From 67e0540e443706624fff62605f6a632226e95fb4 Mon Sep 17 00:00:00 2001
From: sternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org>
Date: Tue, 13 Apr 2021 23:30:21 +0200
Subject: pkgs/sternenseemann: add release tarball tooling

The following nix functions allow easily creating derivations for
building a signed releases directory for project(s) to be served via
e. g. HTTP.

* buildGitTarball: builds a reproducible .tar.gz for a given git
  revision or tag (similar to git archive, but we don't actually
  reuse it in favor of fetchgit).
* bundleSignedReleases: symlinks tarballs generated using
  buildGitTarball and accompanying (manually provided) signatures into a
  directory and verifies the signatures to ensure buildGitTarball is
  donig what it's supposed to.
---
 .../bundle-signed-release/default.nix              | 54 ++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 pkgs/sternenseemann/bundle-signed-release/default.nix

(limited to 'pkgs/sternenseemann/bundle-signed-release/default.nix')

diff --git a/pkgs/sternenseemann/bundle-signed-release/default.nix b/pkgs/sternenseemann/bundle-signed-release/default.nix
new file mode 100644
index 00000000..5db979b0
--- /dev/null
+++ b/pkgs/sternenseemann/bundle-signed-release/default.nix
@@ -0,0 +1,54 @@
+# Build a directory containing release tarballs and
+# their signatures. Fail if a signature is invalid.
+{ lib
+, getBins
+, signify
+, buildGitTarball
+, runCommandNoCC
+}:
+
+{ # public key to verify against
+  publicKey
+  # directory signature files are located in
+, sigs
+}:
+
+{ # project name:
+  # * tarballs are name ${pname}-${tag}.tar.gz
+  # * signatures are name ${pname}-${tag}.tar.gz.sig
+  pname
+  # information about the git remote to fetch from
+  # must contain an url attribute and may contain
+  # a subDir attribute.
+, git
+  # List of releases which are represented as an
+  # attribute set which contains a sha256 and
+  # either a tag or rev attribute.
+, releases
+}:
+
+let
+  bins = getBins signify [ "signify" ];
+
+  tarballs = builtins.map
+    (args: buildGitTarball (git // args // {
+      inherit pname;
+    })) releases;
+
+  sigFor = tarball: "${sigs}/${tarball.name}.sig";
+in
+
+runCommandNoCC "${pname}-releases" {} (''
+  mkdir -p "$out"
+'' + lib.concatMapStrings (tarball: ''
+  # verify tarball and inform user about what's happening
+  echo -n "${tarball.name}: "
+  ${bins.signify} -V \
+    -p "${publicKey}" \
+    -m "${tarball}" \
+    -x "${sigFor tarball}"
+
+  # succeeded, so copy tarball and signature
+  ln -s "${tarball}" "$out/${tarball.name}"
+  ln -s "${sigFor tarball}" "$out/${baseNameOf (sigFor tarball)}"
+'') tarballs)
-- 
cgit 1.4.1