commit f5f3394552c4efa46b71e13d1ad3ab171936bd88
parent 661ecb2cf520e25ccdd5e01ac49d8c4884d2d09f
Author: SomberNight <somber.night@protonmail.com>
Date: Mon, 15 Jun 2020 20:01:22 +0200
git sanity: enforce "git checkout commithash" actually pulls commit
If there is a collision between a branch name and a commit hash, git
will choose the branch, even if the full 40-hex-long commit hash is
given. GitHub disallows branches/tags with such a name but git itself
does not. By adding the `^{commit}` syntax sugar after a ref name,
we can tell git that we want the commit hash to be preferred,
and hence we don't need to trust GitHub (only git).
see https://security.stackexchange.com/questions/225411/
Diffstat:
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/contrib/android/Dockerfile b/contrib/android/Dockerfile
@@ -154,7 +154,7 @@ RUN cd /opt \
&& cd buildozer \
&& git remote add sombernight https://github.com/SomberNight/buildozer \
&& git fetch --all \
- && git checkout d0323c165dd5d9aa23d5eb01044474fe006c3420 \
+ && git checkout "d0323c165dd5d9aa23d5eb01044474fe006c3420^{commit}" \
&& python3 -m pip install --user -e .
# install python-for-android
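Review bot: Nothing next to `git checkout "d0323c165dd5d9aa23d5eb01044474fe006c3420^{commit}"` explains why the suffix is there, so a later hash bump could drop it as noise and silently restore the branch-name ambiguity. The RUN instruction starts outside this hunk; a comment above it would do, for example `# pins are checked out as "<hash>^{commit}" so git resolves the commit object, never a branch or tag of the same name`. The same comment is missing above the python-for-android RUN in the next hunk.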
@@ -163,7 +163,7 @@ RUN cd /opt \
&& cd python-for-android \
&& git remote add sombernight https://github.com/SomberNight/python-for-android \
&& git fetch --all \
- && git checkout cef08b92268fe69ef331699c2205cbb091e730f0 \
+ && git checkout "cef08b92268fe69ef331699c2205cbb091e730f0^{commit}" \
&& python3 -m pip install --user -e .
# build env vars
diff --git a/contrib/build-linux/appimage/build.sh b/contrib/build-linux/appimage/build.sh
@@ -71,7 +71,7 @@ info "Building squashfskit"
git clone "https://github.com/squashfskit/squashfskit.git" "$BUILDDIR/squashfskit"
(
cd "$BUILDDIR/squashfskit"
- git checkout "$SQUASHFSKIT_COMMIT"
+ git checkout "${SQUASHFSKIT_COMMIT}^{commit}"
make -C squashfs-tools mksquashfs || fail "Could not build squashfskit"
)
MKSQUASHFS="$BUILDDIR/squashfskit/squashfs-tools/mksquashfs"
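Review bot: The pinned `git checkout "${SQUASHFSKIT_COMMIT}^{commit}"` has no failure handling of its own, while the `make` on the next line ends in `|| fail`. If the script does not run under `set -e` (not visible in this hunk), a checkout that cannot resolve the pin would leave the fresh clone on its default branch, and the build would proceed from unpinned code. Consider `git checkout "${SQUASHFSKIT_COMMIT}^{commit}" || fail "Could not check out pinned squashfskit commit"`. The same applies to the checkout lines in the libusb and PyInstaller hunks of prepare-wine.sh and in make_libsecp256k1.sh.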
diff --git a/contrib/build-wine/prepare-wine.sh b/contrib/build-wine/prepare-wine.sh
@@ -10,11 +10,11 @@ ZBAR_URL=https://sourceforge.net/projects/zbarw/files/$ZBAR_FILENAME/download
ZBAR_SHA256=177e32b272fa76528a3af486b74e9cb356707be1c5ace4ed3fcee9723e2c2c02
LIBUSB_REPO="https://github.com/libusb/libusb.git"
-LIBUSB_COMMIT=e782eeb2514266f6738e242cdcb18e3ae1ed06fa
+LIBUSB_COMMIT="e782eeb2514266f6738e242cdcb18e3ae1ed06fa"
# ^ tag v1.0.23
PYINSTALLER_REPO="https://github.com/SomberNight/pyinstaller.git"
-PYINSTALLER_COMMIT=e934539374e30d1500fcdbe8e4eb0860413935b2
+PYINSTALLER_COMMIT="e934539374e30d1500fcdbe8e4eb0860413935b2"
# ^ tag 3.6, plus a custom commit that fixes cross-compilation with MinGW
PYTHON_VERSION=3.7.7
@@ -88,7 +88,7 @@ info "Compiling libusb..."
git init
git remote add origin $LIBUSB_REPO
git fetch --depth 1 origin $LIBUSB_COMMIT
- git checkout -b pinned FETCH_HEAD
+ git checkout -b pinned "${LIBUSB_COMMIT}^{commit}"
echo "libusb_1_0_la_LDFLAGS += -Wc,-static" >> libusb/Makefile.am
./bootstrap.sh || fail "Could not bootstrap libusb"
host="i686-w64-mingw32"
@@ -119,7 +119,7 @@ info "Building PyInstaller."
git init
git remote add origin $PYINSTALLER_REPO
git fetch --depth 1 origin $PYINSTALLER_COMMIT
- git checkout -b pinned FETCH_HEAD
+ git checkout -b pinned "${$PYINSTALLER_COMMIT}^{commit}"
rm -fv PyInstaller/bootloader/Windows-*/run*.exe || true
# add reproducible randomness. this ensures we build a different bootloader for each commit.
# if we built the same one for all releases, that might also get anti-virus false positives
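Review bot: The new line `git checkout -b pinned "${$PYINSTALLER_COMMIT}^{commit}"` has a stray `$` inside the braces, which bash rejects as a bad substitution before git is ever invoked, so the pinned PyInstaller commit is never checked out. It should read `git checkout -b pinned "${PYINSTALLER_COMMIT}^{commit}"`, matching the libusb hunk above. The old `FETCH_HEAD` checkout is also gone, so nothing else in this hunk populates the working tree after `git init` and `git fetch`.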
diff --git a/contrib/make_libsecp256k1.sh b/contrib/make_libsecp256k1.sh
@@ -35,7 +35,7 @@ info "Building $pkgname..."
fi
git reset --hard
git clean -f -x -q
- git checkout $LIBSECP_VERSION
+ git checkout "${LIBSECP_VERSION}^{commit}"
if ! [ -x configure ] ; then
echo "libsecp256k1_la_LDFLAGS = -no-undefined" >> Makefile.am