b1449a81e43e7e7b788a467a5914 guix-build-3411491d0f99/output/riscv64-linux-gnu/bitcoin-3411491d0f99-riscv64-linux-gnu.tar.gz
9f654aa209f24cf2f40de2c3091f1b64745dec442a9f0f8d5c63b58931e52cca guix-build-3411491d0f99/output/x86_64-apple-darwin18/SHA256SUMS.part
b24ddfd85daa210dadb940c7d54a9f1915022a3f65a81c07a149b962823f9441 guix-build-3411491d0f99/output/x86_64-apple-darwin18/bitcoin-3411491d0f99-osx-unsigned.dmg
b8a5efe0cc08744c4ad42cb7dd75e81b4e0c341e474c54da2cc8e4726f510ba4 guix-build-3411491d0f99/output/x86_64-apple-darwin18/bitcoin-3411491d0f99-osx-unsigned.tar.gz
834f2553f85e3ba1b6c90cf37e8b50ec88527c26583d7e6ce7aa1a817c5dbe54 guix-build-3411491d0f99/output/x86_64-apple-darwin18/bitcoin-3411491d0f99-osx64.tar.gz
5f2c6c3034bb16271629e2896c61c94f623f9d27cae7928669a0273f6a8822cc guix-build-3411491d0f99/output/x86_64-linux-gnu/SHA256SUMS.part
9b288d445a27033134f54ae552ede420aa2095d579e78ec7b97455545a53fd25 guix-build-3411491d0f99/output/x86_64-linux-gnu/bitcoin-3411491d0f99-x86_64-linux-gnu-debug.tar.gz
6c63128c8658e28d2dec98c9d3553127f1b060f84c2dd40d5a434cf7ec3fecba guix-build-3411491d0f99/output/x86_64-linux-gnu/bitcoin-3411491d0f99-x86_64-linux-gnu.tar.gz
54283ef979293c66f742eb2778d47a4ad95c0ffebfef5b95a8149e692fb9d7c9 guix-build-3411491d0f99/output/x86_64-w64-mingw32/SHA256SUMS.part
0dcdf046ab7a7139f2d1b49e2138a3f4492f07599ab0c8b33be702c1cec9cf4b guix-build-3411491d0f99/output/x86_64-w64-mingw32/bitcoin-3411491d0f99-win-unsigned.tar.gz
001a402cd2a02c8a263f83b70d8aaf2d43c5d05bcde50e820159f5d6ba765a70 guix-build-3411491d0f99/output/x86_64-w64-mingw32/bitcoin-3411491d0f99-win64-debug.zip
a806fed96264625f30fb1c28ee3899fa9f40b6e68f8e921726af9968000a6931 guix-build-3411491d0f99/output/x86_64-w64-mingw32/bitcoin-3411491d0f99-win64-setup-unsigned.exe
d19a45362cc4ae07bc93e6f04ac9032552dfba867a6f68fca0b50e939d5c243b guix-build-3411491d0f99/output/x86_64-w64-mingw32/bitcoin-3411491d0f99-win64.zip |
|
I'm matching fanquake's |
Guix builds: |
laanwj
reviewed
Jul 28, 2021
One of the issues observed during the 22.0rc1 release process was that a codesigner's attestation mismatched non-codesigner attestations because the guix-codesign step was performed prior to tagging the version in bitcoin-detached-sigs.
guix-attest mistakenly added an extra \r to the line endings in all.SHA256SUMS, causing guix-verify to erroneously fail. Co-Authored-By: Carl Dong <contact@carldong.me>
If the user has set log.showSignature=true in their git config, then the git log will always output GPG signature information. Since git log is used to set EPOCH_SOURCE_DATE, this will mistakenly have GPG signature information in it which causes issues for the build. To avoid this issue, we override the config and force log.showSignature=false.
fanquake
approved these changes
Jul 29, 2021
fanquake
pushed a commit
to fanquake/bitcoin
that referenced
this pull request
Jul 29, 2021
Github-Pull: bitcoin#22531 Rebased-From: 33455c7
fanquake
pushed a commit
to fanquake/bitcoin
that referenced
this pull request
Jul 29, 2021
When verifying guix attestations, it is useful to set a particular signer's manifest as the base to compare against. Github-Pull: bitcoin#22531 Rebased-From: 4a46638
fanquake
pushed a commit
to fanquake/bitcoin
that referenced
this pull request
Jul 29, 2021
One of the issues observed during the 22.0rc1 release process was that a codesigner's attestation mismatched non-codesigner attestations because the guix-codesign step was performed prior to tagging the version in bitcoin-detached-sigs. Github-Pull: bitcoin#22531 Rebased-From: d080c27
fanquake
pushed a commit
to fanquake/bitcoin
that referenced
this pull request
Jul 29, 2021
guix-attest mistakenly added an extra \r to the line endings in all.SHA256SUMS, causing guix-verify to erroneously fail. Co-Authored-By: Carl Dong <contact@carldong.me> Github-Pull: bitcoin#22531 Rebased-From: 43225f0
fanquake
pushed a commit
to fanquake/bitcoin
that referenced
this pull request
Jul 29, 2021
If the user has set log.showSignature=true in their git config, then the git log will always output GPG signature information. Since git log is used to set EPOCH_SOURCE_DATE, this will mistakenly have GPG signature information in it which causes issues for the build. To avoid this issue, we override the config and force log.showSignature=false. Github-Pull: bitcoin#22531 Rebased-From: 9b313df
|
Backported in #22534. |
sidhujag
pushed a commit
to syscoin/syscoin
that referenced
this pull request
Jul 29, 2021
9b313df guix: Ensure EPOCH_SOURCE_DATE does not include GPG information (Andrew Chow) 43225f0 guix: Remove extra \r from all.SHA256SUMS line ending (Andrew Chow) d080c27 guix, doc: Add a note that codesigners need to rebuild after tagging (Andrew Chow) 4a46638 guix: Allow changing the base manifest in guix-verify (Andrew Chow) 33455c7 guix: Make all.SHA256SUMS rather than codesigned.SHA256SUMS (Andrew Chow) Pull request description: `guix-verify` expects `all.SHA256SUMS` but `guix-attest` produces `codesigned.SHA256SUMS`. Since `all.SHA256SUMS` makes more sense (as the file contains all the sha256sums, not just the codesigned ones), `guix-attest` has been changed to output a file of that name. As a quality of life improvement, `guix-verify` can take `SIGNER` and use the signer's manifest as the base to compare against. This makes it easier to compare a single person's attestations with everyone else's and can make it more obvious when one builder is clearly mismatching with everyone else. Lastly `release-process.md` is updated with a note about a gotcha that can cause a mismatch in the codesigned attestation. ACKs for top commit: fanquake: ACK 9b313df Tree-SHA512: 0d60627def38288dbd3059ad1e72cad224f9205da11b1a561c082ef28250a074df5cc5f2797c91a7be027bc486a3fda3319c2e496a8724e5b539337236c6f990
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
guix-verifyexpectsall.SHA256SUMSbutguix-attestproducescodesigned.SHA256SUMS. Sinceall.SHA256SUMSmakes more sense (as the file contains all the sha256sums, not just the codesigned ones),guix-attesthas been changed to output a file of that name.As a quality of life improvement,
guix-verifycan takeSIGNERand use the signer's manifest as the base to compare against. This makes it easier to compare a single person's attestations with everyone else's and can make it more obvious when one builder is clearly mismatching with everyone else.Lastly
release-process.mdis updated with a note about a gotcha that can cause a mismatch in the codesigned attestation.