-
Notifications
You must be signed in to change notification settings - Fork 124
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Generate checksums for release artifacts in CI
One of the major complains surrounding the recent XZ fiasco is that auto-tools generated source files include so much obtuse code that they are difficult to audit. Also it isn't immediately apparent what sources they have been generated from. In our case we're generating the source dist files in CI anyway and automatically attaching them to releases, but GH does not make it possible to verify this. They could just as well be reposted later by a malicious maintainer. This is not a magic bullet to fix all that, but it should help. The CI environment can be verified by looking at the workflow file and the other Git sources so we're not using a modified version of autotools or anything like that. Checksums are now being generated after making the distribution tarballs, and *echoed to the output log* so it is possible to verify that the files generated in CI are actually still the ones attached to the release. The checksums file is also posted to the release.
- Loading branch information
Showing
6 changed files
with
27 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
AC_DEFUN([AX_DIST_CHECKSUMS], [ | ||
AX_PROGVAR([sha256sum]) | ||
AX_PROGVAR([tee]) | ||
]) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# Output both a file that can be attatched to releases and also write STDOUT | ||
# for the sake of CI build logs so they can be audited as matching what is | ||
# eventually posted. The list of files checksummed is a glob (even though we | ||
# know an exact pattern) to avoid errors for formats not generated. | ||
checksum_dist = \ | ||
shopt -s nullglob ; \ | ||
$(SHA256SUM) $(distdir)*.{tar.{gz,bz2,lz,xz,zst},zip} |\ | ||
$(TEE) $(distdir).sha256.txt | ||
|
||
CLEANFILES += $(distdir).sha256.txt | ||
|
||
# Append checksum operation to function that runs after compressing dist archives | ||
am__post_remove_distdir = $(am__remove_distdir); $(checksum_dist) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters