Get electrs source tarball with gpg verified sha256 and corresponding…

… helper script move script to pkg dir, add hint to script in pkg def remove unneeded script deps add extended bash error checking rename DIR -> TMPDIR remove TMPDIR on exit strip whitespace, simplify comments gpg2 -> gpg latesttagelectrs -> latest tmpdir: don't use XDG_RUNTIME_DIR XDG_RUNTIME_DIR is often in RAM and shouldn't be used for larger workloads like repo downlaods verify fingerprint of the imported key remove trailing '-' in output simplify output Hide --fetch-key output Output is not relevant to user, looks better without it More accurately describe ./get-sha256 function User might think that ./get-sha256 automatically updates sha256 in default.nix Fetch key from sks keyservers instead of keybase.io Using --recv-key simplifies getting the right key, and only the right key, greatly. I try to refrain from using sks keyservers, but the certificate spamming attack shouldn't be an issue in this case because we create a temporary keychain just for the verificaiton. remove unneeded cargoDepsHook Make clang nativeBuildInput instead of buildInput
fort-nix · Apr 26, 2020 · 1acb22a · 1acb22a
1 parent 707b06a
commit 1acb22a
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 7 deletions.
diff --git a/pkgs/electrs/default.nix b/pkgs/electrs/default.nix
@@ -1,17 +1,16 @@
-{ lib, rustPlatform, clang, llvmPackages, fetchFromGitHub, pkgs }:
+{ lib, rustPlatform, llvmPackages, fetchurl, pkgs }:
 rustPlatform.buildRustPackage rec {
   pname = "electrs";
   version = "0.8.3";
 
-  src = fetchFromGitHub {
-    owner = "romanz";
-    repo = "electrs";
-    rev = "v${version}";
-    sha256 = "01993iv3kkf56s5x33gvk433zjwvqlfxa5vqrjl4ghr4i303ysc2";
+  src = fetchurl {
+    url = "https://github.com/romanz/electrs/archive/v${version}.tar.gz";
+    # Use ./get-sha256.sh to fetch latest (verified) sha256
+    sha256 = "6a00226907a0c36b10884e7dd9f87eb58123f089977a752b917d166af072ea3d";
   };
 
   # Needed for librocksdb-sys
-  buildInputs = [ clang ];
+  nativeBuildInputs = [ llvmPackages.clang ];
   LIBCLANG_PATH = "${llvmPackages.libclang}/lib";
 
   cargoSha256 = if pkgs ? cargo-vendor then

diff --git a/pkgs/electrs/get-sha256.sh b/pkgs/electrs/get-sha256.sh
@@ -0,0 +1,24 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p git gnupg
+set -euo pipefail
+
+TMPDIR="$(mktemp -d -p /tmp)"
+trap "rm -rf $TMPDIR" EXIT
+cd $TMPDIR
+
+echo "Fetching latest release"
+git clone https://github.com/romanz/electrs 2> /dev/null
+cd electrs
+latest=$(git describe --tags `git rev-list --tags --max-count=1`)
+echo "Latest release is ${latest}"
+
+# GPG verification
+export GNUPGHOME=$TMPDIR
+echo "Fetching Roman Zeyde's Key"
+gpg --keyserver hkps://hkps.pool.sks-keyservers.net --recv-keys 15c8c3574ae4f1e25f3f35c587cae5fa46917cbb 2> /dev/null
+echo "Verifying latest release"
+git verify-tag ${latest}
+
+echo "tag: ${latest}"
+# The prefix option is necessary because GitHub prefixes the archive contents in this format
+echo "sha256: $(git archive --format tar.gz --prefix=electrs-"${latest//v}"/ ${latest} | sha256sum | cut -d\  -f1)"