From 5ed0284db99e6659b8be3065db44648d6660d57c Mon Sep 17 00:00:00 2001
From: Jonas Nick
Date: Sun, 22 Mar 2020 16:14:20 +0000
Subject: [PATCH] Add fetch-release script
This allows getting the hash of the latest (or some other) release using github releases and gpg verification.
---
 docs/usage.md | 26 ++++------------------
 examples/nix-bitcoin-release.nix | 1 +
 examples/shell.nix | 19 ++++++++++------
 helper/fetch-release | 36 +++++++++++++++++++++++++++++++
 helper/key-jonasnick.bin | Bin 0 -> 2811 bytes
 5 files changed, 54 insertions(+), 28 deletions(-)
 create mode 100644 examples/nix-bitcoin-release.nix
 create mode 100755 helper/fetch-release
 create mode 100644 helper/key-jonasnick.bin
diff --git a/docs/usage.md b/docs/usage.md
index 377f5a1..be7675c 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -1,28 +1,10 @@
 Updating
 ---
-Run `git pull` in the nix-bitcoin directory, enter the nix shell with `nix-shell` and redeploy with `nixops deploy -d bitcoin-node`.
+In your deployment directory, enter the nix shell with `nix-shell` and run
-### Verifying GPG Signatures (recommended)
-1. Import jonasnick's gpg key
-
- ```
- gpg2 --receive-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
- ```
-
-2. Trust jonasnick's gpg key
-
- ```
- gpg2 --edit-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
- trust
- 4
- quit
- ```
-
-3. Verify commit after `git pull`
-
- ```
- git verify-commit
- ```
+```
+fetch-release > nix-bitcoin-release.nix
+```
 Nodeinfo
 ---
diff --git a/examples/nix-bitcoin-release.nix b/examples/nix-bitcoin-release.nix
new file mode 100644
index 0000000..a87522d
--- /dev/null
+++ b/examples/nix-bitcoin-release.nix
@@ -0,0 +1 @@
+../.
diff --git a/examples/shell.nix b/examples/shell.nix
index 3f0c7c9..2298134 100644
--- a/examples/shell.nix
+++ b/examples/shell.nix
@@ -1,10 +1,12 @@
 let
- # TODO:
- # nix-bitcoin-path = builtins.fetchTarball {
- # url = "https://github.com/fort-nix/nix-bitcoin/archive/master.tar.gz";
- # sha256 = "1mlvfakjgbl67k4k9mgafp5gvi2gb2p57xwxwffqr4chx8g848n7";
- # };
- nix-bitcoin-path = ../.;
+ # This is either a path to a local nix-bitcoin source or an attribute set to
+ # be used as the fetchurl argument.
+ nix-bitcoin-release = import ./nix-bitcoin-release.nix;
+
+ nix-bitcoin-path =
+ if builtins.isAttrs nix-bitcoin-release then nix-bitcoin-unpacked
+ else nix-bitcoin-release;
+
 nixpkgs-path = (import "${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix").nixpkgs;
 nixpkgs = import nixpkgs-path {};
 nix-bitcoin = nixpkgs.callPackage nix-bitcoin-path {};
@@ -13,6 +15,10 @@ let
 url = "https://github.com/erikarvstedt/extra-container/archive/6cced2c26212cc1c8cc7cac3547660642eb87e71.tar.gz";
 sha256 = "0qr41mma2iwxckdhqfabw3vjcbp2ffvshnc3k11kwriwj14b766v";
 }) {};
+
+ nix-bitcoin-unpacked = (import {}).runCommand "nix-bitcoin-src" {} ''
+ mkdir $out; tar xf ${builtins.fetchurl nix-bitcoin-release} -C $out
+ '';
 in
 with nixpkgs;
@@ -23,6 +29,7 @@ stdenv.mkDerivation rec {
 shellHook = ''
 export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:."
+ alias fetch-release="${toString nix-bitcoin-path}/helper/fetch-release"
 # ssh-agent and nixops don't play well together (see
 # https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect
diff --git a/helper/fetch-release b/helper/fetch-release
new file mode 100755
index 0000000..6529386
--- /dev/null
+++ b/helper/fetch-release
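Review bot: `nix-bitcoin-unpacked` in the second hunk calls `runCommand` from an `import … {}` whose path argument is lost on this page (presumably `<nixpkgs>` resolved via NIX_PATH), so the bootstrap unpack step runs against whatever nixpkgs the user's environment provides rather than the pinned `nixpkgs-path` declared in the first hunk. That is very likely deliberate, since `nixpkgs-path` is itself derived from `nix-bitcoin-path` and using it here would be circular, but a reader will not see why and may "fix" it; a comment such as `# Deliberately uses the ambient nixpkgs: the pinned nixpkgs-path is derived from nix-bitcoin-path and cannot be used to unpack it.` would record the reason. As far as this page shows, integrity of the downloaded archive rests on the hash that fetch-release writes into the attribute set handed to `builtins.fetchurl`, so the unpinned part is only the unpack toolchain, not the source. The `let` block opens in the first hunk and the `mkDerivation` attribute set in the third hunk continues outside SOURCE.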
@@ -0,0 +1,36 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p bash coreutils curl jq gnugrep gnupg
+set -euo pipefail
+
+scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
+
+REPO=fort-nix/nix-bitcoin
+if [[ ! -v VERSION ]]; then
+VERSION=$(curl --silent "https://api.github.com/repos/$REPO/releases/latest" | jq -r '.tag_name' | tail -c +2)
+fi
+
+TMPDIR=$(mktemp -d)
+GPG_HOME=$(mktemp -d)
+trap "rm -rf $TMPDIR $GPG_HOME" EXIT
+
+cd $TMPDIR
+BASEURL=https://github.com/$REPO/releases/download/v$VERSION
+curl --silent -L -O $BASEURL/SHA256SUMS.txt
+curl --silent -L -O $BASEURL/SHA256SUMS.txt.asc
+
+# Import key and verify fingerprint
+gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
+gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null
+
+gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc &> /dev/null || {
+ echo "ERROR: Signature verification failed. Please open an issue in the project repository."
+ exit 1
+}
+
+SHA256=$(cat SHA256SUMS.txt | grep -Eo '^[^ ]+')
+cat <fMNZUdtq6Y5tCo+e<05~t76d-g^D~SuI753C5LmbxbeJ{xxD*D zwAEI>DO2~+8GzBR85zQhnsvoetX0Gvj@-rnBV-OjnVRdb;zQ7 zZ2M1Lvpm@FS=??`fJxY=mwCJg_b>`GG~IdDy{=`qijiWD(5cqe;4_@xPpbxBI8?L0DNi_nqA7l4x0KVXKMt za|{F&^tz)Y+xFGEx0Lb}CC_)h7diEySMiFNFQ$SLpC6TITUd1PxXtFDaA?ZMn^$+o zUAk>BJ8TBqg+Kq&_ZIn2QoY6gY%jCg);2&o`vhc^BF3H(+Mj;AqIAn|74px8!@fcd9SD^q#8ugh^qODtCK%S_Hz zu*m|kQ}psOld~Pta}zUj^pf*)?K+w4S%evx7&Murnc2BHIoO$*7}-QQm^it(S;Ux_ z8JXl5nZz4dnWDEUyRdR{J3KqZz{M%BaXFuV?^)(F%QO6cr6YB(ILvx&{BVgw=rgV6 zYn^Ku#IsX%oIf$-q&(KWRdnR)Kh6uUHhtNC=FGxk?n9f(cdyyK@GA4sGk1SnZCbIf zz|y64p`F{pB+;PcEWM+P1GOBom_IU2ma%d(xS%%i#{}g)bKX4OsJ`|8Tq%zao>w*$ zZrK!L-uZCXq+K6$jz3y^srb2oxxIICx%~sTgIkq+q}ao*&D&(u-X-+q#AJ`RZs~@1 z-F8Hzd`wqecfFIFInw&A?>~(?x5La*Yc#bw+vIDd;{KLaoV;2e^RoTf(aY0zlof27 z6xe7O?z#HbB1>i4n;##4|1<4`K(n_8i`&e(zg{qXa+=t%>c|Ct?^!{dOQKSD?yG7@ z{eI4-BE)#>ZTq7iw;$6p1=0c60`EM_AKqPYMY|>-#Qj?hO!=0+oFC=BxTmSYliN{1rC4MGahW& 
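Review bot: `gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc` accepts a good signature from any key in the throwaway keyring, and the preceding `--list-keys 36C71A37…` only proves that this fingerprint was imported, not that it produced the signature; if `key-jonasnick.bin` ever carries more than one key, or is replaced in a fork, the check still passes. Binding the result to the expected primary key is a one-line change: `gpg --homedir "$GPG_HOME" --status-fd 1 --verify SHA256SUMS.txt.asc 2>/dev/null | grep -E '^\[GNUPG:\] VALIDSIG .* 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366$' > /dev/null || { …existing error block… }` (the last VALIDSIG field is the primary-key fingerprint, so this also covers signing subkeys; plain `grep` rather than `grep -q` avoids a SIGPIPE under `pipefail`). Two smaller points in the same hunk: both `curl --silent -L -O` calls lack `--fail`, so a nonexistent release or mistyped `VERSION` silently saves an HTML error page and is then reported as a signature failure, and `grep -Eo '^[^ ]+'` takes the leading token of every line of `SHA256SUMS.txt` without matching it to the archive name, so `$SHA256` holds several hashes if the file lists more than one asset. The tail of the hunk (the `cat` heredoc that emits the release attribute set, followed by the binary key file) is garbled on this page, so how `$SHA256` is consumed is not visible here.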
z*sm%r?aAz99=k_S&7o85>Dj64+>Mj|D{wse(CJv`@@vkAKW=X4Jf3QGx|_3@-#n2K z&i~}d`L)Y#Pb}&_yev^}xw-neEQ3ccj#~IXRhVYH$<&+ahC+r+L}IRf-jy${_x|&o zm2aE3X8BGgUY5u}!&Qs|411G8Uftqp34goEG;jNw7r&(^+%bN>c$K2qeGi5??PoVW zxWJ`)->r1n!~HuK$6vc5A;bRunn>Rqzr~pkKWbHcR1h$N+ip}zq>s|KBzgBm+q7-$YhBthFD97))-6^f?h6 zG9{pB0*9W5TB)i@(~+~&zVdCh{I9qFa$VcK;HAco;=X-+lycy!>$(Rgb+Wg|t>)SJ z;t@lD#0=jBnBewKIo=G*ss9?fJ5zwAGEQ!}ez{`orQrVD3c zbv3gExu^M=PmB-U^x(>6%_$Cj>m&G=?Ve&5b~b18jJe@e^WG-^`*dn=#{~Tk#S4lm z;wS36C;@NprusvYV|ap0l*h_8F7%eilXn36m$${QjZ8dkxrb z|NI%ozyInP7SV`R?Pn~4`19^+`giN(3H}K+QzPM%tk zak-y6!o3z=F3RkV{`v5OLaIQ9?#t-~vi65G8$-B1tY=ENoCq#;I$4TXBp5ju)Wj57 z%#KT$pS;ZrEjWf785_uW_1gDaqiEr<;DW>$4m`UEF)yj znyy}O@5(1Tj>4*#T`N8q-SmFH&{!(Tl!t9s;NjK(0(7ko&s=-P_xeq?En+X`nOfOC z%RXz>v&+WGtEF<=J%y5!W|!NmeoshKEoXf7TKn^)A3O%)Qdw7GW#-H*R!Ft2`>gY< zrBP;yL)FRC87oB;4#cWUXsuJ*lQ-*@Pjm2dw;#1R)3)w^v`q6uuiETzn;DhovMRR5 z9DJE8ROYl%C`#${ru_lNQ!8G_w)D0ZbuZ@rA=ta+%0-t;(a!uk&T;&lzqIDV%=4TP z5gQavZa<-a(W`t$sCej|^BZ5x%9?xJ`|Mpa^#x4QM@;LQRvL!}UbNY1#lp1PoU`hI z#N^|5Boml6)OTE;zV@4njjQ~b)uun6`?K-QT=-zK;I!jQ=h;TDcd))Dr7gPR%=TTM z(>}km|0JxX9GL8P!Mo<1;DjSba(YhATVdbvJ?~7@{4bvj-Os2e?M?oeRJeM%+m16A zm21BRrM6m1D&(D?lvY-j&c5;DvUyHo{@1_dAF8;r_iFC3{HhjK$;ij0ck@TlB!t9qGM@`pRksGiYmEjcK^hl z3cmLhD~?YW6?psAQ)ZJ{TJ4NqY?((xmOYeDS#KVwu|iJz@3e`G{{rshoArr2y!Juz z?!_xB!;6}YpKW6n+q!DLv-8Z-L;G%4^XkiQmHKnVg)>R=#mXhWFACN2_dYjh+v%d% zl=SK?@0T|hOs?lWZLe3_Bx917r5W~u@wkm&&z60>cMJ+jivzh0n4ZhXX)g(TGwq!G z-92?;GyiY?cyUX&Ms0E5kDluCiKp~-^~VJLU%`Lu-SUlBmMm?XxFCpYb+XoiBlVH7 zmRu*Z8qdwrWbYGsGWXGj<#KIN!DnRu&G&z?npcnKNqL$1^NUyV&BU~4`#iciN4KMH zhEU?)9)IqQy$xs8`*@q=vpf&WXvIfH?a41Wq;9fC_F?tmR)s@1)3eSP-THlPU-}$@ aHG=Ljwbyn3UeelP>l>7(HMj6}l>q?NvOu-~ literal 0 HcmV?d00001