From 5ed0284db99e6659b8be3065db44648d6660d57c Mon Sep 17 00:00:00 2001
From: Jonas Nick
Date: Sun, 22 Mar 2020 16:14:20 +0000
Subject: [PATCH] Add fetch-release script
This allows getting the hash of the latest (or some other) release using github releases and gpg verification.
---
 docs/usage.md | 26 ++++------------------
 examples/nix-bitcoin-release.nix | 1 +
 examples/shell.nix | 19 ++++++++++------
 helper/fetch-release | 36 +++++++++++++++++++++++++++++++
 helper/key-jonasnick.bin | Bin 0 -> 2811 bytes
 5 files changed, 54 insertions(+), 28 deletions(-)
 create mode 100644 examples/nix-bitcoin-release.nix
 create mode 100755 helper/fetch-release
 create mode 100644 helper/key-jonasnick.bin
diff --git a/docs/usage.md b/docs/usage.md
index 377f5a1..be7675c 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -1,28 +1,10 @@
 Updating
 ---
-Run `git pull` in the nix-bitcoin directory, enter the nix shell with `nix-shell` and redeploy with `nixops deploy -d bitcoin-node`.
+In your deployment directory, enter the nix shell with `nix-shell` and run
-### Verifying GPG Signatures (recommended)
-1. Import jonasnick's gpg key
-
- ```
- gpg2 --receive-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
- ```
-
-2. Trust jonasnick's gpg key
-
- ```
- gpg2 --edit-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
- trust
- 4
- quit
- ```
-
-3. Verify commit after `git pull`
-
- ```
- git verify-commit
- ```
+```
+fetch-release > nix-bitcoin-release.nix
+```
 Nodeinfo
 ---
diff --git a/examples/nix-bitcoin-release.nix b/examples/nix-bitcoin-release.nix
new file mode 100644
index 0000000..a87522d
--- /dev/null
+++ b/examples/nix-bitcoin-release.nix
@@ -0,0 +1 @@
+../.
diff --git a/examples/shell.nix b/examples/shell.nix
index 3f0c7c9..2298134 100644
--- a/examples/shell.nix
+++ b/examples/shell.nix
@@ -1,10 +1,12 @@
 let
- # TODO:
- # nix-bitcoin-path = builtins.fetchTarball {
- # url = "https://github.com/fort-nix/nix-bitcoin/archive/master.tar.gz";
- # sha256 = "1mlvfakjgbl67k4k9mgafp5gvi2gb2p57xwxwffqr4chx8g848n7";
- # };
- nix-bitcoin-path = ../.;
+ # This is either a path to a local nix-bitcoin source or an attribute set to
+ # be used as the fetchurl argument.
+ nix-bitcoin-release = import ./nix-bitcoin-release.nix;
+
+ nix-bitcoin-path =
+ if builtins.isAttrs nix-bitcoin-release then nix-bitcoin-unpacked
+ else nix-bitcoin-release;
+
 nixpkgs-path = (import "${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix").nixpkgs;
 nixpkgs = import nixpkgs-path {};
 nix-bitcoin = nixpkgs.callPackage nix-bitcoin-path {};
@@ -13,6 +15,10 @@ let
 url = "https://github.com/erikarvstedt/extra-container/archive/6cced2c26212cc1c8cc7cac3547660642eb87e71.tar.gz";
 sha256 = "0qr41mma2iwxckdhqfabw3vjcbp2ffvshnc3k11kwriwj14b766v";
 }) {};
+
+ nix-bitcoin-unpacked = (import {}).runCommand "nix-bitcoin-src" {} ''
+ mkdir $out; tar xf ${builtins.fetchurl nix-bitcoin-release} -C $out
+ '';
 in
 with nixpkgs;
@@ -23,6 +29,7 @@ stdenv.mkDerivation rec {
 shellHook = ''
 export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:."
+ alias fetch-release="${toString nix-bitcoin-path}/helper/fetch-release"
 # ssh-agent and nixops don't play well together (see
 # https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect
diff --git a/helper/fetch-release b/helper/fetch-release
new file mode 100755
index 0000000..6529386
--- /dev/null
+++ b/helper/fetch-release
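Review bot: `nix-bitcoin-unpacked` in the second hunk extracts the release archive with `tar xf ... -C $out`, and `nixpkgs-path` then imports `${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix` from that directory; if the archive carries a top-level directory, as GitHub-generated release tarballs do, the sources land one level down and that import fails, so this is worth confirming against the URL fetch-release emits and, if so, adding `--strip-components=1` to the tar call. The unpack step also evaluates `(import {})` — presumably `import <nixpkgs> {}`, with the angle brackets lost in extraction — rather than the pinned `nixpkgs` defined below, which cannot be used here because `nixpkgs-path` itself depends on `nix-bitcoin-path`. That reliance on the ambient nixpkgs is acceptable only because `builtins.fetchurl` pins the archive by its sha256, and a comment such as `# Uses the ambient <nixpkgs>: the pinned nixpkgs depends on nix-bitcoin-path, which is what is being unpacked here. Safe because fetchurl pins the archive by sha256.` would make that reasoning explicit for the next maintainer.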
@@ -0,0 +1,36 @@ +#! /usr/bin/env nix-shell +#! nix-shell -i bash -p bash coreutils curl jq gnugrep gnupg +set -euo pipefail + +scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd) + +REPO=fort-nix/nix-bitcoin +if [[ ! -v VERSION ]]; then + VERSION=$(curl --silent "https://api.github.com/repos/$REPO/releases/latest" | jq -r '.tag_name' | tail -c +2) +fi + +TMPDIR=$(mktemp -d) +GPG_HOME=$(mktemp -d) +trap "rm -rf $TMPDIR $GPG_HOME" EXIT + +cd $TMPDIR +BASEURL=https://github.com/$REPO/releases/download/v$VERSION +curl --silent -L -O $BASEURL/SHA256SUMS.txt +curl --silent -L -O $BASEURL/SHA256SUMS.txt.asc + +# Import key and verify fingerprint +gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null +gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null + +gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc &> /dev/null || { + echo "ERROR: Signature verification failed. Please open an issue in the project repository." + exit 1 +} + +SHA256=$(cat SHA256SUMS.txt | grep -Eo '^[^ ]+') +cat <7xKocV)ZSEe+bXy%v$v2gSkf%ThA<3%%-ij&1I+1^zFc2Uvi&`0m zzI{i8bqsQ2pF`eRmBC7Ls9f|l5g7C0bSpSGhzv%X50Ju?@!8e8Ueenzn^u?x(ER>q zy>d^ICE5q(y#pq-!cNm=)p51;G}Iu}9?|BIP~_T?nU!jHf_W1jt>vq6yq9_PqkBvdvEq+aBCRpnSJd=lu1(Mds$PKv1_(IA<7wB2YLlEb% zWPVF>KEE&n1h7Fd1TAL80Q(v5KJF#yiZ10QOjZ~vtqiyEva)UB2E`_AnDcD~|0uYq zKvI^-eCDd?8V}%0Zh3h>zbKv;72+aB#W$w+rZ{99ycHW>$EYfvRpIm1kPsz9+^94F zJ*TAw{rp99+j#&H0RRECB1&&=VRIl(X=7_3JZf)lVRK|IZfRp{Kxb`XX>2ZIZ*4w_ z0zU*30RjLi0viJd3ke7Z0|EgC6$k=)Igf+GvTB_Rpu&#)`_hE7i(oKL-GJ@WaBN`a>UjC3DD}Y z^ta5+p>qquvUj_zyP?$s#mwFK)q<$La5+SUp*}{TVii(jYA(g2Q7S-c1Mvcr96ClY z&?b@ikR!aD?BlT~wf~(ONbpJ2uyM4qTsMi~x{|u^EXU%l(sSn!H$O{bcR%1p!L=ex z8V6R^p0YBBiW2n5lSu7GXEEJIxL9QIXC9NSzdslfbLDT1` z0x|QTUvU3m%;Vt8Q^Xset-_=>cXo$rD|UN4a_{ztq6t+6#wN5U))Zu#?$$9!b8tZX z2Wa55v5zGi8%YB~H(k6DCP0Z6<;|6@M>AsoAPC~{i9vou`ke6mMn=v^zLZ2f>*Cm&q zP@`w0$ylrCZna2e?+|> z>nA|eB3i(F4OhQa2>YG(ruekgpoOVm=o4G!JN>mjQz=ZyQ&f~ta*zlvNG5e9G=jv< 
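Review bot: The release lookup near the top of the hunk runs `curl --silent` without `--fail`, so a failed or rate-limited API response still yields output (`jq -r '.tag_name'` prints `null`, which `tail -c +2` turns into `ull`) that flows into the download and signature steps and ends in the misleading "Signature verification failed. Please open an issue" message; `curl --fail --silent --show-error "https://api.github.com/repos/$REPO/releases/latest"` followed by `[[ -n $VERSION ]] || { echo "ERROR: could not determine latest release"; exit 1; }` would fail early with the real cause. `SHA256=$(cat SHA256SUMS.txt | grep -Eo '^[^ ]+')` takes the first field of every line, so a SHA256SUMS.txt listing more than one file would leave several hashes in `SHA256`; anchoring the grep on the archive file name the script expects, rather than taking every line, would pin the right entry. Signature acceptance currently rests on the throwaway `$GPG_HOME` containing nothing but the embedded key, which holds as written; checking `--status-fd` output for `VALIDSIG 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366` would bind the check to that key explicitly rather than by keyring contents. The tail of the hunk from `cat <` onward is garbled by the binary patch that follows, so the heredoc's output was not reviewed.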
zmh}#^IsY!d(|(5DQ>8QFUiR_gWWe=BuHeZmYqwsj47v2hV!EVY1q>V?rI>*|wAl6= zF%0R&1djynFE_WpNyTXbSJO|OvV#Q?Z_j=Mg3!!eEh%de3zkkdkzZA^;MCJ8lt7NJ zSP!PVlr~n)Y_pi1S9+f9WB&5Wy@-%6@N=MYcwdn(MsC4|OJH;>gyqM(d81SrlAZQN z2R5j4oTYv}<^m(X1OX5jG~`CtEN&6} zP|477mg~1OkHk*6(~Ub*LP;uFUTyP;S4yGNa%qcO`Qh*&We{jB>6dUFKf)=2 zR15I00$|f&01*KI0f_{11Q-Db045e81UAPSH_6$Ez33$f*|Db%PmRq3W&#@m1p-|f zLWczj1*$|{0zkoZAOsl!2ml=xAp}digj#P}Wu~3_>?25F+wx)(HU$L&Sy3^n0162Z zNMYOZViGn5Ek+OjY2cRyJdomQf8NaVFWROn+{3{8Us91Pqu&wz=>be8C!Y}nzi2jN z!;>w;+}0xYC1yC0^P2@mR_Mj&KEjq)Qt;|i=*#@*0=$nrn;_zW-?8fw&C9GsbRAZ0y%^DO3sfgGejddbUZsT3fm3Zr2gpGxAi=zwp z5skFe(L~Z)Ll3yl2>G9-eDImi30PRLAj!ALFVRYOm{k{5+|RM-nrfZLOU>OjC!hiw z#5I0`sWVkk(LA|21OmG^33}idlgHc{U;?mzh}V~`_9Q$-AIz&Y`R7jt4w<3gvk{iZ zrJg-ouRuH28Y>m3%(uGpX7lbp@)If}QDaWfOMK1|ki^7njLDv;KZy5k%z~fv@-auu zCt|&0@nUhSr$)HU(Ib8KQe}lX86a-Yl4f>xX9uy-rk+9;PuKQu!g$oZ)osRadV~cT zS>tuxZmE<(b>eQ*V>tqT7nTqKEuA8v$h>~e30__~MV!gPFz{nO_SF9paboEmgJA7) z{Q{sG2@tWT4o{8E17_e|5CEdTwKkT)`N-yL-2vTiA-9p(u(LI*yF*{74R3}ViNKbw zcdkrriwHo}?L6mZk;*Q*k6cp!s1L^Or?J$erG}B9QVOeMDxk!FSzS2_$!dYl znkfg46y%-au%{k|T2ss&{-00is|_v;DxGobdN9?pK(+t? literal 0 HcmV?d00001