On 11/13/25 11:04, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
Whenever a release is made, create a directory with the release files to be used for an update. After its SHA256SUMS file is signed, the file is ready to be uploaded to a webserver for users to update from.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
 release.nix        |  2 ++
 release/update.nix | 30 ++++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)
diff --git a/release.nix b/release.nix index a4fe66ee5925aeee3a1f5f1fac249c595cee0885..704abb39a3d01152eac3dfe313066834c3cd0a66 100644 --- a/release.nix +++ b/release.nix @@ -8,5 +8,7 @@ import lib/call-package.nix ({ callSpectrumPackage }: {
checks = callSpectrumPackage release/checks {};
+ updates = callSpectrumPackage release/update.nix {}; +
Should this just be called "update" (singular)?
Sure!
combined = callSpectrumPackage release/combined/run-vm.nix {}; }) (_: {}) diff --git a/release/update.nix b/release/update.nix new file mode 100644 index 0000000000000000000000000000000000000000..ec51eb12d33030255b7b4a7e74e14416f1f0659d --- /dev/null +++ b/release/update.nix @@ -0,0 +1,30 @@ +# SPDX-License-Identifier: MIT +# SPDX-FileCopyrightText: 2021-2024 Alyssa Ross <hi@alyssa.is> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> + +import ../lib/call-package.nix ( +{ callSpectrumPackage, config, efi +, runCommand, stdenv, rootfs +}: + +runCommand "spectrum-update-directory" { + __structuredAttrs = true; + unsafeDiscardReferences = { out = true; }; + dontFixup = true; + env = { + VERSION = config.version; + ROOTHASH = "${rootfs}/rootfs.verity.roothash"; + VERITY = "${rootfs}/rootfs.verity.superblock"; + ROOT_FS = "${rootfs}/rootfs"; + EFI = efi; + };
I'd just inline these as string interpolations rather than passing them as environment variables (except maybe VERSION).
In general, this is very bad practice and has caused security vulnerabilities in GitHub Actions. These have even been exploited in the wild. However, this is *not* a vulnerability in this context as the input is trusted and known not to contain shell metacharacters. I mostly wanted to avoid bad habits that are fine in the Nix context, but not in others.
+} '' + read -r roothash < "$ROOTHASH" + mkdir -- "$out" + cp -- "$VERITY" "$out/Spectrum_$VERSION.verity" + cp -- "$ROOT_FS" "$out/Spectrum_$VERSION.root" + cp -- "$EFI" "$out/Spectrum_$VERSION.efi" + cd -- "$out" + sha256sum -b "Spectrum_$VERSION.root" "Spectrum_$VERSION.verity" "Spectrum_$VERSION.efi" > SHA256SUMS + '' +) (_: {})
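Review bot: in the release/update.nix hunk, `read -r roothash < "$ROOTHASH"` reads the verity root hash into `roothash` but nothing after it uses the variable, so the line is dead code and the `ROOTHASH` entry in `env` is unused; either drop both, or write the hash into the output directory (for example as `Spectrum_$VERSION.roothash` next to the `.verity` file and include it in SHA256SUMS) so that whatever consumes the update can check the superblock against it. The argument set `{ callSpectrumPackage, config, efi, runCommand, stdenv, rootfs }` also takes `callSpectrumPackage` and `stdenv`, neither of which the body references; removing them keeps the derivation's inputs honest.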
-- 2.51.2
-- Sincerely, Demi Marie Obenour (she/her/hers)