diff --git a/pkgs/applications/blockchains/nbxplorer/util/update-common.sh b/pkgs/applications/blockchains/nbxplorer/util/update-common.sh index c69168ccbbb1..7a9262bf4833 100755 --- a/pkgs/applications/blockchains/nbxplorer/util/update-common.sh +++ b/pkgs/applications/blockchains/nbxplorer/util/update-common.sh @@ -1,16 +1,16 @@ #!/usr/bin/env nix-shell -#!nix-shell -i bash -p coreutils curl jq common-updater-scripts dotnet-sdk_3 +#!nix-shell -i bash -p coreutils curl jq common-updater-scripts dotnet-sdk_3 git gnupg set -euo pipefail # This script uses the following env vars: # getVersionFromTags -# onlyCreateDeps +# refetch pkgName=$1 depsFile=$2 : ${getVersionFromTags:=} -: ${onlyCreateDeps:=} +: ${refetch:=} scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd) nixpkgs=$(realpath "$scriptDir"/../../../../..) @@ -29,23 +29,46 @@ getLatestVersionTag() { | sort -V | tail -1 | sed 's|^v||' } -if [[ ! $onlyCreateDeps ]]; then - oldVersion=$(evalNixpkgs "$pkgName.version") - if [[ $getVersionFromTags ]]; then - newVersion=$(getLatestVersionTag) - else - newVersion=$(curl -s "https://api.github.com/repos/$(getRepo)/releases" | jq -r '.[0].name') - fi - - if [[ $newVersion == $oldVersion ]]; then - echo "nixpkgs already has the latest version $newVersion" - echo "Run this script with env var onlyCreateDeps=1 to recreate "$(basename "$depsFile") - exit 0 - else - echo "Updating $pkgName: $oldVersion -> $newVersion" - (cd "$nixpkgs" && update-source-version "$pkgName" "$newVersion") - fi +oldVersion=$(evalNixpkgs "$pkgName.version") +if [[ $getVersionFromTags ]]; then + newVersion=$(getLatestVersionTag) +else + newVersion=$(curl -s "https://api.github.com/repos/$(getRepo)/releases" | jq -r '.[0].name') fi +if [[ $newVersion == $oldVersion && ! $refetch ]]; then + echo "nixpkgs already has the latest version $newVersion" + echo "Run this script with env var refetch=1 to re-verify the content hash via GPG" + echo "and to recreate $(basename "$depsFile"). This is useful for reviewing a version update." + exit 0 +fi + +# Fetch release and GPG-verify the content hash +tmpdir=$(mktemp -d /tmp/$pkgName-verify-gpg.XXX) +repo=$tmpdir/repo +trap "rm -rf $tmpdir" EXIT +git clone --depth 1 --branch v${newVersion} -c advice.detachedHead=false https://github.com/$(getRepo) $repo +export GNUPGHOME=$tmpdir +# Fetch Nicolas Dorier's key (64-bit key ID: 6618763EF09186FE) +gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys AB4CFA9895ACA0DBE27F6B346618763EF09186FE 2> /dev/null +echo +echo "Verifying commit" +git -C $repo verify-commit HEAD +rm -rf $repo/.git +newHash=$(nix hash-path $repo) +rm -rf $tmpdir +echo + +# Update pkg version and hash +echo "Updating $pkgName: $oldVersion -> $newVersion" +if [[ $newVersion == $oldVersion ]]; then + # Temporarily set a source version that doesn't equal $newVersion so that $newHash + # is always updated in the next call to update-source-version. + (cd "$nixpkgs" && update-source-version "$pkgName" "0" "0000000000000000000000000000000000000000000000000000") +fi +(cd "$nixpkgs" && update-source-version "$pkgName" "$newVersion" "$newHash") +echo + +# Create deps file storeSrc="$(nix-build "$nixpkgs" -A $pkgName.src --no-out-link)" . "$scriptDir"/create-deps.sh "$storeSrc" "$depsFile"