Add fetch-release script

This allows getting the hash of the latest (or some other) release using github releases and gpg verification.
2020-03-22 16:14:20 +00:00 · 2020-03-22 16:14:20 +00:00 · 5ed0284db9
parent c303cd47e4
commit 5ed0284db9
5 changed files with 54 additions and 28 deletions
--- a/docs/usage.md
+++ b/docs/usage.md
@ -1,28 +1,10 @@
 Updating
 ---
-Run `git pull` in the nix-bitcoin directory, enter the nix shell with `nix-shell` and redeploy with `nixops deploy -d bitcoin-node`.
+In your deployment directory, enter the nix shell with `nix-shell` and run

-### Verifying GPG Signatures (recommended)
-1. Import jonasnick's gpg key
-
-    ```
-    gpg2 --receive-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
-    ```
-
-2. Trust jonasnick's gpg key
-
-    ```
-    gpg2 --edit-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
-    trust
-    4
-    quit
-    ```
-
-3.  Verify commit after `git pull`
-
-    ```
-    git verify-commit <hash of latest commit>
-    ```
+```
+fetch-release > nix-bitcoin-release.nix
+```

 Nodeinfo
 ---
--- a/examples/nix-bitcoin-release.nix
+++ b/examples/nix-bitcoin-release.nix
@ -0,0 +1 @@
+../.
--- a/examples/shell.nix
+++ b/examples/shell.nix
@ -1,10 +1,12 @@
 let
-  # TODO:
-  # nix-bitcoin-path = builtins.fetchTarball {
-  #   url = "https://github.com/fort-nix/nix-bitcoin/archive/master.tar.gz";
-  #   sha256 = "1mlvfakjgbl67k4k9mgafp5gvi2gb2p57xwxwffqr4chx8g848n7";
-  # };
-  nix-bitcoin-path = ../.;
+  # This is either a path to a local nix-bitcoin source or an attribute set to
+  # be used as the fetchurl argument.
+  nix-bitcoin-release = import ./nix-bitcoin-release.nix;
+
+  nix-bitcoin-path =
+    if builtins.isAttrs nix-bitcoin-release then nix-bitcoin-unpacked
+    else nix-bitcoin-release;
+
  nixpkgs-path = (import "${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix").nixpkgs;
  nixpkgs = import nixpkgs-path {};
  nix-bitcoin = nixpkgs.callPackage nix-bitcoin-path {};
@ -13,6 +15,10 @@ let
    url = "https://github.com/erikarvstedt/extra-container/archive/6cced2c26212cc1c8cc7cac3547660642eb87e71.tar.gz";
    sha256 = "0qr41mma2iwxckdhqfabw3vjcbp2ffvshnc3k11kwriwj14b766v";
  }) {};
+
+  nix-bitcoin-unpacked = (import <nixpkgs> {}).runCommand "nix-bitcoin-src" {} ''
+    mkdir $out; tar xf ${builtins.fetchurl nix-bitcoin-release} -C $out
+  '';
 in
 with nixpkgs;

@ -23,6 +29,7 @@ stdenv.mkDerivation rec {

  shellHook = ''
    export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:."
+    alias fetch-release="${toString nix-bitcoin-path}/helper/fetch-release"

    # ssh-agent and nixops don't play well together (see
    # https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect
--- a/helper/fetch-release
+++ b/helper/fetch-release
@ -0,0 +1,36 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p bash coreutils curl jq gnugrep gnupg
+set -euo pipefail
+
+scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
+
+REPO=fort-nix/nix-bitcoin
+if [[ ! -v VERSION ]]; then
+    VERSION=$(curl --silent "https://api.github.com/repos/$REPO/releases/latest" | jq -r '.tag_name' | tail -c +2)
+fi
+
+TMPDIR=$(mktemp -d)
+GPG_HOME=$(mktemp -d)
+trap "rm -rf $TMPDIR $GPG_HOME" EXIT
+
+cd $TMPDIR
+BASEURL=https://github.com/$REPO/releases/download/v$VERSION
+curl --silent -L -O $BASEURL/SHA256SUMS.txt
+curl --silent -L -O $BASEURL/SHA256SUMS.txt.asc
+
+# Import key and verify fingerprint
+gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
+gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null
+
+gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc &> /dev/null || {
+    echo "ERROR: Signature verification failed. Please open an issue in the project repository."
+    exit 1
+}
+
+SHA256=$(cat SHA256SUMS.txt | grep -Eo '^[^ ]+')
+cat <<EOF
+{
+  url = "$BASEURL/nix-bitcoin-$VERSION.tar.gz";
+  sha256 = "$SHA256";
+}
+EOF
--- a/helper/key-jonasnick.bin
+++ b/helper/key-jonasnick.bin