From 285d608b56fb391917cee3bbb2a1cc3a8ea88ab6 Mon Sep 17 00:00:00 2001
From: Caleb Maclennan
Date: Wed, 3 Apr 2024 13:47:54 +0300
Subject: [PATCH] Generate checksums for release artifacts in CI

One of the major complains surrounding the recent XZ fiasco is that auto-tools generated source files include so much obtuse code that they are difficult to audit. Also it isn't immediately apparent what sources they have been generated from. In our case we're generating the source dist files in CI anyway and automatically attaching them to releases, but GH does not make it possible to verify this. They could just as well be reposted later by a malicious maintainer. This is not a magic bullet to fix all that, but it should help. The CI environment can be verified by looking at the workflow file and the other Git sources so we're not using a modified version of autotools or anything like that. Checksums are now being generated after making the distribution tarballs, and *echoed to the output log* so it is possible to verify that the files generated in CI are actually still the ones attached to the release. The checksums file is also posted to the release.
---
 .github/workflows/release.yml | 5 ++++-
 Makefile.am | 1 +
 build-aux/ax_dist_checksums.m4 | 6 ++++++
 build-aux/dist_checksums.mk | 10 ++++++++++
 configure.ac | 3 ++-
 5 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 build-aux/ax_dist_checksums.m4
 create mode 100644 build-aux/dist_checksums.mk

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cf45cf38..8da056b2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -43,6 +43,7 @@ jobs:
 files: |
 vcsh-${{ env.VERSION }}.tar.zst
 vcsh-${{ env.VERSION }}.zip
+ vcsh-${{ env.VERSION }}.sha256.txt
 
 deploy-standalone:
 runs-on: ubuntu-latest
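Review bot: The new `vcsh-${{ env.VERSION }}.sha256.txt` entry in `files:` is only correct if the file that `make dist` writes is named exactly `$(distdir).sha256.txt` with `distdir` equal to `vcsh-<VERSION>`, and nothing in this step checks that the file exists, so a silent failure in checksum generation would leave the release without it (how the upload action treats a missing entry is outside this hunk). A short comment above the entry would make the coupling visible, e.g. `# produced by build-aux/dist_checksums.mk during make dist; the name must match $(distdir).sha256.txt`. The upload step this list belongs to starts above the hunk, so I cannot see which earlier step is presumed to have produced the file.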
@@ -56,9 +57,11 @@ jobs:
 ./bootstrap.sh
 ./configure --with-standalone --bindir=/
 make DESTDIR=. install-exec
+ sha256sum vcsh-standalone.sh | tee vcsh-standalone.sha256.txt
 - name: Add standalone deployment to release
 uses: svenstaro/upload-release-action@v2
 with:
 repo_token: ${{ github.token }}
- file: vcsh-standalone.sh
 tag: ${{ github.ref }}
+ file_glob: true
+ file: vcsh-standalone.{sh,sha256.txt}
diff --git a/Makefile.am b/Makefile.am
index 87e69aaa..c4e1fb82 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -24,6 +24,7 @@ BUILT_SOURCES =
 CLEANFILES = $(dist_man_MANS) $(bin_SCRIPTS)
 include $(top_srcdir)/build-aux/git_version.mk
+include $(top_srcdir)/build-aux/dist_checksums.mk
 include $(top_srcdir)/build-aux/shell_completion_dirs.mk
 if !IS_SDIST
diff --git a/build-aux/ax_dist_checksums.m4 b/build-aux/ax_dist_checksums.m4
new file mode 100644
index 00000000..5df751c9
--- /dev/null
+++ b/build-aux/ax_dist_checksums.m4
@@ -0,0 +1,6 @@
+AC_DEFUN([AX_DIST_CHECKSUMS], [
+
+ AX_PROGVAR([sha256sum])
+ AX_PROGVAR([tee])
+
+])
diff --git a/build-aux/dist_checksums.mk b/build-aux/dist_checksums.mk
new file mode 100644
index 00000000..b91755f7
--- /dev/null
+++ b/build-aux/dist_checksums.mk
@@ -0,0 +1,10 @@
+# Prepend to function that runs after compressing dist archives
+am__post_remove_distdir = $(checksum_dist); $(am__post_remove_distdir )
+
+# Output both a file that can be attatched to releases and also write STDOUT
+# for the sake of CI build logs so they can be audited as matching what is
+# eventually posted.
+checksum_dist = \
+ $(SHA256SUM) --ignore-missing $(distdir).{tar.{gz,bz2,lz,xz,zst},zip} |\
+ $(TEE) $(distdir).sha256.txt
+
diff --git a/configure.ac b/configure.ac
index b9b1d24c..3825494a 100644
--- a/configure.ac
+++ b/configure.ac
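Review bot: `sha256sum vcsh-standalone.sh | tee vcsh-standalone.sha256.txt` exits with tee's status, so if sha256sum fails (file missing, tool absent) the step still passes and an empty checksum file is uploaded next to the script; GitHub's default `bash -e {0}` does not enable `pipefail` unless the step sets `shell: bash` explicitly, and the head of this `run:` block is outside the hunk so I cannot tell which applies. Writing the file first and echoing it afterwards removes the dependency on pipefail: `sha256sum vcsh-standalone.sh > vcsh-standalone.sha256.txt && cat vcsh-standalone.sha256.txt`. It is also worth a comment that the checksum file is uploaded in the same step, with the same token, as the artifact it covers, so the echoed log line rather than the uploaded file is the independent evidence the commit message relies on, e.g. `# the checksum line in the job log is the reference; the uploaded .sha256.txt only mirrors it`.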
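Review bot: `--ignore-missing` is accepted by GNU sha256sum only together with `--check`; without it the tool exits with "the --ignore-missing option is meaningful only when verifying checksums", and the `{tar.{gz,bz2,lz,xz,zst},zip}` brace expansion additionally requires `$(SHELL)` to be bash, which is not guaranteed for an automake recipe (autoconf records the shell configure ran under, commonly /bin/sh, which is dash on Ubuntu runners). Either failure is then hidden twice: `| $(TEE)` returns tee's status, and the `;` in `am__post_remove_distdir = $(checksum_dist); $(am__post_remove_distdir )` drops the status regardless, so `make dist` succeeds while `$(distdir).sha256.txt` is empty or lists a literal unexpanded name. Automake already records the archives it produced in `$(DIST_ARCHIVES)`, so the recipe can become `$(SHA256SUM) $(DIST_ARCHIVES) > $(distdir).sha256.txt && cat $(distdir).sha256.txt` with the hook changed to `am__post_remove_distdir = $(checksum_dist) && $(am__post_remove_distdir )`, which needs neither `--ignore-missing` nor brace expansion and makes a failed checksum fail the dist. If `AX_PROGVAR` (defined outside this patch) leaves `SHA256SUM` empty when the tool is absent, the same masking would hide that as well, so the configure side should fail hard when sha256sum is not found.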
@@ -28,9 +28,10 @@ AC_ARG_WITH([standalone],
 ], [])
-# These three macros must be run after processing our standalone setup because
+# These macros must be run after processing our standalone setup because
 # they all expect the program name transformation setup to be complete.
 AX_GIT_VERSION
+AX_DIST_CHECKSUMS
 AX_SHELL_COMPLETION_DIRS
 AX_TRANSFORM_PACKAGE_NAME