JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

btcpayserver, nbxplorer: gpg verify upstream sources

Browse Source
This commit is contained in:
nixbitcoin 2021-05-05 13:59:37 +02:00 committed by Erik Arvstedt
parent 60c6153ab1
commit 1608efae17
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
1 changed files with 42 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
pkgs/applications/blockchains/nbxplorer/util/update-common.sh
View File

@ -1,16 +1,16 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p coreutils curl jq common-updater-scripts dotnet-sdk_3
#!nix-shell -i bash -p coreutils curl jq common-updater-scripts dotnet-sdk_3 git gnupg
set -euo pipefail
# This script uses the following env vars:
# getVersionFromTags
# onlyCreateDeps
# refetch
pkgName=$1
depsFile=$2
: ${getVersionFromTags:=}
: ${onlyCreateDeps:=}
: ${refetch:=}
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
nixpkgs=$(realpath "$scriptDir"/../../../../..)
@ -29,23 +29,46 @@ getLatestVersionTag() {
| sort -V | tail -1 | sed 's|^v||'
}
if [[ ! $onlyCreateDeps ]]; then
oldVersion=$(evalNixpkgs "$pkgName.version")
if [[ $getVersionFromTags ]]; then
newVersion=$(getLatestVersionTag)
else
newVersion=$(curl -s "https://api.github.com/repos/$(getRepo)/releases" | jq -r '.[0].name')
fi
if [[ $newVersion == $oldVersion ]]; then
echo "nixpkgs already has the latest version $newVersion"
echo "Run this script with env var onlyCreateDeps=1 to recreate "$(basename "$depsFile")
exit 0
else
echo "Updating $pkgName: $oldVersion -> $newVersion"
(cd "$nixpkgs" && update-source-version "$pkgName" "$newVersion")
fi
oldVersion=$(evalNixpkgs "$pkgName.version")
if [[ $getVersionFromTags ]]; then
newVersion=$(getLatestVersionTag)
else
newVersion=$(curl -s "https://api.github.com/repos/$(getRepo)/releases" | jq -r '.[0].name')
fi
if [[ $newVersion == $oldVersion && ! $refetch ]]; then
echo "nixpkgs already has the latest version $newVersion"
echo "Run this script with env var refetch=1 to re-verify the content hash via GPG"
echo "and to recreate $(basename "$depsFile"). This is useful for reviewing a version update."
exit 0
fi
# Fetch release and GPG-verify the content hash
tmpdir=$(mktemp -d /tmp/$pkgName-verify-gpg.XXX)
repo=$tmpdir/repo
trap "rm -rf $tmpdir" EXIT
git clone --depth 1 --branch v${newVersion} -c advice.detachedHead=false https://github.com/$(getRepo) $repo
export GNUPGHOME=$tmpdir
# Fetch Nicolas Dorier's key (64-bit key ID: 6618763EF09186FE)
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys AB4CFA9895ACA0DBE27F6B346618763EF09186FE 2> /dev/null
echo
echo "Verifying commit"
git -C $repo verify-commit HEAD
rm -rf $repo/.git
newHash=$(nix hash-path $repo)
rm -rf $tmpdir
echo
# Update pkg version and hash
echo "Updating $pkgName: $oldVersion -> $newVersion"
if [[ $newVersion == $oldVersion ]]; then
# Temporarily set a source version that doesn't equal $newVersion so that $newHash
# is always updated in the next call to update-source-version.
(cd "$nixpkgs" && update-source-version "$pkgName" "0" "0000000000000000000000000000000000000000000000000000")
fi
(cd "$nixpkgs" && update-source-version "$pkgName" "$newVersion" "$newHash")
echo
# Create deps file
storeSrc="$(nix-build "$nixpkgs" -A $pkgName.src --no-out-link)"
. "$scriptDir"/create-deps.sh "$storeSrc" "$depsFile"