authorsternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org>2021-04-13 23:30:21 +0200
committersternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org>2021-04-13 23:30:21 +0200
commit67e0540e443706624fff62605f6a632226e95fb4 (patch)
treeecd6554f5aadaba1705e28006c370aa5db55682f /pkgs/sternenseemann/bundle-signed-release/default.nix
parentaeb3813d405eb77e804b350e9f51c88dd4e464c2 (diff)
pkgs/sternenseemann: add release tarball tooling
The following nix functions allow easily creating derivations for
building a signed releases directory for project(s) to be served via
e. g. HTTP.

* buildGitTarball: builds a reproducible .tar.gz for a given git
  revision or tag (similar to git archive, but we don't actually
  reuse it in favor of fetchgit).
* bundleSignedReleases: symlinks tarballs generated using
  buildGitTarball and accompanying (manually provided) signatures into a
  directory and verifies the signatures to ensure buildGitTarball is
  doing what it's supposed to.
Diffstat (limited to 'pkgs/sternenseemann/bundle-signed-release/default.nix')
-rw-r--r--pkgs/sternenseemann/bundle-signed-release/default.nix54
1 files changed, 54 insertions, 0 deletions
diff --git a/pkgs/sternenseemann/bundle-signed-release/default.nix b/pkgs/sternenseemann/bundle-signed-release/default.nix
new file mode 100644
index 00000000..5db979b0
--- /dev/null
+++ b/pkgs/sternenseemann/bundle-signed-release/default.nix
@@ -0,0 +1,54 @@
+# Build a directory containing release tarballs and
+# their signatures. Fail if a signature is invalid.
+{ lib
+, getBins
+, signify
+, buildGitTarball
+, runCommandNoCC
+}:
+
+{ # public key to verify against
+  publicKey
+  # directory signature files are located in
+, sigs
+}:
+
+{ # project name:
+  # * tarballs are name ${pname}-${tag}.tar.gz
+  # * signatures are name ${pname}-${tag}.tar.gz.sig
+  pname
+  # information about the git remote to fetch from
+  # must contain an url attribute and may contain
+  # a subDir attribute.
+, git
+  # List of releases which are represented as an
+  # attribute set which contains a sha256 and
+  # either a tag or rev attribute.
+, releases
+}:
+
+let
+  bins = getBins signify [ "signify" ];
+
+  tarballs = builtins.map
+    (args: buildGitTarball (git // args // {
+      inherit pname;
+    })) releases;
+
+  sigFor = tarball: "${sigs}/${tarball.name}.sig";
+in
+
+runCommandNoCC "${pname}-releases" {} (''
+  mkdir -p "$out"
+'' + lib.concatMapStrings (tarball: ''
+  # verify tarball and inform user about what's happening
+  echo -n "${tarball.name}: "
+  ${bins.signify} -V \
+    -p "${publicKey}" \
+    -m "${tarball}" \
+    -x "${sigFor tarball}"
+
+  # succeeded, so copy tarball and signature
+  ln -s "${tarball}" "$out/${tarball.name}"
+  ln -s "${sigFor tarball}" "$out/${baseNameOf (sigFor tarball)}"
+'') tarballs)
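Review bot: The "fail if a signature is invalid" guarantee stated in the header comment is never expressed in the script itself: the `${bins.signify} -V` call has no exit-status check, so aborting the build on a bad signature depends on the stdenv builder running the command with errexit enabled (it presumably does, but nothing in this file says so). Making it explicit documents the intent and survives a change of builder, e.g. `-x "${sigFor tarball}" || { echo "signature verification failed for ${tarball.name}" >&2; exit 1; }`. On the last line, `baseNameOf (sigFor tarball)` is by construction just `"${tarball.name}.sig"`, which reads more directly and avoids recomputing the path. The two parameter comments near the top read `tarballs are name ${pname}-${tag}.tar.gz` / `signatures are name ...`; they should say `named`.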