btcpayserver, nbxplorer: gpg verify upstream sources

2021-05-05 13:59:37 +02:00 · 2021-05-05 13:59:37 +02:00 · 1608efae17
commit 1608efae17
parent 60c6153ab1
1 changed files with 42 additions and 19 deletions
--- a/pkgs/applications/blockchains/nbxplorer/util/update-common.sh
+++ b/pkgs/applications/blockchains/nbxplorer/util/update-common.sh
@ -1,16 +1,16 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p coreutils curl jq common-updater-scripts dotnet-sdk_3
+#!nix-shell -i bash -p coreutils curl jq common-updater-scripts dotnet-sdk_3 git gnupg
 set -euo pipefail

 # This script uses the following env vars:
 # getVersionFromTags
-# onlyCreateDeps
+# refetch

 pkgName=$1
 depsFile=$2

 : ${getVersionFromTags:=}
-: ${onlyCreateDeps:=}
+: ${refetch:=}

 scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
 nixpkgs=$(realpath "$scriptDir"/../../../../..)
@ -29,23 +29,46 @@ getLatestVersionTag() {
    | sort -V | tail -1 | sed 's|^v||'
 }

-if [[ ! $onlyCreateDeps ]]; then
-  oldVersion=$(evalNixpkgs "$pkgName.version")
-  if [[ $getVersionFromTags ]]; then
-    newVersion=$(getLatestVersionTag)
-  else
-    newVersion=$(curl -s "https://api.github.com/repos/$(getRepo)/releases" | jq -r '.[0].name')
-  fi
-
-  if [[ $newVersion == $oldVersion ]]; then
-    echo "nixpkgs already has the latest version $newVersion"
-    echo "Run this script with env var onlyCreateDeps=1 to recreate "$(basename "$depsFile")
-    exit 0
-  else
-    echo "Updating $pkgName: $oldVersion -> $newVersion"
-    (cd "$nixpkgs" && update-source-version "$pkgName" "$newVersion")
-  fi
+oldVersion=$(evalNixpkgs "$pkgName.version")
+if [[ $getVersionFromTags ]]; then
+  newVersion=$(getLatestVersionTag)
+else
+  newVersion=$(curl -s "https://api.github.com/repos/$(getRepo)/releases" | jq -r '.[0].name')
 fi

+if [[ $newVersion == $oldVersion && ! $refetch ]]; then
+  echo "nixpkgs already has the latest version $newVersion"
+  echo "Run this script with env var refetch=1 to re-verify the content hash via GPG"
+  echo "and to recreate $(basename "$depsFile"). This is useful for reviewing a version update."
+  exit 0
+fi
+
+# Fetch release and GPG-verify the content hash
+tmpdir=$(mktemp -d /tmp/$pkgName-verify-gpg.XXX)
+repo=$tmpdir/repo
+trap "rm -rf $tmpdir" EXIT
+git clone --depth 1 --branch v${newVersion} -c advice.detachedHead=false https://github.com/$(getRepo) $repo
+export GNUPGHOME=$tmpdir
+# Fetch Nicolas Dorier's key (64-bit key ID: 6618763EF09186FE)
+gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys AB4CFA9895ACA0DBE27F6B346618763EF09186FE 2> /dev/null
+echo
+echo "Verifying commit"
+git -C $repo verify-commit HEAD
+rm -rf $repo/.git
+newHash=$(nix hash-path $repo)
+rm -rf $tmpdir
+echo
+
+# Update pkg version and hash
+echo "Updating $pkgName: $oldVersion -> $newVersion"
+if [[ $newVersion == $oldVersion ]]; then
+  # Temporarily set a source version that doesn't equal $newVersion so that $newHash
+  # is always updated in the next call to update-source-version.
+  (cd "$nixpkgs" && update-source-version "$pkgName" "0" "0000000000000000000000000000000000000000000000000000")
+fi
+(cd "$nixpkgs" && update-source-version "$pkgName" "$newVersion" "$newHash")
+echo
+
+# Create deps file
 storeSrc="$(nix-build "$nixpkgs" -A $pkgName.src --no-out-link)"
 . "$scriptDir"/create-deps.sh "$storeSrc" "$depsFile"