guix: Add guix-{attest,verify} scripts #21462
Conversation
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsNo conflicts as of last run. |
e896333 to
5da0e36
Compare
|
Perhaps we can test this by doing a trial run? I've PR'ed my attestations of 5da0e36 here: bitcoin-core/guix.sigs#1 What I did:
Once you've run |
There was a problem hiding this comment.
Tested 5da0e36.
Result: bitcoin-core/guix.sigs#2
Once you've run
./contrib/guix/guix-attest, you can verify against my signatures using:$ env GUIX_SIGS_REPO=<path/to/guix.sigs> ./contrib/guix/guix-verify
I think it is possible when bitcoin-core/guix.sigs#1 is merged, no?
The PR doesn't have to be merged, you should be able to just fetch and checkout the branch you want to verify against. |
|
I have done a trial run through the attestation / verify steps as well. bitcoin-core/guix.sigs#3. Note that for anyone attesting/verifying on macOS, the invocations of |
contrib/guix/guix-attest
Outdated
| find . -type f -printf '%P\0' | env LC_ALL=C sort -z | xargs -r0 sha256sum >> "$outsigdir"/SHA256SUMS | ||
| ) | ||
| echo "${outname}: Signing SHA256SUMS to produce SHA256SUMS.asc" | ||
| gpg --detach-sign --local-user "$gpg_key_name" --output "$outsigdir"/SHA256SUMS.asc "$outsigdir"/SHA256SUMS |
There was a problem hiding this comment.
If you're producing .asc files I think it would be expected that they're ascii-armored (--armor); otherwise use the .sig extension (this doesn't really matter, but it's a convention).
Please see commit messages for more explanations. Signatures up here: https://github.com/dongcarl/guix.sigs/tree/2021-04-PR21462/7cd57f3ac308 |
|
Wondering if the latest changes look alright, and what else needs fixing up here before it's ready for merge! |
There was a problem hiding this comment.
Concept ACK 7cd57f3 🍠
Show signature and timestamp
Signature:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Concept ACK 7cd57f3ac308ba296842289542b15e902f105964 🍠
-----BEGIN PGP SIGNATURE-----
iQGzBAEBCgAdFiEE+rVPoUahrI9sLGYTzit1aX5ppUgFAlwqrYAACgkQzit1aX5p
pUiWMwv+MSUhxaO+wyNQ7iSyL1e3PrBcw5kLsXZDz8aWT27W8ZMJLoArJWD6K10p
o5QHYUJSg9HL/4QOQ+g+VCt6fdA2ktjpeKsrKfoivgMwfV5ZO2UowUHazuaxzi/k
oAR+xOLaWpsuKqvwSEsV9n0E53A7a5E/6jj5O2U9Nt2QFStRCW82q5Sm6cApy/mn
wTrvHQn4cqFqe+Io2WKnIvLFP8V/blggXRbGynm8+v1PBGyVTXoBP/CVbklc7JNj
Wl2hcY2Fzn0LfWgqRagtAlOTH/xxwbvPm/6PMfOqJg0u2Y4/e6KojTuFBYEQrXM4
vrjI3rRqjzg6fMa3miSZAwfknCIQJbDX1u7QIie4cqDolVM0HyGZizFxIr3m6hsc
VQ0Wu+eCrHzB3K2UdI5lo4Nn8O+quCICmue5d9Iix1obNdxCR4Q915EMWIejjkkR
45e2IOwJOT0ADQy3Drd2X6CQAHZTHJGtaoPecFR6DRTUE2uKHTYiKLEEb4QYJHBC
1B6vN1+j
=bEwp
-----END PGP SIGNATURE-----
Timestamp of file with hash bc7b8ef6e6110dba1bb1148d42a8626cc8670590bd75fcef192668f241327364 -
contrib/guix/guix-attest
Outdated
| echo "" | ||
|
|
||
| # MAIN LOGIC: Loop through each output for VERSION and attest to output in | ||
| # GUIX_SIGS_REPO as SIGNERif attestation does not exist |
There was a problem hiding this comment.
| # GUIX_SIGS_REPO as SIGNERif attestation does not exist | |
| # GUIX_SIGS_REPO as SIGNER, if attestation does not exist |
| if [ -e inputs.SHA256SUMS ]; then | ||
| echo "${outname}: Including existent input SHA256SUMS" | ||
| cat inputs.SHA256SUMS >> "$outsigdir"/SHA256SUMS | ||
| fi |
There was a problem hiding this comment.
shouldn't this fail when the file is missing?
There was a problem hiding this comment.
Thinking about this since dist-archive does not have an inputs.SHA256SUMS... Right now, we attest to the bitcoin repo's git-archive in distsrc-archive, but I think perhaps it only makes sense to attest to it in the context of it being inputs to the host-specific outputs. When we add codesignatures, similarly it only makes sense to attest to the detached-sigs repo's git-archive in the context of it being inputs to the host-specific codesigned outputs. Will make a change so that we don't attest to dist-archive directly.
|
🕵️ @practicalswift has been requested to review this pull request as specified in the REVIEWERS file. |
While files are being output to $OUTDIR, it will be under
${DISTSRC}/output, and only when everything is done, will
${DISTSRC}/output be moved to the actual $OUTDIR.
This makes it so that a Ctrl-C in the middle of a build is less likely
to result in a partially-constructed $OUTDIR. In fact, if I understand
correctly, if $OUTDIR and $DISTSRC reside on the same filesystem, the
move (rename) is likely atomic.
Also, since the "working $OUTDIR" is under ${DISTSRC}/output, it will be
cleaned properly by the guix-clean script.
At build/codesigning-time, hash build inputs and output the digest to
${OUTDIR}/inputs.SHA256SUMS, which gets included in the final SHA256SUMS
constructed by guix-attest.
Example final SHA256SUMS:
ee832d2a35b7701bff581dea05a536118b118e3ad0a587a2855b6ee8cd6fba20 inputs/bitcoin-78199266af7b.tar.gz
ca765e70a0c12866dd63c0be228b675278a26329e5f8f5b5c52fd09200fedf21 bitcoin-78199266af7b-powerpc64le-linux-gnu-debug.tar.gz
dae95327d7f2c324e2728c4b73627be6cb2c0d2f2e5bea940d1d5e6463939327 bitcoin-78199266af7b-powerpc64le-linux-gnu.tar.gz
We already attest to the relevant dist-archive in inputs.SHA256SUMS, which is recorded at build-time. We use a SKIPATTEST.TAG file to indicate output directories which do not require attestation (much like the CACHEDIR.TAG specification). Generally, it's better to have build scripts declare properties of directories instead of introducing name-based special cases in attest scripts since build scripts have a more detailed context of what is going on.
7cd57f3 to
feda2c8
Compare
As always, guix.sigs are up at: https://github.com/dongcarl/guix.sigs/tree/2021-04-PR21462/feda2c8e3180 |
Sometimes GPG connects to the wrong agent... or you don't have your smartcard handy...
guix.sigs up at: https://github.com/dongcarl/guix.sigs/tree/2021-04-PR21462/d420e5c1c015 |
|
Tested ACK Would it be useful to have a concatenated SHA256SUMS (with all files) as well? I mean, depending on how we're going to do the distribution on the website and torrent. I guess if we're redesigning this it makes sense to have the two match up, not sign a different file with the 'distribution signing key' anymore but the same one (or forego my distribution signing key completely, just collect the attestations). Or is the idea is to start using a subdirectory per platform there (each with its own SHA256SUMS) too? In this case, having |
Hmmm, are you talking about for the webserver? I think it can be done using hard/symlinks at the FS level, or just using virtualized paths at the HTTP level. Wondering what particular user-flow you have in mind :-) |
|
Code review and tested ACK d420e5c
After discussion on IRC: let's leave this for another PR. |
d420e5c guix-attest: Avoid incomplete sigdirs with ERR traps (Carl Dong) feda2c8 guix: Skip attesting to dist-archive (Carl Dong) d522d80 guix: Attest to inputs in inputs.SHA256SUMS (Carl Dong) f9e2960 guix: Construct $OUTDIR in ${DISTSRC}/output (Carl Dong) 022abc8 guix: Minor quoting fix in libexec/build.sh (Carl Dong) c83c4fa guix-attest: Allow skipping GPG signing with NO_SIGN (Carl Dong) 0e1c2e4 guix-attest: Use ascii-armor signatures (Carl Dong) b5fd89c guix-attest: Only use cross-platform flags for find+xargs (Carl Dong) 5926432 guix: Add guix-verify script (Carl Dong) 30daf76 guix: Add guix-attest script (Carl Dong) Pull request description: Adds replacements for `gsign` and `gverify`. Personally I'm not a big fan of using the word "sign" as it's been used to refer to both codesigning and GPG signing. ACKs for top commit: laanwj: Code review and tested ACK d420e5c Tree-SHA512: 93d82d201f4596eaea0e3825aa55b013dfb91790e6ccee79893833d37921513d7b4e735f0641103e1e2ea8308abe4cb6218b73160924708802f2e0e3f7f6caf1
|
|
||
| if [ -e inputs.SHA256SUMS ]; then | ||
| echo "${outname}: Including existent input SHA256SUMS" | ||
| cat inputs.SHA256SUMS >> "$outsigdir"/SHA256SUMS |
There was a problem hiding this comment.
This line fails with "path not found" on macOS when GUIX_SIGS_REPO is a relative path like ../guix.sigs.
| echo "${outname}: Hashing build outputs to produce SHA256SUMS" | ||
| files="$(find -L . -type f ! -iname '*.SHA256SUMS')" | ||
| if [ -n "$files" ]; then | ||
| cut -c3- <<< "$files" | env LC_ALL=C sort | xargs sha256sum >> "$outsigdir"/SHA256SUMS |
There was a problem hiding this comment.
On macOS this needs to be shasum -a 256 or the user has to make an alias or brew install coreutils
There was a problem hiding this comment.
Hmmm, does shasum -a 256 produce identical output to sha256sum?
There was a problem hiding this comment.
If my uploaded attestation is correct, yes :-)
fac4814 doc/release-process: Add torrent creation details (Carl Dong) 5d24cc3 guix/INSTALL: Guix installs init scripts in libdir (Carl Dong) 5da2ee4 guix/INSTALL: Add coreutils/inotify-dir-recreate troubleshooting (Carl Dong) 318c607 guix: Adapt release-process.md to new Guix process (Carl Dong) fcab35b guix-attest: Produce and sign normalized documents (Carl Dong) c2541fd guix: Overhaul README (Carl Dong) 46ce6ce tree-wide: Rename gitian-keys to builder-keys (Carl Dong) fc4f844 guix: Update various check_tools lists (Carl Dong) 263220a guix: Check for a sane services database (Carl Dong) Pull request description: Based on: #21462 Keeping the README in one file so that it's easy to search through. Will add more jumping links later so navigation is easier. Current TODOs: - [x] Shell installer option: prompt user to re-login for `/etc/profile.d` entry to be picked up - [x] Binary tarball option: prompt user to create `/etc/profile.d` entry and re-login - [x] Fanquake docker option: complete section - [x] Arch Linux AUR option: prompt to start `guix-daemon-latest` unit after finishing "optional setup" section - [x] Building from source option: Insert dependency tree diagram that I made - [x] Building from source option: redo sectioning, kind of a mess right now - [x] Optional setup: make clear which parts are only needed if building from source - [x] Workaround 1 for GnuTLS: perhaps mention how to remove Guix build farm's key - [x] Overall (after everything): Make the links work. Note to self: wherever possible, tell user how to check that something is true rather than branching by installation option. ACKs for top commit: fanquake: ACK fac4814 - going to go ahead and merge this now. It's a lot of documentation, and could probably be nit-picked / improved further, however, that can continue over the next few weeks. I'm sure more (backportable) improvements / clarifications will be made while we progress through RCs towards a new release. Tree-SHA512: dc46c0ecdfc67c7c7743ca26e4a603eb3f54adbf81be2f4c1f4c20577ebb84b5250b9c9ec89c0e9860337ab1c7cff94d7963c603287267deecfe1cd987fa070a
Adds replacements for
gsignandgverify.Personally I'm not a big fan of using the word "sign" as it's been used to refer to both codesigning and GPG signing.