Merge bitcoin#22654: guix: Don't include directory name in SHA256SUMS

fanquake · knst · commit 5dd78dfd9629 · 2023-04-03T17:28:42.000+07:00
132cae4 doc: Mention the flat directory structure for uploads (Andrew Chow) fb17c99 guix: Don't include directory name in SHA256SUMS (Andrew Chow) Pull request description: The SHA256SUMS file can be used in a sha256sum -c command to verify downloaded binaries. However users are likely to download just a single file and not place this file in the correct directory relative to the SHA256SUMS file for the simple verification command to work. By not including the directory name in the SHA256SUMS file, it will be easier for users to verify downloaded binaries. ACKs for top commit: Zero-1729: re-ACK 132cae4 fanquake: ACK 132cae4 Tree-SHA512: c9ff416b8dfb2f3ceaf4d63afb84aac9fcaefbbf9092f9e095061b472884ec92c7a809e6530c7132a82cfe3ab115a7328e47994a412072e1d4feb26fc502c8c5
diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest
@@ -162,6 +162,18 @@ EOF
 echo "Attesting to build outputs for version: '${VERSION}'"
 echo ""
 
+# Given a SHA256SUMS file as stdin that has lines like:
+#     0ba536819b221a91d3d42e978be016aac918f40984754d74058aa0c921cd3ea6  a/b/d/c/d/s/bitcoin-22.0rc2-riscv64-linux-gnu.tar.gz
+#     ...
+#
+# Replace each line's file name with its basename:
+#     0ba536819b221a91d3d42e978be016aac918f40984754d74058aa0c921cd3ea6  bitcoin-22.0rc2-riscv64-linux-gnu.tar.gz
+#     ...
+#
+basenameify_SHA256SUMS() {
+    sed -E 's@(^[[:xdigit:]]{64}[[:space:]]+).+/([^/]+$)@\1\2@'
+}
+
 outsigdir="$GUIX_SIGS_REPO/$VERSION/$signer_name"
 mkdir -p "$outsigdir"
 (
@@ -174,6 +186,7 @@ mkdir -p "$outsigdir"
         cat "${noncodesigned_fragments[@]}" \
             | sort -u \
             | sort -k2 \
+            | basenameify_SHA256SUMS \
                 > "$temp_noncodesigned"
         if [ -e noncodesigned.SHA256SUMS ]; then
             # The SHA256SUMS already exists, make sure it's exactly what we
@@ -202,6 +215,7 @@ mkdir -p "$outsigdir"
             | sort -u \
             | sort -k2 \
             | sed 's/$/\r/' \
+            | basenameify_SHA256SUMS \
                 > "$temp_codesigned"
         if [ -e codesigned.SHA256SUMS ]; then
             # The SHA256SUMS already exists, make sure it's exactly what we
diff --git a/doc/release-process.md b/doc/release-process.md
@@ -163,15 +163,24 @@ cat "$VERSION"/*/all.SHA256SUMS.asc > SHA256SUMS.asc
 ```
 
 - Upload to the dash.org server:
-    1. The contents of /dash/guix-build-${VERSION}/output`, except for
+    1. The contents of each `./dash/guix-build-${VERSION}/output/${HOST}/` directory, except for
        `*-debug*` files.
 
+       Guix will output all of the results into host subdirectories, but the SHA256SUMS
+       file does not include these subdirectories. In order for downloads via torrent
+       to verify without directory structure modification, all of the uploaded files
+       need to be in the same directory as the SHA256SUMS file.
+
        The `*-debug*` files generated by the guix build contain debug symbols
        for troubleshooting by developers. It is assumed that anyone that is
        interested in debugging can run guix to generate the files for
        themselves. To avoid end-user confusion about which file to pick, as well
        as save storage space *do not upload these to the dash.org server*.
 
+       ```sh
+       find guix-build-${VERSION}/output/ -maxdepth 2 -type f -not -name "SHA256SUMS.part" -and -not -name "*debug*" -exec scp {} user@dash.org:/var/www/bin/dash-core-${VERSION} \;
+       ```
+
     2. The `SHA256SUMS` file
 
     3. The `SHA256SUMS.asc` combined signature file you just created
