author | Erik Arvstedt <erik.arvstedt@gmail.com> | 2021-10-20 21:57:40 +0200 |
---|---|---|
committer | Erik Arvstedt <erik.arvstedt@gmail.com> | 2021-11-01 14:27:59 +0100 |
commit | 6b7aa566ef292ef162e9f29dbd059fb74f761df5 (patch) | |
tree | 20f8ab89d6119ccd804ed13df79e035d181277ee /pkgs/applications/blockchains/electrs | |
parent | 806535d54f4cbfa5222b8b4eba55f99fc7a6d8c0 (diff) |
electrs/update.sh: ensure tag is checked out
Cloning a tag-named branch introduced a supply chain attack vector, because branch and tag contents might differ. Now the hashed worktree always corresponds to the tag that is GPG-verified.
Diffstat (limited to 'pkgs/applications/blockchains/electrs')
-rwxr-xr-x | pkgs/applications/blockchains/electrs/update.sh | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/pkgs/applications/blockchains/electrs/update.sh b/pkgs/applications/blockchains/electrs/update.sh index 3e4d90db59de1..14105d71a448a 100755 --- a/pkgs/applications/blockchains/electrs/update.sh +++ b/pkgs/applications/blockchains/electrs/update.sh @@ -21,6 +21,7 @@ repo=$tmpdir/repo trap "rm -rf $tmpdir" EXIT git clone --depth 1 --branch v${version} -c advice.detachedHead=false https://github.com/romanz/electrs $repo +git -C $repo checkout tags/v${version} export GNUPGHOME=$tmpdir echo |
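Review bot: The added `git -C $repo checkout tags/v${version}` line only closes the gap if a failed checkout stops the script. When `git clone --depth 1 --branch v${version}` resolves to a branch, the shallow clone may not contain the tag at all, so the checkout errors out; unless `set -e` is in effect earlier in the file (not visible in this hunk), execution continues with the branch worktree still checked out. Consider making the failure explicit, for example `git -C "$repo" checkout "tags/v${version}" || exit 1`, which also quotes `$repo` and the tag ref so a temporary path containing spaces cannot split the arguments.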