nix-bitcoin/helper/fetch-release

#!/usr/bin/env nix-shell
#!nix-shell -i bash -p bash coreutils curl jq gnupg gnugrep
set -euo pipefail

scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)

trap 'echo "Error at ${BASH_SOURCE[0]}, line $LINENO"' ERR

repo=fort-nix/nix-bitcoin
if [[ ! -v version ]]; then
    version=$(curl -fsS "https://api.github.com/repos/$repo/releases/latest" | jq -r '.tag_name' | tail -c +2)
fi

TMPDIR=$(mktemp -d)
trap 'rm -rf $TMPDIR' EXIT

export GNUPGHOME=$TMPDIR/gpg-home
mkdir -m 700 "$GNUPGHOME"

# Import key
gpg --import "$scriptDir/key-jonasnick.bin" &> /dev/null
# Check that exactly one key was imported
(($(gpg --list-keys --with-colons | grep -c pub) == 1))
# Verify key fingerprint
gpg --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null

# Fetch nar-hash of release
cd "$TMPDIR"
baseUrl=https://github.com/$repo/releases/download/v$version
curl -fsS -L -O "$baseUrl/nar-hash.txt"
curl -fsS -L -O "$baseUrl/nar-hash.txt.asc"

# Verify signature for nar-hash
gpg --verify nar-hash.txt.asc &> /dev/null || {
    >&2 echo "Error: Signature verification failed. Please open an issue in the project repository."
    exit 1
}

>&2 echo "Fetched and verified release $version"

cat <<EOF
builtins.fetchTarball {
  url = "https://github.com/$repo/archive/v$version.tar.gz";
  sha256 = "$(cat nar-hash.txt)";
}
EOF