Diffstat (limited to 'pkgs/sternenseemann/bundle-signed-release')
-rw-r--r-- | pkgs/sternenseemann/bundle-signed-release/default.nix | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/pkgs/sternenseemann/bundle-signed-release/default.nix b/pkgs/sternenseemann/bundle-signed-release/default.nix
new file mode 100644
index 00000000..5db979b0
--- /dev/null
+++ b/pkgs/sternenseemann/bundle-signed-release/default.nix
@@ -0,0 +1,54 @@
+# Build a directory containing release tarballs and
+# their signatures. Fail if a signature is invalid.
+{ lib
+, getBins
+, signify
+, buildGitTarball
+, runCommandNoCC
+}:
+
+{ # public key to verify against
+ publicKey
+ # directory signature files are located in
+, sigs
+}:
+
+{ # project name:
+ # * tarballs are name ${pname}-${tag}.tar.gz
+ # * signatures are name ${pname}-${tag}.tar.gz.sig
+ pname
+ # information about the git remote to fetch from
+ # must contain an url attribute and may contain
+ # a subDir attribute.
+, git
+ # List of releases which are represented as an
+ # attribute set which contains a sha256 and
+ # either a tag or rev attribute.
+, releases
+}:
+
+let
+ bins = getBins signify [ "signify" ];
+
+ tarballs = builtins.map
+ (args: buildGitTarball (git // args // {
+ inherit pname;
+ })) releases;
+
+ sigFor = tarball: "${sigs}/${tarball.name}.sig";
+in
+
+runCommandNoCC "${pname}-releases" {} (''
+ mkdir -p "$out"
+'' + lib.concatMapStrings (tarball: ''
+ # verify tarball and inform user about what's happening
+ echo -n "${tarball.name}: "
+ ${bins.signify} -V \
+ -p "${publicKey}" \
+ -m "${tarball}" \
+ -x "${sigFor tarball}"
+
+ # succeeded, so copy tarball and signature
+ ln -s "${tarball}" "$out/${tarball.name}"
+ ln -s "${sigFor tarball}" "$out/${baseNameOf (sigFor tarball)}"
+'') tarballs) |
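Review bot: The only thing that turns a failed `${bins.signify} -V` into a failed build is the builder shell aborting on a non-zero exit status; the header comment promises to fail on an invalid signature, but the hunk itself never makes that explicit and relies on the stdenv builder's errexit setting. Ending the command with `-x "${sigFor tarball}" || exit 1` states that intent in the code and keeps the check from silently passing if the snippet is ever run under a shell without `set -e`. The `publicKey` argument is interpolated straight into `-p`, so its comment should say what shape it must have, e.g. `# path to the signify public key (.pub) to verify against` rather than the key's contents. Minor: `$out/${baseNameOf (sigFor tarball)}` is `$out/${tarball.name}.sig` by construction of `sigFor`, and spelling it out avoids the extra `baseNameOf`.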