24fd1e9bdc
The user's local node configuration directory usually contains a copy of examples/shell.nix. 1. Move the shell implementation from shell.nix to nix-bitcoin/helper/makeShell.nix Because the shell is no longer defined locally in the user's config directory, we can now ship new shell features via nix-bitcoin updates. 2. Simplify examples/nix-bitcoin-release.nix nix-bitcoin-release.nix, as generated via `fetch-release`, now contains a simple fetchTarball statement which can be directly imported. This allows us to get rid of the extra `nix-bitcoin-unpacked` derivation which adds a dependency on the user's local nixpkgs. To keep `fetch-release` as simple as possible for easy auditing, we just fetch and verify a `nar-hash.txt` file that is now uploaded via `push-release.sh`. A migration guide for updating the user's local `shell.nix` is automatically printed when the user starts a new shell after updating nix-bitcoin. This is achieved by throwing an error in `generate-secrets`, which is called on shell startup. This commit is required to deploy the new extensible `generate-secrets` mechanism introduced in the next commit.
43 lines
1.2 KiB
Plaintext
Executable File
43 lines
1.2 KiB
Plaintext
Executable File
#!/usr/bin/env nix-shell
|
|
#!nix-shell -i bash -p bash coreutils curl jq gnupg
|
|
set -euo pipefail
|
|
|
|
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
|
|
|
|
repo=fort-nix/nix-bitcoin
|
|
if [[ ! -v version ]]; then
|
|
version=$(curl --silent "https://api.github.com/repos/$repo/releases/latest" | jq -r '.tag_name' | tail -c +2)
|
|
fi
|
|
|
|
TMPDIR=$(mktemp -d)
|
|
trap "rm -rf $TMPDIR" EXIT
|
|
|
|
GPG_HOME=$TMPDIR/gpg-home
|
|
mkdir -p -m 700 "$GPG_HOME"
|
|
|
|
# Import key
|
|
gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
|
|
# Verify key fingerprint
|
|
gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null
|
|
|
|
# Fetch nar-hash of release
|
|
cd $TMPDIR
|
|
baseUrl=https://github.com/$repo/releases/download/v$version
|
|
curl --silent -L -O $baseUrl/nar-hash.txt
|
|
curl --silent -L -O $baseUrl/nar-hash.txt.asc
|
|
|
|
# Verify signature for nar-hash
|
|
gpg --homedir $GPG_HOME --verify nar-hash.txt.asc &> /dev/null || {
|
|
echo "Error: Signature verification failed. Please open an issue in the project repository."
|
|
exit 1
|
|
}
|
|
|
|
>&2 echo "Fetched and verified release $version"
|
|
|
|
cat <<EOF
|
|
builtins.fetchTarball {
|
|
url = "https://github.com/$repo/archive/v$version.tar.gz";
|
|
sha256 = "$(cat nar-hash.txt)";
|
|
}
|
|
EOF
|