;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2014 Nikita Karetnikov ;;; Copyright © 2014-2015, 2017-2019, 2021-2022 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; ;;; GNU Guix is free software; you can redistribute it and/or modify it ;;; under the terms of the GNU General Public License as published by ;;; the Free Software Foundation; either version 3 of the License, or (at ;;; your option) any later version. ;;; ;;; GNU Guix is distributed in the hope that it will be useful, but ;;; WITHOUT ANY WARRANTY; without even the implied warranty of ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ;;; GNU General Public License for more details. ;;; ;;; You should have received a copy of the GNU General Public License ;;; along with GNU Guix. If not, see . (define-module (test-substitute) #:use-module (guix scripts substitute) #:use-module (guix narinfo) #:use-module (guix base64) #:use-module (gcrypt hash)
aboutsummaryrefslogtreecommitdiff
path: root/etc/release-manifest.scm
blob: 91471bd03b8a5a457b2a5b4f5bb2ce714861881a (about) (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2020 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

;;; This file returns a manifest containing release-critical bit, for all the
;;; supported architectures and cross-compilation targets.

(use-modules (gnu packages)
             (guix packages)
             (guix profiles)
             ((gnu ci) #:select (%cross-targets))
             (guix utils)
             (srfi srfi-1)
             (srfi srfi-26))

(define* (package->manifest-entry* package system
                                   #:key target)
  "Return a manifest entry for PACKAGE on SYSTEM, optionally cross-compiled to
TARGET."
  (manifest-entry
    (inherit (package->manifest-entry package))
    (name (string-append (package-name package) "." system
                         (if target
                             (string-append "." target)
                             "'")))
    (item (with-parameters ((%current-system system)
                            (%current-target-system target))
            package))))

(define %base-packages
  ;; Packages that must be substitutable on all the platforms Guix supports.
  (map specification->package
       '("bootstrap-tarballs" "gcc-toolchain" "nss-certs"
         "openssh" "emacs" "vim" "python" "guile" "guix")))

(define %system-packages
  ;; Key packages proposed by the Guix System installer.
  (map specification->package
       '("xorg-server" "xfce" "gnome" "mate" "enlightenment"
         "openbox" "awesome" "i3-wm" "ratpoison"
         "xlockmore" "slock" "libreoffice"
         "connman" "network-manager" "network-manager-applet"
         "openssh" "ntp" "tor"
         "linux-libre" "grub-hybrid"
         ;; FIXME: Add IceCat when Rust is available on i686.
         ;;"icecat"
         )))

(define %packages-to-cross-build
  ;; Packages that must be cross-buildable from x86_64-linux.
  ;; FIXME: Add (@ (gnu packages gcc) gcc) when <https://bugs.gnu.org/40463>
  ;; is fixed.
  (append (list (@ (gnu packages guile) guile-2.2/fixed))
          (map specification->package
               '("coreutils" "grep" "sed" "findutils" "diffutils" "patch"
                 "gawk" "gettext" "gzip" "xz"
                 "hello" "zlib"))))

(define %packages-to-cross-build-for-mingw
  ;; Many things don't build for MinGW.  Restrict to what's known to work.
  (map specification->package '("hello")))

(define %cross-bootstrap-targets
  ;; Cross-compilation triplets for which 'bootstrap-tarballs' must be
  ;; buildable.
  '("i586-pc-gnu"
    "arm-linux-gnueabihf"
    "aarch64-linux-gnu"))


;;;
;;; Manifests.
;;;

(define %base-manifest
  (manifest
   (append-map (lambda (system)
                 (map (cut package->manifest-entry* <> system)
                      %base-packages))
               %hydra-supported-systems)))

(define %cross-manifest
  (manifest
   (append-map (lambda (target)
                 (map (cut package->manifest-entry* <> "x86_64-linux"
                           #:target target)
                      (if (target-mingw? target)
                          %packages-to-cross-build-for-mingw
                          %packages-to-cross-build)))
               ;; XXX: Important bits like libsigsegv and libffi don't support
               ;; RISCV at the moment, so don't require RISCV support.
               (delete "riscv64-linux-gnu" %cross-targets))))

(define %cross-bootstrap-manifest
  (manifest
   (map (lambda (target)
          (package->manifest-entry*
           (specification->package "bootstrap-tarballs")
           "x86_64-linux" #:target target))
        %cross-bootstrap-targets)))

;; Return the union of all three manifests.
(concatenate-manifests (list %base-manifest
                             %cross-manifest
                             %cross-bootstrap-manifest))
generated by cgit
uery"))))))))) (test-equal "query narinfo signed with authorized key" (string-append (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo") (with-narinfo (string-append %narinfo "Signature: " (signature-field %narinfo) "\n") (string-trim-both (with-output-to-string (lambda () (with-input-from-string (string-append "have " (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo") (lambda () (guix-substitute "--query")))))))) (test-equal "query narinfo signed with unauthorized key" "" ; not substitutable (with-narinfo (string-append %narinfo "Signature: " (signature-field %narinfo #:public-key %wrong-public-key) "\n") (string-trim-both (with-output-to-string (lambda () (with-input-from-string (string-append "have " (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo") (lambda () (guix-substitute "--query")))))))) (test-quit "substitute, no signature" "no valid substitute" (with-narinfo %narinfo (with-input-from-string (string-append "substitute " (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo" " foo\n") (lambda () (guix-substitute "--substitute"))))) (test-quit "substitute, invalid narinfo hash" "no valid substitute" ;; The hash in the signature differs from the hash of %NARINFO. (with-narinfo (string-append %narinfo "Signature: " (signature-field "different body") "\n") (with-input-from-string (string-append "substitute " (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo" " foo\n") (lambda () (guix-substitute "--substitute"))))) (test-equal "substitute, invalid hash" (string-append "hash-mismatch sha256 " (bytevector->nix-base32-string (sha256 #vu8())) " " (let-values (((port get-hash) (open-hash-port (hash-algorithm sha256))) ((content) "Substitutable data.")) (write-file-tree "foo" port #:file-type+size (lambda _ (values 'regular (string-length content))) #:file-port (lambda _ (open-input-string content))) (close-port port) (bytevector->nix-base32-string (get-hash))) "\n") ;; Arrange so the actual data hash does not match the 'NarHash' field in the ;; narinfo. (with-output-to-string (lambda () (let ((narinfo (string-append "StorePath: " (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-wrong-hash URL: example.nar Compression: none NarHash: sha256:" (bytevector->nix-base32-string (sha256 #vu8())) " NarSize: 42 References: Deriver: " (%store-prefix) "/foo.drv System: mips64el-linux\n"))) (with-narinfo (string-append narinfo "Signature: " (signature-field narinfo) "\n") (call-with-temporary-directory (lambda (directory) (with-input-from-string (string-append "substitute " (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-wrong-hash " directory "/wrong-hash\n") (lambda () (guix-substitute "--substitute")))))))))) (test-quit "substitute, unauthorized key" "no valid substitute" (with-narinfo (string-append %narinfo "Signature: " (signature-field %narinfo #:public-key %wrong-public-key) "\n") (with-input-from-string (string-append "substitute " (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo" " foo\n") (lambda () (guix-substitute "--substitute"))))) (test-equal "substitute, authorized key" '("Substitutable data." 1 #o444) (with-narinfo (string-append %narinfo "Signature: " (signature-field %narinfo)) (dynamic-wind (const #t) (lambda () (request-substitution (string-append (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo") "substitute-retrieved") (list (call-with-input-file "substitute-retrieved" get-string-all) (stat:mtime (lstat "substitute-retrieved")) (stat:perms (lstat "substitute-retrieved")))) (lambda () (false-if-exception (delete-file "substitute-retrieved")))))) (test-equal "substitute, unauthorized narinfo comes first" "Substitutable data." (with-narinfo* (string-append %narinfo "Signature: " (signature-field %narinfo #:public-key %wrong-public-key)) %alternate-substitute-directory (with-narinfo* (string-append %narinfo "Signature: " (signature-field %narinfo)) %main-substitute-directory (dynamic-wind (const #t) (lambda () ;; Remove this file so that the substitute can only be retrieved ;; from %ALTERNATE-SUBSTITUTE-DIRECTORY. (delete-file (string-append %main-substitute-directory "/example.nar")) (parameterize ((substitute-urls (map (cut string-append "file://" <>) (list %alternate-substitute-directory %main-substitute-directory)))) (request-substitution (string-append (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo") "substitute-retrieved")) (call-with-input-file "substitute-retrieved" get-string-all)) (lambda () (false-if-exception (delete-file "substitute-retrieved"))))))) (test-equal "substitute, unsigned narinfo comes first" "Substitutable data." (with-narinfo* %narinfo ;not signed! %alternate-substitute-directory (with-narinfo* (string-append %narinfo "Signature: " (signature-field %narinfo)) %main-substitute-directory (dynamic-wind (const #t) (lambda () ;; Remove this file so that the substitute can only be retrieved ;; from %ALTERNATE-SUBSTITUTE-DIRECTORY. (delete-file (string-append %main-substitute-directory "/example.nar")) (parameterize ((substitute-urls (map (cut string-append "file://" <>) (list %alternate-substitute-directory %main-substitute-directory)))) (request-substitution (string-append (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo") "substitute-retrieved")) (call-with-input-file "substitute-retrieved" get-string-all)) (lambda () (false-if-exception (delete-file "substitute-retrieved"))))))) (test-equal "substitute, first narinfo is unsigned and has wrong hash" "Substitutable data." (with-narinfo* (regexp-substitute #f (string-match "NarHash: [[:graph:]]+" %narinfo) 'pre "NarHash: sha256:" (bytevector->nix-base32-string (make-bytevector 32)) 'post) %alternate-substitute-directory (with-narinfo* (string-append %narinfo "Signature: " (signature-field %narinfo)) %main-substitute-directory (dynamic-wind (const #t) (lambda () ;; This time remove the file so that the substitute can only be ;; retrieved from %MAIN-SUBSTITUTE-DIRECTORY. (delete-file (string-append %alternate-substitute-directory "/example.nar")) (parameterize ((substitute-urls (map (cut string-append "file://" <>) (list %alternate-substitute-directory %main-substitute-directory)))) (request-substitution (string-append (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo") "substitute-retrieved")) (call-with-input-file "substitute-retrieved" get-string-all)) (lambda () (false-if-exception (delete-file "substitute-retrieved"))))))) (test-equal "substitute, first narinfo is unsigned and has wrong refs" "Substitutable data." (with-narinfo* (regexp-substitute #f (string-match "References: ([^\n]+)\n" %narinfo) 'pre "References: " 1 " wrong set of references\n" 'post) %alternate-substitute-directory (with-narinfo* (string-append %narinfo "Signature: " (signature-field %narinfo)) %main-substitute-directory (dynamic-wind (const #t) (lambda () ;; This time remove the file so that the substitute can only be ;; retrieved from %MAIN-SUBSTITUTE-DIRECTORY. (delete-file (string-append %alternate-substitute-directory "/example.nar")) (parameterize ((substitute-urls (map (cut string-append "file://" <>) (list %alternate-substitute-directory %main-substitute-directory)))) (request-substitution (string-append (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo") "substitute-retrieved")) (call-with-input-file "substitute-retrieved" get-string-all)) (lambda () (false-if-exception (delete-file "substitute-retrieved"))))))) (test-quit "substitute, two invalid narinfos" "no valid substitute" (with-narinfo* %narinfo ;not signed %alternate-substitute-directory (with-narinfo* (string-append %narinfo "Signature: " ;unauthorized (signature-field %narinfo #:public-key %wrong-public-key)) %main-substitute-directory (with-input-from-string (string-append "substitute " (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo" " substitute-retrieved\n") (lambda () (guix-substitute "--substitute")))))) (test-equal "substitute, narinfo with several URLs" "Substitutable data." (let ((narinfo (string-append "StorePath: " (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo URL: example.nar.gz Compression: gzip URL: example.nar.lz Compression: lzip URL: example.nar Compression: none NarHash: sha256:" (bytevector->nix-base32-string (sha256 (string->utf8 "Substitutable data."))) " NarSize: 42 References: bar baz Deriver: " (%store-prefix) "/foo.drv System: mips64el-linux\n"))) (with-narinfo (string-append narinfo "Signature: " (signature-field narinfo)) (dynamic-wind (const #t) (lambda () (define (compress input output compression) (call-with-output-file output (lambda (port) (call-with-compressed-output-port compression port (lambda (port) (call-with-input-file input (lambda (input) (dump-port input port)))))))) (let ((nar (string-append %main-substitute-directory "/example.nar"))) (compress nar (string-append nar ".gz") 'gzip) (compress nar (string-append nar ".lz") 'lzip)) (parameterize ((substitute-urls (list (string-append "file://" %main-substitute-directory)))) (request-substitution (string-append (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo") "substitute-retrieved")) (call-with-input-file "substitute-retrieved" get-string-all)) (lambda () (false-if-exception (delete-file "substitute-retrieved"))))))) (test-end "substitute") ;;; Local Variables: ;;; eval: (put 'with-narinfo 'scheme-indent-function 1) ;;; eval: (put 'with-narinfo* 'scheme-indent-function 2) ;;; eval: (put 'test-quit 'scheme-indent-function 2) ;;; End: