Generate checksums for release artifacts in CI

One of the major complains surrounding the recent XZ fiasco is that
auto-tools generated source files include so much obtuse code that they
are difficult to audit. Also it isn't immediately apparent what sources
they have been generated from. In our case we're generating the source
dist files in CI anyway and automatically attaching them to releases,
but GH does not make it possible to verify this. They could just as well
be reposted later by a malicious maintainer.

This is not a magic bullet to fix all that, but it should help. The CI
environment can be verified by looking at the workflow file and the
other Git sources so we're not using a modified version of autotools or
anything like that. Checksums are now being generated after making the
distribution tarballs, and *echoed to the output log* so it is possible
to verify that the files generated in CI are actually still the ones
attached to the release. The checksums file is also posted to the
release.

Author: alerque

.github/workflows/build.yml

@@ -20,6 +20,7 @@ jobs:
           ./configure --with-standalone --bindir=/
           make DESTDIR=. install-exec
           echo VERSION=$(cat .version) >> $GITHUB_ENV
+          sha256sum vcsh-standalone.sh
       - name: Post standalone script artifact
         uses: actions/upload-artifact@v4
         with:

.github/workflows/release.yml

@@ -43,6 +43,7 @@ jobs:
           files: |
             vcsh-${{ env.VERSION }}.tar.zst
             vcsh-${{ env.VERSION }}.zip
+            vcsh-${{ env.VERSION }}.sha256.txt
 
   deploy-standalone:
     runs-on: ubuntu-latest
@@ -56,9 +57,11 @@ jobs:
           ./bootstrap.sh
           ./configure --with-standalone --bindir=/
           make DESTDIR=. install-exec
+          sha256sum vcsh-standalone.sh | tee vcsh-standalone.sha256.txt
       - name: Add standalone deployment to release
         uses: svenstaro/upload-release-action@v2
         with:
           repo_token: ${{ github.token }}
-          file: vcsh-standalone.sh
           tag: ${{ github.ref }}
+          file_glob: true
+          file: vcsh-standalone.{sh,sha256.txt}

Makefile.am

@@ -24,6 +24,7 @@ BUILT_SOURCES =
 CLEANFILES = $(dist_man_MANS) $(bin_SCRIPTS)
 
 include $(top_srcdir)/build-aux/git_version.mk
+include $(top_srcdir)/build-aux/dist_checksums.mk
 include $(top_srcdir)/build-aux/shell_completion_dirs.mk
 
 if !IS_SDIST

build-aux/ax_dist_checksums.m4

@@ -0,0 +1,6 @@
+AC_DEFUN([AX_DIST_CHECKSUMS], [
+
+        AX_PROGVAR([sha256sum])
+        AX_PROGVAR([tee])
+
+])

build-aux/dist_checksums.mk

@@ -0,0 +1,13 @@
+# Output both a file that can be attatched to releases and also write STDOUT
+# for the sake of CI build logs so they can be audited as matching what is
+# eventually posted. The list of files checksummed is a glob (even though we
+# know an exact pattern) to avoid errors for formats not generated.
+checksum_dist = \
+	shopt -s nullglob ; \
+	$(SHA256SUM) $(distdir)*.{tar.{gz,bz2,lz,xz,zst},zip} |\
+		$(TEE) $(distdir).sha256.txt
+
+CLEANFILES += $(distdir).sha256.txt
+
+# Append checksum operation to function that runs after compressing dist archives
+am__post_remove_distdir = $(am__remove_distdir); $(checksum_dist)

configure.ac

@@ -28,9 +28,10 @@ AC_ARG_WITH([standalone],
             ],
             [])
 
-# These three macros must be run after processing our standalone setup because
+# These macros must be run after processing our standalone setup because
 # they all expect the program name transformation setup to be complete.
 AX_GIT_VERSION
+AX_DIST_CHECKSUMS
 AX_SHELL_COMPLETION_DIRS
 AX_TRANSFORM_PACKAGE_NAME