greg/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Get electrs source tarball with gpg verified sha256 and corresponding helper script

Browse Source 
move script to pkg dir, add hint to script in pkg def

remove unneeded script deps

add extended bash error checking

rename DIR -> TMPDIR

remove TMPDIR on exit

strip whitespace, simplify comments

gpg2 -> gpg

latesttagelectrs -> latest

tmpdir: don't use XDG_RUNTIME_DIR

XDG_RUNTIME_DIR is often in RAM and shouldn't be used for larger
workloads like repo downlaods

verify fingerprint of the imported key

remove trailing '-' in output

simplify output

Hide --fetch-key output

Output is not relevant to user, looks better without it

More accurately describe ./get-sha256 function

User might think that ./get-sha256 automatically updates sha256 in default.nix

Fetch key from sks keyservers instead of keybase.io

Using --recv-key simplifies getting the right key, and only the
right key, greatly. I try to refrain from using sks keyservers,
but the certificate spamming attack shouldn't be an issue in this
case because we create a temporary keychain just for the
verificaiton.

remove unneeded cargoDepsHook

Make clang nativeBuildInput instead of buildInput
This commit is contained in:
nixbitcoin 2020-04-14 11:04:03 +02:00
parent 707b06aed1
commit 1acb22a872
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA
2 changed files with 30 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
pkgs/electrs/default.nix
View File

@ -1,17 +1,16 @@
{ lib, rustPlatform, clang, llvmPackages, fetchFromGitHub, pkgs }: { lib, rustPlatform, llvmPackages, fetchurl, pkgs }:
rustPlatform.buildRustPackage rec { rustPlatform.buildRustPackage rec {
pname = "electrs"; pname = "electrs";
version = "0.8.3"; version = "0.8.3";
src = fetchFromGitHub { src = fetchurl {
owner = "romanz"; url = "https://github.com/romanz/electrs/archive/v${version}.tar.gz";
repo = "electrs"; # Use ./get-sha256.sh to fetch latest (verified) sha256
rev = "v${version}"; sha256 = "6a00226907a0c36b10884e7dd9f87eb58123f089977a752b917d166af072ea3d";
sha256 = "01993iv3kkf56s5x33gvk433zjwvqlfxa5vqrjl4ghr4i303ysc2";
}; };
# Needed for librocksdb-sys # Needed for librocksdb-sys
buildInputs = [ clang ]; nativeBuildInputs = [ llvmPackages.clang ];
LIBCLANG_PATH = "${llvmPackages.libclang}/lib"; LIBCLANG_PATH = "${llvmPackages.libclang}/lib";
cargoSha256 = if pkgs ? cargo-vendor then cargoSha256 = if pkgs ? cargo-vendor then

24
pkgs/electrs/get-sha256.sh Executable file
View File

@ -0,0 +1,24 @@
#! /usr/bin/env nix-shell
#! nix-shell -i bash -p git gnupg
set -euo pipefail
TMPDIR="$(mktemp -d -p /tmp)"
trap "rm -rf $TMPDIR" EXIT
cd $TMPDIR
echo "Fetching latest release"
git clone https://github.com/romanz/electrs 2> /dev/null
cd electrs
latest=$(git describe --tags `git rev-list --tags --max-count=1`)
echo "Latest release is ${latest}"
# GPG verification
export GNUPGHOME=$TMPDIR
echo "Fetching Roman Zeyde's Key"
gpg --keyserver hkps://hkps.pool.sks-keyservers.net --recv-keys 15c8c3574ae4f1e25f3f35c587cae5fa46917cbb 2> /dev/null
echo "Verifying latest release"
git verify-tag ${latest}
echo "tag: ${latest}"
# The prefix option is necessary because GitHub prefixes the archive contents in this format
echo "sha256: $(git archive --format tar.gz --prefix=electrs-"${latest//v}"/ ${latest} | sha256sum | cut -d\ -f1)"