From fb17c99e35e72f3b21ec3b5473e84c21dc964776 Mon Sep 17 00:00:00 2001 From: Andrew Chow Date: Fri, 6 Aug 2021 16:11:22 -0400 Subject: [PATCH 1/2] guix: Don't include directory name in SHA256SUMS The SHA256SUMS file can be used in a sha256sum -c command to verify downloaded binaries. However users are likely to download just a single file and not place this file in the correct directory relative to the SHA256SUMS file for the simple verification command to work. By not including the directory name in the SHA256SUMS file, it will be easier for users to verify downloaded binaries. Co-authored-by: Carl Dong --- contrib/guix/guix-attest | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest index 1503c330b2f..6e12cbead73 100755 --- a/contrib/guix/guix-attest +++ b/contrib/guix/guix-attest @@ -162,6 +162,18 @@ EOF echo "Attesting to build outputs for version: '${VERSION}'" echo "" +# Given a SHA256SUMS file as stdin that has lines like: +# 0ba536819b221a91d3d42e978be016aac918f40984754d74058aa0c921cd3ea6 a/b/d/c/d/s/bitcoin-22.0rc2-riscv64-linux-gnu.tar.gz +# ... +# +# Replace each line's file name with its basename: +# 0ba536819b221a91d3d42e978be016aac918f40984754d74058aa0c921cd3ea6 bitcoin-22.0rc2-riscv64-linux-gnu.tar.gz +# ... +# +basenameify_SHA256SUMS() { + sed -E 's@(^[[:xdigit:]]{64}[[:space:]]+).+/([^/]+$)@\1\2@' +} + outsigdir="$GUIX_SIGS_REPO/$VERSION/$signer_name" mkdir -p "$outsigdir" ( @@ -174,6 +186,7 @@ mkdir -p "$outsigdir" cat "${noncodesigned_fragments[@]}" \ | sort -u \ | sort -k2 \ + | basenameify_SHA256SUMS \ > "$temp_noncodesigned" if [ -e noncodesigned.SHA256SUMS ]; then # The SHA256SUMS already exists, make sure it's exactly what we @@ -201,6 +214,7 @@ mkdir -p "$outsigdir" cat "${sha256sum_fragments[@]}" \ | sort -u \ | sort -k2 \ + | basenameify_SHA256SUMS \ > "$temp_all" if [ -e all.SHA256SUMS ]; then # The SHA256SUMS already exists, make sure it's exactly what we 
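Review bot: basenameify_SHA256SUMS passes any input line the sed pattern does not match through unchanged, and its header comment does not say so, so a fragment line in an unexpected format would land in the attested SHA256SUMS with its directory still attached and no error. The pattern also swallows a binary-mode `*` marker in front of the path (`<hash> *dir/file` becomes `<hash> file`), which matters only if the fragments are ever produced with `sha256sum -b`; how they are generated is not visible here. I would extend the comment with `# Lines without a directory component, or not in "<64 hex digits> <path>" form, pass through unchanged.` and `# Assumes text-mode sha256sum output (two spaces, no '*' marker).`.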
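Review bot: In the noncodesigned pipeline the new `| basenameify_SHA256SUMS \` stage runs after `sort -u` and `sort -k2`, so de-duplication and ordering are done on the full paths rather than on the names that end up in the file; the same applies to the all.SHA256SUMS pipeline in the next hunk. Two outputs with the same basename in different host directories would yield two entries for one name, possibly with different hashes, and nothing visible here detects that before the file is compared against the existing one and, presumably, signed. Consider moving the stage to the front, `| basenameify_SHA256SUMS \` then `| sort -u \` then `| sort -k2 \`, and failing the attestation if any file name appears more than once in the result. Reordering may change line order relative to SHA256SUMS files other attesters have already committed, so it would need to land for everyone at once. The enclosing subshell and the if-blocks continue outside the hunk.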
From 132cae44f2d031bdaa1e459b92ec89ad585dfc9f Mon Sep 17 00:00:00 2001 From: Andrew Chow Date: Tue, 10 Aug 2021 15:22:30 -0400 Subject: [PATCH 2/2] doc: Mention the flat directory structure for uploads The uploaded binaries need to match the same flat directory structure of the SHA256SUMS file in order for torrent downloaders to be able to verify the download without moving files. Mention this in the release process doc. --- doc/release-process.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/doc/release-process.md b/doc/release-process.md index 1b6472e812f..3e4748b7421 100644 --- a/doc/release-process.md +++ b/doc/release-process.md @@ -206,10 +206,15 @@ cat "$VERSION"/*/all.SHA256SUMS.asc > SHA256SUMS.asc ``` -- Upload to the bitcoincore.org server (`/var/www/bin/bitcoin-core-${VERSION}`): - 1. The contents of `./bitcoin/guix-build-${VERSION}/output`, except for +- Upload to the bitcoincore.org server (`/var/www/bin/bitcoin-core-${VERSION}/`): + 1. The contents of each `./bitcoin/guix-build-${VERSION}/output/${HOST}/` directory, except for `*-debug*` files. + Guix will output all of the results into host subdirectories, but the SHA256SUMS + file does not include these subdirectories. In order for downloads via torrent + to verify without directory structure modification, all of the uploaded files + need to be in the same directory as the SHA256SUMS file. + The `*-debug*` files generated by the guix build contain debug symbols for troubleshooting by developers. It is assumed that anyone that is interested in debugging can run guix to generate the files for 
@@ -217,6 +222,10 @@ cat "$VERSION"/*/all.SHA256SUMS.asc > SHA256SUMS.asc as save storage space *do not upload these to the bitcoincore.org server, nor put them in the torrent*. + ```sh + find guix-build-${VERSION}/output/ -maxdepth 2 -type f -not -name "SHA256SUMS.part" -and -not -name "*debug*" -exec scp {} user@bitcoincore.org:/var/www/bin/bitcoin-core-${VERSION} \; + ``` + 2. The `SHA256SUMS` file 3. The `SHA256SUMS.asc` combined signature file you just created