Commit

Generate checksums for release artifacts in CI
One of the major complaints surrounding the recent XZ fiasco is that
autotools-generated source files include so much obtuse code that they
are difficult to audit. Also it isn't immediately apparent what sources
they have been generated from. In our case we're generating the source
dist files in CI anyway and automatically attaching them to releases,
but GH does not make it possible to verify this. They could just as well
be reposted later by a malicious maintainer.

This is not a magic bullet to fix all that, but it should help. The CI
environment can be verified by looking at the workflow file and the
other Git sources so we're not using a modified version of autotools or
anything like that. Checksums are now being generated after making the
distribution tarballs, and *echoed to the output log* so it is possible
to verify that the files generated in CI are actually still the ones
attached to the release. The checksums file is also posted to the
release.
alerque committed Apr 4, 2024
1 parent a46a8b9 commit 61aac7d
Showing 6 changed files with 31 additions and 2 deletions.
1 change: 1 addition & 0 deletions .github/workflows/build.yml
Expand Up @@ -20,6 +20,7 @@ jobs:
./configure --with-standalone --bindir=/
make DESTDIR=. install-exec
echo VERSION=$(cat .version) >> $GITHUB_ENV
sha256sum vcsh-standalone.sh
- name: Post standalone script artifact
uses: actions/upload-artifact@v4
with:
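Review bot: the `sha256sum vcsh-standalone.sh` line in this hunk only prints the digest to the job log, whereas the matching step in release.yml tees it into `vcsh-standalone.sha256.txt`. Since the script is then uploaded with `actions/upload-artifact`, consider `sha256sum vcsh-standalone.sh | tee vcsh-standalone.sha256.txt` here as well and adding the file to the artifact's `path`, so a build artifact can be checked the same way as a release asset rather than only against a log line.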
5 changes: 4 additions & 1 deletion .github/workflows/release.yml
Expand Up @@ -43,6 +43,7 @@ jobs:
files: |
vcsh-${{ env.VERSION }}.tar.zst
vcsh-${{ env.VERSION }}.zip
vcsh-${{ env.VERSION }}.sha256.txt
deploy-standalone:
runs-on: ubuntu-latest
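Review bot: the `vcsh-${{ env.VERSION }}.sha256.txt` entry added to `files:` is named from `env.VERSION` (set from `.version` in the build workflow hunk above), while the file itself is written by the Makefile fragment as `$(distdir).sha256.txt`; the two must agree exactly or the release step has no checksum file to attach and may not complain. A cheap `ls vcsh-*.sha256.txt` step before the upload would catch a mismatch. Since the entries in that file record bare file names, it is worth telling users they can run `sha256sum -c vcsh-${VERSION}.sha256.txt` in their download directory. Note that attaching the checksum file with the same token as the artifacts it describes adds no independence on its own; as the commit message says, the log echo is what a verifier compares against.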
Expand All @@ -56,9 +57,11 @@ jobs:
./bootstrap.sh
./configure --with-standalone --bindir=/
make DESTDIR=. install-exec
sha256sum vcsh-standalone.sh | tee vcsh-standalone.sha256.txt
- name: Add standalone deployment to release
uses: svenstaro/upload-release-action@v2
with:
repo_token: ${{ github.token }}
file: vcsh-standalone.sh
tag: ${{ github.ref }}
file_glob: true
file: vcsh-standalone.{sh,sha256.txt}
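Review bot: with `file_glob: true` the pattern `vcsh-standalone.{sh,sha256.txt}` relies on the action's glob library supporting brace expansion; a plain glob such as `vcsh-standalone.*`, or listing both files, avoids depending on that. In the `sha256sum vcsh-standalone.sh | tee vcsh-standalone.sha256.txt` line the step's exit status is `tee`'s, so a missing script would still leave an empty checksum file and a green job unless the step runs with `set -o pipefail` (or `shell: bash`, which GitHub Actions invokes with pipefail enabled).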
1 change: 1 addition & 0 deletions Makefile.am
Expand Up @@ -24,6 +24,7 @@ BUILT_SOURCES =
CLEANFILES = $(dist_man_MANS) $(bin_SCRIPTS)

include $(top_srcdir)/build-aux/git_version.mk
include $(top_srcdir)/build-aux/dist_checksums.mk
include $(top_srcdir)/build-aux/shell_completion_dirs.mk

if !IS_SDIST
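Review bot: the new `include` pulls in a fragment that defines a `distclean-local:` rule and reassigns `am__post_remove_distdir`; automake accepts only one definition of `distclean-local` per Makefile.am, so a short comment beside this line saying that the fragment owns that target would spare the next person who needs a distclean hook a confusing duplicate-rule error.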
6 changes: 6 additions & 0 deletions build-aux/ax_dist_checksums.m4
@@ -0,0 +1,6 @@
AC_DEFUN([AX_DIST_CHECKSUMS], [
AX_PROGVAR([sha256sum])
AX_PROGVAR([tee])
])
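Review bot: `AX_PROGVAR([sha256sum])` probes only for the GNU coreutils name; on macOS and the BSDs the equivalent is `shasum -a 256` or `sha256`, so `make dist` there will either fail or, depending on what AX_PROGVAR does when the program is missing, run with an empty `$(SHA256SUM)`. Either probe for the alternatives and set `SHA256SUM` accordingly, or document that GNU coreutils is required to build a distribution. A one-line comment stating what the macro provides would also help.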
17 changes: 17 additions & 0 deletions build-aux/dist_checksums.mk
@@ -0,0 +1,17 @@
# Output both a file that can be attatched to releases and also write STDOUT
# for the sake of CI build logs so they can be audited as matching what is
# eventually posted. The list of files checksummed is a glob (even though we
# know an exact pattern) to avoid errors for formats not generated.
checksum_dist = \
shopt -s nullglob ; \
$(SHA256SUM) $(distdir)*.{tar.{gz,bz2,lz,xz,zst},zip} |\
$(TEE) $(distdir).sha256.txt

# Since the checksums file isn't an artifact produced by the default source dist
# creation process, we have to clean it up ourselves so distcheck can see that
# everything round-tripped cleanly.
distclean-local:
rm -f $(distdir).sha256.txt

# Append checksum operation to function that runs after compressing dist archives
am__post_remove_distdir = $(am__remove_distdir); $(checksum_dist)
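Review bot: `shopt -s nullglob` and the `{tar.{gz,bz2,lz,xz,zst},zip}` brace expansion are bash features, but automake runs recipes under `$(SHELL)`, normally `/bin/sh`; under dash the `shopt` fails, the braces reach `sha256sum` literally, and because the pipeline's status is `tee`'s the dist still succeeds with an empty `$(distdir).sha256.txt`. Either set `SHELL = /bin/bash` for this fragment (or check for bash in configure) or spell the patterns out without braces, and consider writing to a temporary file and `cat`-ing it only on success so a failed `sha256sum` actually fails `make dist`. The `am__post_remove_distdir` assignment hooks an automake-internal variable, which the comment on that line should flag as tied to the automake version. Minor: "attatched" in the first comment line.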
3 changes: 2 additions & 1 deletion configure.ac
Expand Up @@ -28,9 +28,10 @@ AC_ARG_WITH([standalone],
],
[])

# These three macros must be run after processing our standalone setup because
# These macros must be run after processing our standalone setup because
# they all expect the program name transformation setup to be complete.
AX_GIT_VERSION
AX_DIST_CHECKSUMS
AX_SHELL_COMPLETION_DIRS
AX_TRANSFORM_PACKAGE_NAME

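Review bot: the comment change from "These three macros" to "These macros" is correct, but the stated reason ("they all expect the program name transformation setup to be complete") no longer holds for every entry: `AX_DIST_CHECKSUMS`, as defined in the new m4 file, only probes for `sha256sum` and `tee` and has no such dependency. Either move it next to the other program checks or amend the comment so a future reader does not infer an ordering constraint that does not exist.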

0 comments on commit 61aac7d