Pin packages

Verifying signatures is not that great because when the keys expire the build is broken. We instead pin the packages while still being able to verify when the pin is updated. This already has some keys expired so the pins are added here.
debian-cryptoanarchy · Dec 18, 2023 · 63ded47 · 63ded47
1 parent 5c28595
commit 63ded47
Show file tree

Hide file tree

Showing 15 changed files with 43 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -37,6 +37,8 @@ all: $(addsuffix .mk,$(addprefix $(BUILD_DIR)/vars-,$(SOURCES)) $(addprefix $(BU
 
 clean:
 
+update-pin:
+
 include common_rules.mk
 
 build-dep:

diff --git a/build_rules/bitcoin.pin b/build_rules/bitcoin.pin
@@ -0,0 +1 @@
+366eb44a7a0aa5bd342deea215ec19a184a11f2ca22220304ebb20b9c8917e2b  bitcoin-0.21.1-x86_64-linux-gnu.tar.gz
diff --git a/build_rules/btc-rpc-explorer.pin b/build_rules/btc-rpc-explorer.pin
@@ -0,0 +1 @@
+789f6436f75a78bbf7c833df56b1271bcc32de37
diff --git a/build_rules/btc-rpc-proxy.pin b/build_rules/btc-rpc-proxy.pin
@@ -0,0 +1 @@
+ed018d48586a10d72d81ceef452b41cdca36c390
diff --git a/build_rules/btc-transmuter.pin b/build_rules/btc-transmuter.pin
@@ -0,0 +1 @@
+a497084b3483d65e3a5d188d18b748b008fa8a67
diff --git a/build_rules/btcpayserver.pin b/build_rules/btcpayserver.pin
@@ -0,0 +1 @@
+d738f797ec766d9e9ade14ab7c8f141c67a1debb
diff --git a/build_rules/electrs.pin b/build_rules/electrs.pin
@@ -0,0 +1 @@
+446858ea621416916f84cbce61be92b748e8133e
diff --git a/build_rules/electrum.pin b/build_rules/electrum.pin
@@ -0,0 +1 @@
+120b9d72342f8d1e60dff4aff2dc25dfce0442d35667bf17656e7707499b53fc
diff --git a/build_rules/lnd.pin b/build_rules/lnd.pin
@@ -0,0 +1 @@
+9ac3607b2421de4939e41b87e640a7f65682333813f2cd7c6e6168c89d905b69  lnd-linux-amd64-v0.17.0-beta.tar.gz
diff --git a/build_rules/lnpbp-testkit.pin b/build_rules/lnpbp-testkit.pin
@@ -0,0 +1 @@
+0ecd26e986378f44f6581fd1e2318319f6847add
diff --git a/build_rules/nbxplorer.pin b/build_rules/nbxplorer.pin
@@ -0,0 +1 @@
+cfb9aa95060f1aea7f0ed3ad068a502cc50edd3f
diff --git a/build_rules/ridetheln.pin b/build_rules/ridetheln.pin
@@ -0,0 +1 @@
+f817ae39bc71594f4e4a7a6be8cf68c74ac2362c
diff --git a/build_rules/selfhost-dashboard.pin b/build_rules/selfhost-dashboard.pin
@@ -0,0 +1 @@
+c3170c70515cc88922bbb351c0e332ba8b271bad
diff --git a/build_rules/thunderhub.pin b/build_rules/thunderhub.pin
@@ -0,0 +1 @@
+338bf21afb07dd98e2872553598500ae36f8519b
diff --git a/build_template.mustache b/build_template.mustache
@@ -93,7 +93,7 @@ $({{{pkg_name_upper}}}_FILTERED_SHASUMS): $({{{pkg_name_upper}}}_SHASUMS_SIG) {{
 {{/shasums}}
 {{/unpack}}
 
-$(BUILD_DIR)/verify-{{{source_name}}}.stamp: {{#unpack}}$(BUILD_DIR)/{{{file_name}}}{{/unpack}}{{#clone_url}}$(BUILD_DIR)/fetch-{{{source_name}}}.stamp{{/clone_url}} $({{{pkg_name_upper}}}_FILTERED_SHASUMS){{#get_assets}}{{#signature}} $({{{pkg_name_upper}}}_BUILD_DIR)/{{{file_name}}}.sig $({{{pkg_name_upper}}}_BUILD_DIR)/{{{file_name}}} $(BUILD_DIR)/{{{fingerprint}}}$(KEY_INPUT_SUFFIX){{/signature}}{{/get_assets}}{{#verify_tag}} $(BUILD_DIR)/{{fingerprint}}-gnupg-home.stamp{{/verify_tag}}{{#verify_commit}} $(BUILD_DIR)/{{fingerprint}}-gnupg-home.stamp{{/verify_commit}}
+$(BUILD_DIR)/verify-signature-{{{source_name}}}.stamp: {{#unpack}}$(BUILD_DIR)/{{{file_name}}}{{/unpack}}{{#clone_url}}$(BUILD_DIR)/fetch-{{{source_name}}}.stamp{{/clone_url}} $({{{pkg_name_upper}}}_FILTERED_SHASUMS){{#get_assets}}{{#signature}} $({{{pkg_name_upper}}}_BUILD_DIR)/{{{file_name}}}.sig $({{{pkg_name_upper}}}_BUILD_DIR)/{{{file_name}}} $(BUILD_DIR)/{{{fingerprint}}}$(KEY_INPUT_SUFFIX){{/signature}}{{/get_assets}}{{#verify_tag}} $(BUILD_DIR)/{{fingerprint}}-gnupg-home.stamp{{/verify_tag}}{{#verify_commit}} $(BUILD_DIR)/{{fingerprint}}-gnupg-home.stamp{{/verify_commit}}
 {{#unpack}}
 {{#shasums}}
 	cd $(BUILD_DIR) && sha256sum -c $({{{pkg_name_upper}}}_FILTERED_SHASUMS_FILENAME)
@@ -124,10 +124,37 @@ $(BUILD_DIR)/verify-{{{source_name}}}.stamp: {{#unpack}}$(BUILD_DIR)/{{{file_nam
 	{{/chmod}}
 	touch $@
 
+$(BUILD_DIR)/verify-pin-{{{source_name}}}.stamp: {{#unpack}}$(BUILD_DIR)/{{{file_name}}}{{/unpack}}{{#clone_url}}$(BUILD_DIR)/fetch-{{{source_name}}}.stamp{{/clone_url}} $({{{pkg_name_upper}}}_FILTERED_SHASUMS)
+	{{#unpack}}
+	cd $(BUILD_DIR) && sha256sum -c $(SOURCE_DIR)/build_rules/{{{source_name}}}.pin
+	{{/unpack}}
+	{{#clone_url}}
+	test "`cat $(SOURCE_DIR)/build_rules/{{{source_name}}}.pin`" = "`cd "$({{{pkg_name_upper}}}_BUILD_DIR)" && git rev-parse HEAD`"
+	{{/clone_url}}
+
+{{#unpinned}}
+$(BUILD_DIR)/verify-{{{source_name}}}.stamp: $(BUILD_DIR)/verify-signature-{{{source_name}}}.stamp
+	touch $@
+{{/unpinned}}
+{{^unpinned}}
+$(BUILD_DIR)/verify-{{{source_name}}}.stamp: $(BUILD_DIR)/verify-pin-{{{source_name}}}.stamp
+	touch $@
+{{/unpinned}}
+
 {{#unpack}}
 $({{{pkg_name_upper}}}_BUILD_DIR)/: $(BUILD_DIR)/verify-{{{source_name}}}.stamp
 {{/unpack}}
 
+update-pin-{{{source_name}}}: $(BUILD_DIR)/verify-signature-{{{source_name}}}.stamp
+{{#unpack}}
+	cd $(BUILD_DIR) && sha256sum {{{file_name}}} > $(SOURCE_DIR)/build_rules/{{{source_name}}}.pin
+{{/unpack}}
+{{#clone_url}}
+	cd $({{{pkg_name_upper}}}_BUILD_DIR) && git rev-parse HEAD > $(SOURCE_DIR)/build_rules/{{{source_name}}}.pin
+{{/clone_url}}
+
+update-pin: update-pin-{{{source_name}}}
+
 $(BUILD_DIR)/packages-{{{source_name}}}.stamp: $({{{pkg_name_upper}}}_ASSETS)
 
 all: $(BUILD_DIR)/packages-{{{source_name}}}.stamp