bisq2: init at 2.1.2 #347160
Merged
+173
−0
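--- /dev/null
+++ b/pkgs/by-name/bi/bisq2/package.nix
@@ -0,0 +1,169 @@
+{
+stdenvNoCC,
+lib,
+makeWrapper,
+runtimeShell,
+fetchurl,
+makeDesktopItem,
+copyDesktopItems,
+imagemagick,
+openjdk,
+dpkg,
+writeScript,
+bash,
+tor,
+zip,
+gnupg,
+}:
+
+let
+version = "2.1.2";
+
+bisq-launcher =
+args:
+writeScript "bisq-launcher" ''
+#! ${runtimeShell}
+
+# This is just a comment to convince Nix that Tor is a
+# runtime dependency; The Tor binary is in a *.jar file,
+# whereas Nix only scans for hashes in uncompressed text.
+# ${lib.getExe' tor "tor"}
+
+rm -fR $HOME/.local/share/Bisq2/tor
+
+exec "${lib.getExe openjdk}" -Djpackage.app-version=@version@ -classpath @out@/lib/app/desktop-app-launcher.jar:@out@/lib/app/* ${args} bisq.desktop_app_launcher.DesktopAppLauncher "$@"
+'';
+
+# A given release will be signed by either Alejandro Garcia or Henrik Jannsen
+# as indicated in the file
+# https://github.com/bisq-network/bisq2/releases/download/v${version}/signingkey.asc
+publicKey =
+{
+"E222AA02" = fetchurl {
+url = "https://github.com/bisq-network/bisq2/releases/download/v${version}/E222AA02.asc";
+sha256 = "sha256-31uBpe/+0QQwFyAsoCt1TUWRm0PHfCFOGOx1M16efoE=";
+};
+
+"387C8307" = fetchurl {
+url = "https://github.com/bisq-network/bisq2/releases/download/v${version}/387C8307.asc";
+sha256 = "sha256-PrRYZLT0xv82dUscOBgQGKNf6zwzWUDhriAffZbNpmI=";
+};
+}
+."387C8307";
+in
+stdenvNoCC.mkDerivation rec {
+inherit version;
+
+pname = "bisq2";
+
+src = fetchurl {
+url = "https://github.com/bisq-network/bisq2/releases/download/v${version}/Bisq-${version}.deb";
+sha256 = "0zgv70xlz3c9mrwmiaa1dgagbc441ppk2vrkgard8zjrvk8rg7va";
+
+# Verify the upstream Debian package prior to extraction.
+# See https://bisq.wiki/Bisq_2#Installation
+# This ensures that a successful build of this Nix package requires the Debian
+# package to pass verification.
+nativeBuildInputs = [ gnupg ];
+downloadToTemp = true;
+
+postFetch = ''
+pushd $(mktemp -d)
+export GNUPGHOME=./gnupg
+mkdir -m 700 -p $GNUPGHOME
+ln -s $downloadedFile ./Bisq-${version}.deb
+ln -s ${signature} ./signature.asc
+gpg --import ${publicKey}
+gpg --batch --verify signature.asc Bisq-${version}.deb
+popd
+mv $downloadedFile $out
+'';
+};
+
+signature = fetchurl {
+url = "https://github.com/bisq-network/bisq2/releases/download/v${version}/Bisq-${version}.deb.asc";
+sha256 = "sha256-WZhI8RDmb7nQqpCQJM86vrp8qQNg+mvRVdSPcDqgzxE=";
+};
+
+nativeBuildInputs = [
+copyDesktopItems
+dpkg
+imagemagick
+makeWrapper
+zip
+gnupg
+makeWrapper
+];
+
+desktopItems = [
+(makeDesktopItem {
+name = "bisq2";
+exec = "bisq2";
+icon = "bisq2";
+desktopName = "Bisq 2";
+genericName = "Decentralized bitcoin exchange";
+categories = [
+"Network"
+"P2P"
+];
+})
+
+(makeDesktopItem {
+name = "bisq2-hidpi";
+exec = "bisq2-hidpi";
+icon = "bisq2";
+desktopName = "Bisq 2 (HiDPI)";
+genericName = "Decentralized bitcoin exchange";
+categories = [
+"Network"
+"P2P"
+];
+})
+];
+
+unpackPhase = ''
+dpkg -x $src .
+'';
+
+buildPhase = ''
+# Replace the Tor binary embedded in tor.jar (which is in the zip archive tor.zip)
+# with the Tor binary from Nixpkgs.
+
+makeWrapper ${lib.getExe' tor "tor"} ./tor
+zip tor.zip ./tor
+zip opt/bisq2/lib/app/tor.jar tor.zip
+'';
+
+installPhase = ''
+runHook preInstall
+
+mkdir -p $out/lib $out/bin
+cp -r opt/bisq2/lib/app $out/lib
+
+install -D -m 777 ${bisq-launcher ""} $out/bin/bisq2
+substituteAllInPlace $out/bin/bisq2
+
+install -D -m 777 ${bisq-launcher "-Dglass.gtk.uiScale=2.0"} $out/bin/bisq2-hidpi
+substituteAllInPlace $out/bin/bisq2-hidpi
+
+for n in 16 24 32 48 64 96 128 256; do
+size=$n"x"$n
+magick convert opt/bisq2/lib/Bisq2.png -resize $size bisq2.png
+install -Dm644 -t $out/share/icons/hicolor/$size/apps bisq2.png
+done;
+
+runHook postInstall
+'';
+
+meta = with lib; {
+description = "Decentralized bitcoin exchange network";
+homepage = "https://bisq.network";
+mainProgram = "bisq2";
+sourceProvenance = with sourceTypes; [
+binaryBytecode
+];
+license = licenses.mit;
+maintainers = with maintainers; [ emmanuelrosa ];
+platforms = [ "x86_64-linux" ];
+};
+}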
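Review bot: The signature check in `src.postFetch` imports a key that is fetched from the same GitHub release that serves the .deb and its .asc, and all three are pinned only by sha256, so at build time the check proves that the assets are mutually consistent, not that the key belongs to upstream; that assurance has to come from the maintainer checking the key out of band each time the hashes are bumped. The comment above `publicKey` identifies the keys only by 32-bit short IDs (`E222AA02`, `387C8307`), which are not collision-resistant, so record the full fingerprint of the key actually selected and where it was cross-checked, e.g. `# Fingerprint of 387C8307 cross-checked against https://bisq.wiki/Bisq_2#Installation on <date>: <full fingerprint>`, so the next updater can repeat the check rather than trust the release page. The launcher's `rm -fR $HOME/.local/share/Bisq2/tor` deletes user state on every start with `$HOME` unquoted; quote it as `"$HOME"` and add a one-line comment stating why the directory must be wiped (presumably so the Tor wrapper from the patched `tor.jar` is re-extracted — confirm). Separately, both launchers are installed with `-m 777`; the store normalizes permissions anyway, but `-m 755` states the intent, and `makeWrapper` is listed twice in `nativeBuildInputs` while `gnupg` there is unused outside `src.postFetch`.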
This is a good idea, except that when the key expires the build will break and no longer be reproducible.
When I was planning out this package it was my intention to make it reproducible. However, I had not considered the impact of an expiring key.
I performed a test to see what happens when an expired key is used to verify a signature:
The test shows that an expired key does not affect verification.
Now that upstream started adding the keys to the Github release assets, I modified the package to use those. That should also help ensure the builds are reproducible.
Does it factor in that the signing was done before the key expired?
As far as I can tell, there's no way to ensure that a signature was created prior to the key expiring.
GPG does refuse to create a signature using an expired key, but certainly that refusal can be circumvented.
This reveals a weakness in the verification process since there's no way to tell if upstream's deb package was signed with an expired key or not. If I were to modify the package to fail upon detecting an expired key, then it would prevent old versions of the package from building.
Since I have the two public keys in my key ring, I can manually check the expiration dates when updating this package, as a form of mitigation.