Generate checksums for release artifacts in CI

One of the major complains surrounding the recent XZ fiasco is that auto-tools generated source files include so much obtuse code that they are difficult to audit. Also it isn't immediately apparent what sources they have been generated from. In our case we're generating the source dist files in CI anyway and automatically attaching them to releases, but GH does not make it possible to verify this. They could just as well be reposted later by a malicious maintainer. This is not a magic bullet to fix all that, but it should help. The CI environment can be verified by looking at the workflow file and the other Git sources so we're not using a modified version of autotools or anything like that. Checksums are now being generated after making the distribution tarballs, and *echoed to the output log* so it is possible to verify that the files generated in CI are actually still the ones attached to the release. The checksums file is also posted to the release.
RichiH · Apr 3, 2024 · 285d608 · 285d608
1 parent a46a8b9
commit 285d608
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 2 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -43,6 +43,7 @@ jobs:
           files: |
             vcsh-${{ env.VERSION }}.tar.zst
             vcsh-${{ env.VERSION }}.zip
+            vcsh-${{ env.VERSION }}.sha256.txt
 
   deploy-standalone:
     runs-on: ubuntu-latest
@@ -56,9 +57,11 @@ jobs:
           ./bootstrap.sh
           ./configure --with-standalone --bindir=/
           make DESTDIR=. install-exec
+          sha256sum vcsh-standalone.sh | tee vcsh-standalone.sha256.txt
       - name: Add standalone deployment to release
         uses: svenstaro/upload-release-action@v2
         with:
           repo_token: ${{ github.token }}
-          file: vcsh-standalone.sh
           tag: ${{ github.ref }}
+          file_glob: true
+          file: vcsh-standalone.{sh,sha256.txt}
diff --git a/Makefile.am b/Makefile.am
@@ -24,6 +24,7 @@ BUILT_SOURCES =
 CLEANFILES = $(dist_man_MANS) $(bin_SCRIPTS)
 
 include $(top_srcdir)/build-aux/git_version.mk
+include $(top_srcdir)/build-aux/dist_checksums.mk
 include $(top_srcdir)/build-aux/shell_completion_dirs.mk
 
 if !IS_SDIST

diff --git a/build-aux/ax_dist_checksums.m4 b/build-aux/ax_dist_checksums.m4
@@ -0,0 +1,6 @@
+AC_DEFUN([AX_DIST_CHECKSUMS], [
+
+        AX_PROGVAR([sha256sum])
+        AX_PROGVAR([tee])
+
+])
diff --git a/build-aux/dist_checksums.mk b/build-aux/dist_checksums.mk
@@ -0,0 +1,10 @@
+# Prepend to function that runs after compressing dist archives
+am__post_remove_distdir = $(checksum_dist); $(am__post_remove_distdir )
+
+# Output both a file that can be attatched to releases and also write STDOUT
+# for the sake of CI build logs so they can be audited as matching what is
+# eventually posted.
+checksum_dist = \
+	$(SHA256SUM) --ignore-missing $(distdir).{tar.{gz,bz2,lz,xz,zst},zip} |\
+		$(TEE) $(distdir).sha256.txt
+
diff --git a/configure.ac b/configure.ac
@@ -28,9 +28,10 @@ AC_ARG_WITH([standalone],
             ],
             [])
 
-# These three macros must be run after processing our standalone setup because
+# These macros must be run after processing our standalone setup because
 # they all expect the program name transformation setup to be complete.
 AX_GIT_VERSION
+AX_DIST_CHECKSUMS
 AX_SHELL_COMPLETION_DIRS
 AX_TRANSFORM_PACKAGE_NAME