nix-bitcoin/helper/fetch-release
Erik Arvstedt b49c74545f
fetch-release: make GPG key searchable
The non-spaced version gives no matches in major search engines.
This is useful for auditing this script.
2021-09-14 19:56:35 +02:00

43 lines
1.2 KiB
Plaintext
Executable File

#!/usr/bin/env nix-shell
#!nix-shell -i bash -p bash coreutils curl jq gnupg
set -euo pipefail
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
repo=fort-nix/nix-bitcoin
if [[ ! -v version ]]; then
version=$(curl -s --show-error "https://api.github.com/repos/$repo/releases/latest" | jq -r '.tag_name' | tail -c +2)
fi
TMPDIR=$(mktemp -d)
trap "rm -rf $TMPDIR" EXIT
GPG_HOME=$TMPDIR/gpg-home
mkdir -p -m 700 "$GPG_HOME"
# Import key
gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
# Verify key fingerprint
gpg --homedir $GPG_HOME --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null
# Fetch nar-hash of release
cd $TMPDIR
baseUrl=https://github.com/$repo/releases/download/v$version
curl -s --show-error -L -O $baseUrl/nar-hash.txt
curl -s --show-error -L -O $baseUrl/nar-hash.txt.asc
# Verify signature for nar-hash
gpg --homedir $GPG_HOME --verify nar-hash.txt.asc &> /dev/null || {
>&2 echo "Error: Signature verification failed. Please open an issue in the project repository."
exit 1
}
>&2 echo "Fetched and verified release $version"
cat <<EOF
builtins.fetchTarball {
url = "https://github.com/$repo/archive/v$version.tar.gz";
sha256 = "$(cat nar-hash.txt)";
}
EOF