refactor(signer): Rework tagging (#234)

Dockerfile

@@ -84,17 +84,10 @@ FROM builder AS build-signer
 COPY src src
 COPY dfx.json dfx.json
 COPY canister_ids.json canister_ids.json
-COPY scripts/build.signer.sh scripts/build.signer.args.sh scripts/
-COPY target/commit target/commit
+COPY scripts/build.signer.sh scripts/build.signer.args.sh scripts/build.signer.report.sh scripts/
+COPY target/commit target/tags target/
 RUN touch src/*/src/*.rs
 RUN dfx build --ic signer
-RUN cp out/signer.wasm.gz out/signer.args.did out/signer.args.bin out/signer.did /
-RUN cp target/commit commit
-RUN sha256sum /signer.wasm.gz /signer.args.did /signer.args.bin signer.did
 
 FROM scratch AS signer
-COPY --from=build-signer /signer.wasm.gz /
-COPY --from=build-signer /signer.args.did /
-COPY --from=build-signer /signer.args.bin /
-COPY --from=build-signer /signer.did /
-COPY --from=build-signer /commit /
+COPY --from=build-signer out/ /

dfx.json

@@ -11,8 +11,15 @@
 					"name": "candid:service"
 				},
 				{
-					"name": "git_commit_id",
+					"name": "candid:args"
+				},
+				{
+					"name": "git:commit",
 					"path": "target/commit"
+				},
+				{
+					"name": "git:tags",
+					"path": "target/tags.semver"
 				}
 			],
 			"specified_id": "grghe-syaaa-aaaar-qabyq-cai",

scripts/build.signer.args.sh

@@ -63,8 +63,9 @@ cat <<EOF >"$ARG_FILE"
 EOF
 
 # ... Also create the binary file, for use in proposals
+ARG_HEX="${ARG_FILE%.did}.hex"
 ARG_BIN="${ARG_FILE%.did}.bin"
-didc encode "$(cat "$ARG_FILE")" | xxd -r -p >"$ARG_BIN"
+didc encode "$(cat "$ARG_FILE")" | tee "$ARG_HEX" | xxd -r -p >"$ARG_BIN"
 
 ####
 # Success

scripts/build.signer.report.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Hash the files:
+sha256sum out/signer* >out/filelist.txt
+# Get the metadata keys:
+ic-wasm <(gunzip <./out/signer.wasm.gz) metadata >out/metadata_keys.txt
+# Write a report
+{
+  printf "\nAssets:\n"
+  cat out/filelist.txt
+  printf "\nMetadata keys:\n"
+  cat out/metadata_keys.txt
+  printf "%s\n" "" "To see metadata, use ic-wasm.  For example, to see the git tags:" " ic-wasm <(gunzip < ./out/signer.wasm.gz) metadata git:tags" ""
+} | tee out/report.txt

scripts/build.signer.sh

@@ -21,22 +21,34 @@ print_help() {
 DFX_NETWORK="${DFX_NETWORK:-local}"
 
 CANDID_FILE="$(jq -r .canisters.signer.candid dfx.json)"
+ARGS_FILE="$(jq -r .canisters.signer.init_arg_file dfx.json)"
 WASM_FILE="$(jq -r .canisters.signer.wasm dfx.json)"
-ARG_FILE="$(jq -r .canisters.signer.init_arg_file dfx.json)"
 BUILD_DIR="target/wasm32-unknown-unknown/release"
 COMMIT_FILE="target/commit"
+TAGS_FILE="target/tags"
 
 ####
-# Builds the Wasm without metadata
-cargo build --locked --target wasm32-unknown-unknown --release -p signer
+# Computes the install args, overwriting any existing args file.
+./scripts/build.signer.args.sh
+
+####
+# Adds the candid file to the output directory
+cp src/signer/canister/signer.did out/
 
 ####
 # Gets commit and tag information, if available.
+mkdir -p target
 if test -d .git; then
-  scripts/commit-metadata >"$COMMIT_FILE"
+  scripts/commit-metadata
 else
-  touch "$COMMIT_FILE"
+  touch "$COMMIT_FILE" "$TAGS_FILE"
 fi
+# Keep just the tags with semantic versions
+grep -E '^v[0-9]' "$TAGS_FILE" >"${TAGS_FILE}.semver" || true # No match is fine.
+
+####
+# Builds the Wasm without metadata
+cargo build --locked --target wasm32-unknown-unknown --release -p signer
 
 ####
 # Builds the candid file
@@ -51,27 +63,16 @@ ic-wasm \
   shrink
 
 # adds the content of $canister.did to the `icp:public candid:service` custom section of the public metadata in the wasm
-ic-wasm "$BUILD_DIR/signer.optimized.wasm" -o "$BUILD_DIR/signer.candid.wasm" metadata candid:service -f "$CANDID_FILE" -v public
-ic-wasm "$BUILD_DIR/signer.candid.wasm" -o "$BUILD_DIR/signer.metadata.wasm" metadata git_commit_id -f "$COMMIT_FILE" -v public
+ic-wasm "$BUILD_DIR/signer.optimized.wasm" -o "$BUILD_DIR/signer.service.wasm" metadata candid:service -f "$CANDID_FILE" -v public
+ic-wasm "$BUILD_DIR/signer.service.wasm" -o "$BUILD_DIR/signer.args.wasm" metadata candid:args -f "$ARGS_FILE" -v public
+ic-wasm "$BUILD_DIR/signer.args.wasm" -o "$BUILD_DIR/signer.commit.wasm" metadata git:commit -f "$COMMIT_FILE" -v public
+ic-wasm "$BUILD_DIR/signer.commit.wasm" -o "$BUILD_DIR/signer.metadata.wasm" metadata git:tags -f "${TAGS_FILE}.semver" -v public
 
 gzip -fn "$BUILD_DIR/signer.metadata.wasm"
 
 mkdir -p "$(dirname "$WASM_FILE")"
 mv "$BUILD_DIR/signer.metadata.wasm.gz" "$WASM_FILE"
 
-####
-# Computes the install args, overwriting any existing args file.
-./scripts/build.signer.args.sh
-
-####
-# Adds the candid file to the output directory
-cp src/signer/canister/signer.did out/
-
 ####
 # Success
-cat <<EOF
-SUCCESS: The signer installation files have been created:
-signer candid:       $(sha256sum "$CANDID_FILE")
-signer Wasm:         $(sha256sum "$WASM_FILE")
-signer install args: $(sha256sum "$ARG_FILE")
-EOF
+scripts/build.signer.report.sh

scripts/commit-metadata

@@ -3,4 +3,5 @@
 
 # The $ in the single quotes is intentional; it matches the end of the file.
 # shellcheck disable=SC2016
-echo "$(git rev-parse HEAD)$(git tag -l --contains HEAD | sed -nE '/^v[0-9]/{s/^/ /g;H};${x;s/\n//g;p}')"
+git rev-parse HEAD >target/commit
+git tag -l --contains HEAD >target/tags

scripts/docker-build

@@ -42,6 +42,8 @@ if [[ "${1:-}" == "--help" ]]; then
   exit 0
 fi
 
+rm -fr "${OUTDIR}"
+
 scripts/docker-build.pre
 
 if DOCKER_BUILDKIT=1 docker build \
@@ -51,7 +53,7 @@ if DOCKER_BUILDKIT=1 docker build \
   -o "$OUTDIR" . \
   "${@+${@}}"; then
   echo "SUCCESS: Docker build has succeeded."
-  scripts/docker-hashes
+  cat out/report.txt
 else
   set +x
   {

scripts/docker-build.pre

@@ -5,4 +5,4 @@
 
 set -euxo pipefail
 mkdir -p target
-scripts/commit-metadata >target/commit
+scripts/commit-metadata

scripts/proposal-template

@@ -25,7 +25,7 @@ cd "$SOURCE_DIR/.."
 export DFX_NETWORK
 
 # If the currently deployed git ref is not specified, get it from the canister metadata.
-test -n "${PROD_REF:-}" || PROD_REF="$(dfx canister metadata signer git_commit_id --network "$DFX_NETWORK" | awk '{print $1}')"
+test -n "${PROD_REF:-}" || PROD_REF="$(dfx canister metadata signer git:commit --network "$DFX_NETWORK")"
 
 RELEASE_GITHUB_URL="$(gh release view "$RELEASE_CANDIDATE_TAG" --json url -q .url)"
 OUTPUT_PROPOSAL="release/PROPOSAL.md"
@@ -79,8 +79,8 @@ $(bash -c "git log --format='%C(auto) %h %s' $(git rev-parse --short "$PROD_REF"
 To build the wasm module yourself and verify its hash, run the following commands from the root of the [Chain Fusion Signer repo](https://github.com/dfinity/chain-fusion-signer):
 
 \`\`\`
-git fetch  # to ensure you have the latest changes.
-git checkout "$(git rev-parse "$RELEASE_CANDIDATE_TAG")"
+git fetch --tags # to ensure you have the latest changes.
+git checkout tags/$RELEASE_CANDIDATE_TAG
 ./scripts/docker-build
 \`\`\`
 

scripts/proposal-template.test.proposal.txt

@@ -84,8 +84,8 @@ The chain fusion signer is a canister that makes the internet computer threshold
 To build the wasm module yourself and verify its hash, run the following commands from the root of the [Chain Fusion Signer repo](https://github.com/dfinity/chain-fusion-signer):
 
 ```
-git fetch  # to ensure you have the latest changes.
-git checkout "e1c36f468c7b78e851332cc7dae0bfce6bc8f886"
+git fetch --tags # to ensure you have the latest changes.
+git checkout tags/v0.2.8
 ./scripts/docker-build
 ```
 

scripts/report

@@ -12,7 +12,10 @@ set -euo pipefail
 }
 
 report_git_ref() {
-  dfx canister metadata signer git_commit_id --network "$DFX_NETWORK"
+  dfx canister metadata signer git:commit --network "$DFX_NETWORK"
+}
+report_git_tag() {
+  dfx canister metadata signer git:tags --network "$DFX_NETWORK"
 }
 report_args() {
   dfx canister call signer config --network "$DFX_NETWORK"
@@ -24,6 +27,7 @@ report() {
   hrule
   echo "network: $DFX_NETWORK"
   echo "git ref: $(report_git_ref)"
+  echo "git tag: $(report_git_tag)"
   echo "args:"
   report_args
   echo