mirror of
https://github.com/fort-nix/nix-bitcoin.git
synced 2024-11-22 22:33:46 +03:00
Add fetch-release script
This allows getting the hash of the latest (or some other) release using github releases and gpg verification.
This commit is contained in:
parent
c303cd47e4
commit
5ed0284db9
@ -1,28 +1,10 @@
|
|||||||
Updating
|
Updating
|
||||||
---
|
---
|
||||||
Run `git pull` in the nix-bitcoin directory, enter the nix shell with `nix-shell` and redeploy with `nixops deploy -d bitcoin-node`.
|
In your deployment directory, enter the nix shell with `nix-shell` and run
|
||||||
|
|
||||||
### Verifying GPG Signatures (recommended)
|
```
|
||||||
1. Import jonasnick's gpg key
|
fetch-release > nix-bitcoin-release.nix
|
||||||
|
```
|
||||||
```
|
|
||||||
gpg2 --receive-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
|
|
||||||
```
|
|
||||||
|
|
||||||
2. Trust jonasnick's gpg key
|
|
||||||
|
|
||||||
```
|
|
||||||
gpg2 --edit-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
|
|
||||||
trust
|
|
||||||
4
|
|
||||||
quit
|
|
||||||
```
|
|
||||||
|
|
||||||
3. Verify commit after `git pull`
|
|
||||||
|
|
||||||
```
|
|
||||||
git verify-commit <hash of latest commit>
|
|
||||||
```
|
|
||||||
|
|
||||||
Nodeinfo
|
Nodeinfo
|
||||||
---
|
---
|
||||||
|
1
examples/nix-bitcoin-release.nix
Normal file
1
examples/nix-bitcoin-release.nix
Normal file
@ -0,0 +1 @@
|
|||||||
|
../.
|
@ -1,10 +1,12 @@
|
|||||||
let
|
let
|
||||||
# TODO:
|
# This is either a path to a local nix-bitcoin source or an attribute set to
|
||||||
# nix-bitcoin-path = builtins.fetchTarball {
|
# be used as the fetchurl argument.
|
||||||
# url = "https://github.com/fort-nix/nix-bitcoin/archive/master.tar.gz";
|
nix-bitcoin-release = import ./nix-bitcoin-release.nix;
|
||||||
# sha256 = "1mlvfakjgbl67k4k9mgafp5gvi2gb2p57xwxwffqr4chx8g848n7";
|
|
||||||
# };
|
nix-bitcoin-path =
|
||||||
nix-bitcoin-path = ../.;
|
if builtins.isAttrs nix-bitcoin-release then nix-bitcoin-unpacked
|
||||||
|
else nix-bitcoin-release;
|
||||||
|
|
||||||
nixpkgs-path = (import "${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix").nixpkgs;
|
nixpkgs-path = (import "${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix").nixpkgs;
|
||||||
nixpkgs = import nixpkgs-path {};
|
nixpkgs = import nixpkgs-path {};
|
||||||
nix-bitcoin = nixpkgs.callPackage nix-bitcoin-path {};
|
nix-bitcoin = nixpkgs.callPackage nix-bitcoin-path {};
|
||||||
@ -13,6 +15,10 @@ let
|
|||||||
url = "https://github.com/erikarvstedt/extra-container/archive/6cced2c26212cc1c8cc7cac3547660642eb87e71.tar.gz";
|
url = "https://github.com/erikarvstedt/extra-container/archive/6cced2c26212cc1c8cc7cac3547660642eb87e71.tar.gz";
|
||||||
sha256 = "0qr41mma2iwxckdhqfabw3vjcbp2ffvshnc3k11kwriwj14b766v";
|
sha256 = "0qr41mma2iwxckdhqfabw3vjcbp2ffvshnc3k11kwriwj14b766v";
|
||||||
}) {};
|
}) {};
|
||||||
|
|
||||||
|
nix-bitcoin-unpacked = (import <nixpkgs> {}).runCommand "nix-bitcoin-src" {} ''
|
||||||
|
mkdir $out; tar xf ${builtins.fetchurl nix-bitcoin-release} -C $out
|
||||||
|
'';
|
||||||
in
|
in
|
||||||
with nixpkgs;
|
with nixpkgs;
|
||||||
|
|
||||||
@ -23,6 +29,7 @@ stdenv.mkDerivation rec {
|
|||||||
|
|
||||||
shellHook = ''
|
shellHook = ''
|
||||||
export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:."
|
export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:."
|
||||||
|
alias fetch-release="${toString nix-bitcoin-path}/helper/fetch-release"
|
||||||
|
|
||||||
# ssh-agent and nixops don't play well together (see
|
# ssh-agent and nixops don't play well together (see
|
||||||
# https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect
|
# https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect
|
||||||
|
36
helper/fetch-release
Executable file
36
helper/fetch-release
Executable file
@ -0,0 +1,36 @@
|
|||||||
|
#! /usr/bin/env nix-shell
|
||||||
|
#! nix-shell -i bash -p bash coreutils curl jq gnugrep gnupg
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
|
||||||
|
|
||||||
|
REPO=fort-nix/nix-bitcoin
|
||||||
|
if [[ ! -v VERSION ]]; then
|
||||||
|
VERSION=$(curl --silent "https://api.github.com/repos/$REPO/releases/latest" | jq -r '.tag_name' | tail -c +2)
|
||||||
|
fi
|
||||||
|
|
||||||
|
TMPDIR=$(mktemp -d)
|
||||||
|
GPG_HOME=$(mktemp -d)
|
||||||
|
trap "rm -rf $TMPDIR $GPG_HOME" EXIT
|
||||||
|
|
||||||
|
cd $TMPDIR
|
||||||
|
BASEURL=https://github.com/$REPO/releases/download/v$VERSION
|
||||||
|
curl --silent -L -O $BASEURL/SHA256SUMS.txt
|
||||||
|
curl --silent -L -O $BASEURL/SHA256SUMS.txt.asc
|
||||||
|
|
||||||
|
# Import key and verify fingerprint
|
||||||
|
gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
|
||||||
|
gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null
|
||||||
|
|
||||||
|
gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc &> /dev/null || {
|
||||||
|
echo "ERROR: Signature verification failed. Please open an issue in the project repository."
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
SHA256=$(cat SHA256SUMS.txt | grep -Eo '^[^ ]+')
|
||||||
|
cat <<EOF
|
||||||
|
{
|
||||||
|
url = "$BASEURL/nix-bitcoin-$VERSION.tar.gz";
|
||||||
|
sha256 = "$SHA256";
|
||||||
|
}
|
||||||
|
EOF
|
BIN
helper/key-jonasnick.bin
Normal file
BIN
helper/key-jonasnick.bin
Normal file
Binary file not shown.
Loading…
Reference in New Issue
Block a user