aiolabs/nix-bitcoin
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

improve examples/shell.nix

Browse source 
The user's local node configuration directory usually contains a copy of
examples/shell.nix.

1. Move the shell implementation from shell.nix to nix-bitcoin/helper/makeShell.nix
   Because the shell is no longer defined locally in the user's config
   directory, we can now ship new shell features via nix-bitcoin updates.

2. Simplify examples/nix-bitcoin-release.nix
   nix-bitcoin-release.nix, as generated via `fetch-release`, now
   contains a simple fetchTarball statement which can be directly imported.
   This allows us to get rid of the extra `nix-bitcoin-unpacked` derivation
   which adds a dependency on the user's local nixpkgs.

   To keep `fetch-release` as simple as possible for easy auditing, we just
   fetch and verify a `nar-hash.txt` file that is now uploaded
   via `push-release.sh`.

A migration guide for updating the user's local `shell.nix` is
automatically printed when the user starts a new shell after updating
nix-bitcoin.
This is achieved by throwing an error in `generate-secrets`, which is called
on shell startup.

This commit is required to deploy the new extensible `generate-secrets`
mechanism introduced in the next commit.
This commit is contained in:
Erik Arvstedt 2021-09-08 17:01:17 +02:00
parent 8a757e0486
commit 24fd1e9bdc
No known key found for this signature in database
GPG key ID: 33312B944DD97846
7 changed files with 86 additions and 64 deletions
Download patch file Download diff file Expand all files Collapse all files

24
helper/fetch-release
View file

@ -15,26 +15,28 @@ trap "rm -rf $TMPDIR" EXIT
GPG_HOME=$TMPDIR/gpg-home
mkdir -p -m 700 "$GPG_HOME"
cd $TMPDIR
baseUrl=https://github.com/$repo/releases/download/v$version
curl --silent -L -O $baseUrl/SHA256SUMS.txt
curl --silent -L -O $baseUrl/SHA256SUMS.txt.asc
# Import key
gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
# Verify key fingerprint
gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null
# Verify signature for SHA256SUMS.txt
gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc &> /dev/null || {
# Fetch nar-hash of release
cd $TMPDIR
baseUrl=https://github.com/$repo/releases/download/v$version
curl --silent -L -O $baseUrl/nar-hash.txt
curl --silent -L -O $baseUrl/nar-hash.txt.asc
# Verify signature for nar-hash
gpg --homedir $GPG_HOME --verify nar-hash.txt.asc &> /dev/null || {
echo "Error: Signature verification failed. Please open an issue in the project repository."
exit 1
}
sha256=$(cat SHA256SUMS.txt | cut -d\ -f1)
>&2 echo "Fetched and verified release $version"
cat <<EOF
{
url = "$baseUrl/nix-bitcoin-$version.tar.gz";
sha256 = "$sha256";
builtins.fetchTarball {
url = "https://github.com/$repo/archive/v$version.tar.gz";
sha256 = "$(cat nar-hash.txt)";
}
EOF