bisq2: init at 2.1.2 #347160

Merged (1 commit), Oct 31, 2024
169 changes: 169 additions & 0 deletions pkgs/by-name/bi/bisq/package.nix
@@ -0,0 +1,169 @@
{
stdenvNoCC,
lib,
makeWrapper,
runtimeShell,
fetchurl,
makeDesktopItem,
copyDesktopItems,
imagemagick,
openjdk,
dpkg,
writeScript,
bash,
tor,
zip,
gnupg,
}:

let
version = "2.1.2";

bisq-launcher =
args:
writeScript "bisq-launcher" ''
#! ${runtimeShell}

# This is just a comment to convince Nix that Tor is a
# runtime dependency; The Tor binary is in a *.jar file,
# whereas Nix only scans for hashes in uncompressed text.
# ${lib.getExe' tor "tor"}

rm -fR $HOME/.local/share/Bisq2/tor

exec "${lib.getExe openjdk}" -Djpackage.app-version=@version@ -classpath @out@/lib/app/desktop-app-launcher.jar:@out@/lib/app/* ${args} bisq.desktop_app_launcher.DesktopAppLauncher "$@"
'';

# A given release will be signed by either Alejandro Garcia or Henrik Jannsen
# as indicated in the file
# https://github.com/bisq-network/bisq2/releases/download/v${version}/signingkey.asc
publicKey =
{
"E222AA02" = fetchurl {
url = "https://github.com/bisq-network/bisq2/releases/download/v${version}/E222AA02.asc";
sha256 = "sha256-31uBpe/+0QQwFyAsoCt1TUWRm0PHfCFOGOx1M16efoE=";
};

"387C8307" = fetchurl {
url = "https://github.com/bisq-network/bisq2/releases/download/v${version}/387C8307.asc";
sha256 = "sha256-PrRYZLT0xv82dUscOBgQGKNf6zwzWUDhriAffZbNpmI=";
};
}
."387C8307";
in
stdenvNoCC.mkDerivation rec {
inherit version;

pname = "bisq2";

src = fetchurl {
url = "https://github.com/bisq-network/bisq2/releases/download/v${version}/Bisq-${version}.deb";
sha256 = "0zgv70xlz3c9mrwmiaa1dgagbc441ppk2vrkgard8zjrvk8rg7va";

# Verify the upstream Debian package prior to extraction.
# See https://bisq.wiki/Bisq_2#Installation
# This ensures that a successful build of this Nix package requires the Debian
Member:

This is a good idea, except that when the key expires it will break and no longer be reproducible.

Contributor Author:
When I was planning out this package it was my intention to make it reproducible. However, I had not considered the impact of an expiring key.

I performed a test to see what happens when an expired key is used to verify a signature:

❯ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/emmanuel/projects/gpgtest/./gnupg/pubring.kbx
---------------------------------------------------
pub   ed25519 2024-10-28 [SC] [expired: 2024-10-29]
      8A9DE59F1481A17B052F4746C325905B2798233C
uid           [ expired] test <[email protected]>

❯ gpg --verify you-didnt-come-this-far.jpg.sig
gpg: assuming signed data in 'you-didnt-come-this-far.jpg'
gpg: Signature made Mon 28 Oct 2024 04:02:14 PM EDT
gpg:                using EDDSA key 8A9DE59F1481A17B052F4746C325905B2798233C
gpg: Good signature from "test <[email protected]>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 8A9D E59F 1481 A17B 052F  4746 C325 905B 2798 233C

~/projects/gpgtest
❯ echo $?
0

The test shows that an expired key does not affect verification.

Now that upstream started adding the keys to the GitHub release assets, I modified the package to use those. That should also help ensure the builds are reproducible.

Member:
Does it factor in that the signing was done before the key expired?

Contributor Author:
As far as I can tell, there's no way to ensure that a signature was created prior to the key expiring.

GPG does refuse to create a signature using an expired key, but certainly that refusal can be circumvented.

This reveals a weakness in the verification process since there's no way to tell if upstream's deb package was signed with an expired key or not. If I were to modify the package to fail upon detecting an expired key, then it would prevent old versions of the package from building.

Since I have the two public keys in my key ring, I can manually check the expiration dates when updating this package, as a form of mitigation.
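The two comments above test what gpg does with an expired key and conclude that the exit status alone cannot flag it. As an added example for this discussion (not code from the PR, from nixpkgs or from Bisq), the following parses gpg's machine-readable `--status-fd` output, which does tell the cases apart: a live key yields GOODSIG, an expired key yields EXPKEYSIG, and gpg exits 0 in both cases. It also shows the optional comparison of the signature's creation time against the key's expiry, with the caveat the author raises: that timestamp is chosen by the signer, so it is a consistency check, not proof. The status lines, fingerprint and timestamps are constructed for the example (the timestamps mirror the 2024-10-28 signature and 2024-10-29 expiry in the test above).

```python
"""Accept or reject a GnuPG verification from its --status-fd output.

Added example for this discussion; not code from the nixpkgs PR or from Bisq.
`gpg --batch --verify` exits 0 for a good signature whether or not the signing
key has expired (the human-readable output only adds an `[expired]` note).
The machine-readable status lines do tell the cases apart: a live key yields
GOODSIG, an expired key yields EXPKEYSIG, and both carry a VALIDSIG line with
the fingerprint and the signature's (signer-chosen) creation timestamp.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

STATUS_PREFIX = "[GNUPG:] "

# Constructed fingerprint for the examples (not a real key).
TEST_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed status output for the two cases tested in the thread. Timestamps
# mirror that test: signed 2024-10-28 20:02:14 UTC, key expires 2024-10-29 00:00 UTC.
# TRUST_UNDEFINED is what a freshly imported key with no ownertrust produces.
STATUS_LIVE_KEY = f"""\
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID 4ZNe7M1RVB8S3ZUtwlfdFG8P7Xg 2024-10-28 1730145734
[GNUPG:] GOODSIG {TEST_FPR[-16:]} test <test@example.invalid>
[GNUPG:] VALIDSIG {TEST_FPR} 2024-10-28 1730145734 0 4 0 22 8 00 {TEST_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

STATUS_EXPIRED_KEY = f"""\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1730160000
[GNUPG:] SIG_ID 4ZNe7M1RVB8S3ZUtwlfdFG8P7Xg 2024-10-28 1730145734
[GNUPG:] EXPKEYSIG {TEST_FPR[-16:]} test <test@example.invalid>
[GNUPG:] VALIDSIG {TEST_FPR} 2024-10-28 1730145734 0 4 0 22 8 00 {TEST_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Same expired key, but the signer-controlled creation time lies after the expiry.
STATUS_SIGNED_AFTER_EXPIRY = STATUS_EXPIRED_KEY.replace(
    "2024-10-28 1730145734", "2024-10-29 1730200000"
)


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str
    fingerprint: Optional[str] = None
    sig_timestamp: Optional[int] = None


def parse_status(status: str) -> Dict[str, List[str]]:
    """Map each `[GNUPG:] KEYWORD args...` keyword to its arguments (first occurrence wins)."""
    fields: Dict[str, List[str]] = {}
    for line in status.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        parts = line[len(STATUS_PREFIX):].split()
        if parts:
            fields.setdefault(parts[0], parts[1:])
    return fields


def evaluate(status: str, pinned_fprs: Set[str], reject_expired: bool = True) -> Verdict:
    """Decide on a verification result; pinning by fingerprint replaces the web of trust.

    reject_expired=True is the strict policy: any EXPKEYSIG fails even though gpg
    exited 0. reject_expired=False accepts an expired key only if the signature's
    creation time precedes the expiry; the signer sets that time, so this is a
    consistency check, not proof of when the signature was really made.
    """
    st = parse_status(status)
    if "VALIDSIG" not in st or any(k in st for k in ("BADSIG", "ERRSIG", "NODATA")):
        return Verdict(False, "no valid signature")
    v = st["VALIDSIG"]
    # VALIDSIG: fpr date timestamp sig-expiry version reserved pkalgo hashalgo class [primary-fpr]
    fpr, sig_time = v[0], int(v[2])
    primary = v[9] if len(v) > 9 else fpr
    if primary not in pinned_fprs and fpr not in pinned_fprs:
        return Verdict(False, f"signed by unpinned key {primary}", fpr, sig_time)
    if "REVKEYSIG" in st:
        return Verdict(False, "signing key is revoked", fpr, sig_time)
    if "EXPKEYSIG" in st:
        if reject_expired:
            return Verdict(False, "signing key has expired (gpg still exited 0)", fpr, sig_time)
        # KEYEXPIRED carries the expiry epoch but also fires for unused expired subkeys,
        # so it is only consulted after EXPKEYSIG has named the signing key as expired.
        expiry = int(st["KEYEXPIRED"][0]) if "KEYEXPIRED" in st else None
        if expiry is not None and sig_time >= expiry:
            return Verdict(False, "signature dated after key expiry", fpr, sig_time)
        return Verdict(True, "expired key; signature dated before expiry (signer-chosen time)", fpr, sig_time)
    if "GOODSIG" not in st:
        return Verdict(False, "VALIDSIG without GOODSIG", fpr, sig_time)
    return Verdict(True, "good signature from pinned key", fpr, sig_time)


def gpg_verify_status(signature: str, data: str, gnupghome: str) -> str:
    """Run gpg as the package's postFetch does, but capture the status lines for `evaluate`.

    Not exercised offline. `--status-fd 1` sends the machine-readable lines to
    stdout while the human-readable text stays on stderr.
    """
    proc = subprocess.run(
        ["gpg", "--homedir", gnupghome, "--batch", "--status-fd", "1", "--verify", signature, data],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout
```

In a fetcher such as the `postFetch` in this PR, the equivalent of `evaluate(gpg_verify_status(...), {pinned fingerprints})` would be `gpg --status-fd 1 ... | grep -q '^\[GNUPG:\] GOODSIG '`: it rejects an expired key at build time, which the expiry discussion above notes would in turn stop old versions of the package from building.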

# package to pass verification.
nativeBuildInputs = [ gnupg ];
downloadToTemp = true;

postFetch = ''
pushd $(mktemp -d)
export GNUPGHOME=./gnupg
mkdir -m 700 -p $GNUPGHOME
ln -s $downloadedFile ./Bisq-${version}.deb
ln -s ${signature} ./signature.asc
gpg --import ${publicKey}
gpg --batch --verify signature.asc Bisq-${version}.deb
popd
mv $downloadedFile $out
'';
};

signature = fetchurl {
url = "https://github.com/bisq-network/bisq2/releases/download/v${version}/Bisq-${version}.deb.asc";
sha256 = "sha256-WZhI8RDmb7nQqpCQJM86vrp8qQNg+mvRVdSPcDqgzxE=";
};

nativeBuildInputs = [
copyDesktopItems
dpkg
imagemagick
makeWrapper
zip
gnupg
makeWrapper
];

desktopItems = [
(makeDesktopItem {
name = "bisq2";
exec = "bisq2";
icon = "bisq2";
desktopName = "Bisq 2";
genericName = "Decentralized bitcoin exchange";
categories = [
"Network"
"P2P"
];
})

(makeDesktopItem {
name = "bisq2-hidpi";
exec = "bisq2-hidpi";
icon = "bisq2";
desktopName = "Bisq 2 (HiDPI)";
genericName = "Decentralized bitcoin exchange";
categories = [
"Network"
"P2P"
];
})
];

unpackPhase = ''
dpkg -x $src .
'';

buildPhase = ''
# Replace the Tor binary embedded in tor.jar (which is in the zip archive tor.zip)
# with the Tor binary from Nixpkgs.

makeWrapper ${lib.getExe' tor "tor"} ./tor
zip tor.zip ./tor
zip opt/bisq2/lib/app/tor.jar tor.zip
'';

installPhase = ''
runHook preInstall

mkdir -p $out/lib $out/bin
cp -r opt/bisq2/lib/app $out/lib

install -D -m 777 ${bisq-launcher ""} $out/bin/bisq2
substituteAllInPlace $out/bin/bisq2

install -D -m 777 ${bisq-launcher "-Dglass.gtk.uiScale=2.0"} $out/bin/bisq2-hidpi
substituteAllInPlace $out/bin/bisq2-hidpi

for n in 16 24 32 48 64 96 128 256; do
size=$n"x"$n
magick convert opt/bisq2/lib/Bisq2.png -resize $size bisq2.png
install -Dm644 -t $out/share/icons/hicolor/$size/apps bisq2.png
done;

runHook postInstall
'';

meta = with lib; {
description = "Decentralized bitcoin exchange network";
homepage = "https://bisq.network";
mainProgram = "bisq2";
sourceProvenance = with sourceTypes; [
binaryBytecode
];
license = licenses.mit;
maintainers = with maintainers; [ emmanuelrosa ];
platforms = [ "x86_64-linux" ];
};
}
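Review bot: the `publicKey` attrset imports only `"387C8307"` although the comment directly above it says a release may be signed by either key, so a release signed by `E222AA02` fails `gpg --batch --verify` until the selector is edited; importing both pinned `.asc` files (`gpg --import` accepts several) would make verification independent of which maintainer signed. Since the keys, the signature and the `.deb` all come from the same GitHub release page, it is the pinned `sha256` of the key files, not the download itself, that anchors trust, so the fingerprints should be cross-checked against `signingkey.asc` or another channel whenever those hashes change. Smaller points in the same hunk: `install -D -m 777` for the two launchers should be `-m 755`; `nativeBuildInputs` lists `makeWrapper` twice and `gnupg` is only needed inside the `src` fetcher; `rm -fR $HOME/.local/share/Bisq2/tor` in the launcher deletes user state on every start and deserves a comment saying it forces re-extraction of the wrapped Tor; `unpackPhase` and `buildPhase` omit the `runHook pre*/post*` calls that `installPhase` has; and `src` uses a base32 `sha256` while the other fetchers use SRI hashes.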
4 changes: 4 additions & 0 deletions pkgs/top-level/all-packages.nix
Expand Up @@ -3300,6 +3300,10 @@ with pkgs;

bisq-desktop = callPackage ../applications/blockchains/bisq-desktop { };

bisq2 = callPackage ../by-name/bi/bisq/package.nix {
openjdk = jdk22.override { enableJavaFX = true; };
};

bic = callPackage ../development/interpreters/bic { };

biscuit-cli = callPackage ../tools/security/biscuit-cli { };
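Review bot: the attribute is `bisq2` (and the new file sets `pname = "bisq2"`) but the path is `../by-name/bi/bisq/package.nix`; the `pkgs/by-name` layout keys the directory on the attribute name, so the file should live at `pkgs/by-name/bi/bisq2/package.nix`. The explicit `callPackage` here is only justified by the `openjdk` override; consider taking `jdk22` as an argument of `package.nix` and applying `.override { enableJavaFX = true; }` there, so the by-name auto-call suffices and this entry can go.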