Get electrs source tarball with gpg verified sha256 and corresponding helper script

move script to pkg dir, add hint to script in pkg def remove unneeded script deps add extended bash error checking rename DIR -> TMPDIR remove TMPDIR on exit strip whitespace, simplify comments gpg2 -> gpg latesttagelectrs -> latest tmpdir: don't use XDG_RUNTIME_DIR XDG_RUNTIME_DIR is often in RAM and shouldn't be used for larger workloads like repo downlaods verify fingerprint of the imported key remove trailing '-' in output simplify output Hide --fetch-key output Output is not relevant to user, looks better without it More accurately describe ./get-sha256 function User might think that ./get-sha256 automatically updates sha256 in default.nix Fetch key from sks keyservers instead of keybase.io Using --recv-key simplifies getting the right key, and only the right key, greatly. I try to refrain from using sks keyservers, but the certificate spamming attack shouldn't be an issue in this case because we create a temporary keychain just for the verificaiton. remove unneeded cargoDepsHook Make clang nativeBuildInput instead of buildInput
2020-04-14 11:04:03 +02:00 · 2020-04-14 11:04:03 +02:00 · 1acb22a872
parent 707b06aed1
commit 1acb22a872
2 changed files with 30 additions and 7 deletions
--- a/pkgs/electrs/default.nix
+++ b/pkgs/electrs/default.nix
@ -1,17 +1,16 @@
-{ lib, rustPlatform, clang, llvmPackages, fetchFromGitHub, pkgs }:
+{ lib, rustPlatform, llvmPackages, fetchurl, pkgs }:
 rustPlatform.buildRustPackage rec {
  pname = "electrs";
  version = "0.8.3";

-  src = fetchFromGitHub {
-    owner = "romanz";
-    repo = "electrs";
-    rev = "v${version}";
-    sha256 = "01993iv3kkf56s5x33gvk433zjwvqlfxa5vqrjl4ghr4i303ysc2";
+  src = fetchurl {
+    url = "https://github.com/romanz/electrs/archive/v${version}.tar.gz";
+    # Use ./get-sha256.sh to fetch latest (verified) sha256
+    sha256 = "6a00226907a0c36b10884e7dd9f87eb58123f089977a752b917d166af072ea3d";
  };

  # Needed for librocksdb-sys
-  buildInputs = [ clang ];
+  nativeBuildInputs = [ llvmPackages.clang ];
  LIBCLANG_PATH = "${llvmPackages.libclang}/lib";

  cargoSha256 = if pkgs ? cargo-vendor then
--- a/pkgs/electrs/get-sha256.sh
+++ b/pkgs/electrs/get-sha256.sh
@ -0,0 +1,24 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p git gnupg
+set -euo pipefail
+
+TMPDIR="$(mktemp -d -p /tmp)"
+trap "rm -rf $TMPDIR" EXIT
+cd $TMPDIR
+
+echo "Fetching latest release"
+git clone https://github.com/romanz/electrs 2> /dev/null
+cd electrs
+latest=$(git describe --tags `git rev-list --tags --max-count=1`)
+echo "Latest release is ${latest}"
+
+# GPG verification
+export GNUPGHOME=$TMPDIR
+echo "Fetching Roman Zeyde's Key"
+gpg --keyserver hkps://hkps.pool.sks-keyservers.net --recv-keys 15c8c3574ae4f1e25f3f35c587cae5fa46917cbb 2> /dev/null
+echo "Verifying latest release"
+git verify-tag ${latest}
+
+echo "tag: ${latest}"
+# The prefix option is necessary because GitHub prefixes the archive contents in this format
+echo "sha256: $(git archive --format tar.gz --prefix=electrs-"${latest//v}"/ ${latest} | sha256sum | cut -d\  -f1)"