diff --git a/docs/usage.md b/docs/usage.md
index 377f5a1..be7675c 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -1,28 +1,10 @@
 Updating
 ---
-Run `git pull` in the nix-bitcoin directory, enter the nix shell with `nix-shell` and redeploy with `nixops deploy -d bitcoin-node`.
+In your deployment directory, enter the nix shell with `nix-shell` and run
 
-### Verifying GPG Signatures (recommended)
-1. Import jonasnick's gpg key
-
- ```
- gpg2 --receive-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
- ```
-
-2. Trust jonasnick's gpg key
-
- ```
- gpg2 --edit-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
- trust
- 4
- quit
- ```
-
-3. Verify commit after `git pull`
-
- ```
- git verify-commit
- ```
+```
+fetch-release > nix-bitcoin-release.nix
+```
 
 Nodeinfo
 ---
diff --git a/examples/nix-bitcoin-release.nix b/examples/nix-bitcoin-release.nix
new file mode 100644
index 0000000..a87522d
--- /dev/null
+++ b/examples/nix-bitcoin-release.nix
@@ -0,0 +1 @@
+../.
diff --git a/examples/shell.nix b/examples/shell.nix
index 3f0c7c9..2298134 100644
--- a/examples/shell.nix
+++ b/examples/shell.nix
@@ -1,10 +1,12 @@
 let
- # TODO:
- # nix-bitcoin-path = builtins.fetchTarball {
- # url = "https://github.com/fort-nix/nix-bitcoin/archive/master.tar.gz";
- # sha256 = "1mlvfakjgbl67k4k9mgafp5gvi2gb2p57xwxwffqr4chx8g848n7";
- # };
- nix-bitcoin-path = ../.;
+ # This is either a path to a local nix-bitcoin source or an attribute set to
+ # be used as the fetchurl argument.
+ nix-bitcoin-release = import ./nix-bitcoin-release.nix;
+
+ nix-bitcoin-path =
+ if builtins.isAttrs nix-bitcoin-release then nix-bitcoin-unpacked
+ else nix-bitcoin-release;
+
 nixpkgs-path = (import "${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix").nixpkgs;
 nixpkgs = import nixpkgs-path {};
 nix-bitcoin = nixpkgs.callPackage nix-bitcoin-path {};
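Review bot: Nothing in the new `nix-bitcoin-path` selection requires the attribute-set form of `nix-bitcoin-release` to carry a hash, and `builtins.fetchurl` accepts a bare `url` outside pure evaluation mode, so a hand-edited or truncated `nix-bitcoin-release.nix` would be fetched and imported with no integrity check. This file is presumably the only place where the result of the signature check done by `fetch-release` reaches the deployment, so I would fail early by putting `assert builtins.isAttrs nix-bitcoin-release -> nix-bitcoin-release ? sha256;` in front of the `if` in the `nix-bitcoin-path` binding. The added comment could also say that the attribute set is expected to be the output of `fetch-release`. The `let` block continues outside this hunk.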
@@ -13,6 +15,10 @@ let url = "https://github.com/erikarvstedt/extra-container/archive/6cced2c26212cc1c8cc7cac3547660642eb87e71.tar.gz"; sha256 = "0qr41mma2iwxckdhqfabw3vjcbp2ffvshnc3k11kwriwj14b766v"; }) {}; + + nix-bitcoin-unpacked = (import {}).runCommand "nix-bitcoin-src" {} '' + mkdir $out; tar xf ${builtins.fetchurl nix-bitcoin-release} -C $out + ''; in with nixpkgs; @@ -23,6 +29,7 @@ stdenv.mkDerivation rec { shellHook = '' export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:." + alias fetch-release="${toString nix-bitcoin-path}/helper/fetch-release" # ssh-agent and nixops don't play well together (see # https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect diff --git a/helper/fetch-release b/helper/fetch-release new file mode 100755 index 0000000..6529386 --- /dev/null +++ b/helper/fetch-release @@ -0,0 +1,36 @@ +#! /usr/bin/env nix-shell +#! nix-shell -i bash -p bash coreutils curl jq gnugrep gnupg +set -euo pipefail + +scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd) + +REPO=fort-nix/nix-bitcoin +if [[ ! -v VERSION ]]; then + VERSION=$(curl --silent "https://api.github.com/repos/$REPO/releases/latest" | jq -r '.tag_name' | tail -c +2) +fi + +TMPDIR=$(mktemp -d) +GPG_HOME=$(mktemp -d) +trap "rm -rf $TMPDIR $GPG_HOME" EXIT + +cd $TMPDIR +BASEURL=https://github.com/$REPO/releases/download/v$VERSION +curl --silent -L -O $BASEURL/SHA256SUMS.txt +curl --silent -L -O $BASEURL/SHA256SUMS.txt.asc + +# Import key and verify fingerprint +gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null +gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null + +gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc &> /dev/null || { + echo "ERROR: Signature verification failed. Please open an issue in the project repository." + exit 1 +} + +SHA256=$(cat SHA256SUMS.txt | grep -Eo '^[^ ]+') +cat <
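Review bot: `nix-bitcoin-unpacked` is built with a nixpkgs other than the pinned `nixpkgs-path`, and the reason is not documented; the argument of `import` looks lost in this rendering, and is presumably the ambient `<nixpkgs>` from the caller's NIX_PATH. The pinned nixpkgs can only be read after the release has been unpacked, so the choice seems deliberate, but a comment such as `# Uses the ambient nixpkgs: the pinned nixpkgs lives inside the release and is not available until it is unpacked.` would settle it for the next reader. It would also help to state that the tarball is expected to have `pkgs/` at its top level, since `tar xf … -C $out` strips no leading directory.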
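Review bot: The `fetch-release` alias in `shellHook` points at the helper inside `nix-bitcoin-path`, so the script and the bundled key that verify the next release come from the release already in use, and the first copy is trusted as obtained. This commit also removes the manual GPG instructions from docs/usage.md, so that bootstrap assumption deserves a comment here, e.g. `# fetch-release and its signing key come from the current nix-bitcoin source; verify the initial download independently.` Separately, the interpolated path is unquoted once the alias expands, so a local checkout path containing spaces would break it; `alias fetch-release='"${toString nix-bitcoin-path}/helper/fetch-release"'` avoids that.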