From b462d04a59758e93d639bc4d49a7ce0ff0a0c3b9 Mon Sep 17 00:00:00 2001
From: tobtoht
Date: Thu, 12 Oct 2023 21:50:36 +0200
Subject: [PATCH] guix: fix release archive permissions
thanks to MoneroArbo for submitting their built attestation, which lead to the discovery of this defect
---
 contrib/flatpak/make_flatpak.sh | 12 +++++++-----
 contrib/guix/libexec/build.sh | 6 +++++-
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/contrib/flatpak/make_flatpak.sh b/contrib/flatpak/make_flatpak.sh
index 7e12a3da..72e53e4f 100644
--- a/contrib/flatpak/make_flatpak.sh
+++ b/contrib/flatpak/make_flatpak.sh
@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
-set -ex
+export LC_ALL=C
+set -ex -o pipefail
+export TZ=UTC
 APP_ID="org.featherwallet.Feather"
@@ -17,7 +19,7 @@ mkdir build
 cd build
 mkdir export
-cp -a /feather/contrib/flatpak/share export
+cp -r /feather/contrib/flatpak/share export
 rm -rf export/share/app-info
 # Copy the metadata file
@@ -33,7 +35,7 @@ cp /feather/contrib/depends/x86_64-linux-gnu/bin/startup .
 cp /feather-bin feather
 # Copy metadata
-cp -a /feather/contrib/flatpak/share .
+cp -r /feather/contrib/flatpak/share .
 touch --no-dereference --date="@${SOURCE_DATE_EPOCH}" share/metainfo/${APP_ID}.metainfo.xml
 gzip -c share/metainfo/${APP_ID}.metainfo.xml > share/app-info/xmls/${APP_ID}.xml.gz
@@ -83,10 +85,10 @@ ln -s "/${GUIX_PROFILE}/share/xml" share/xml
 # Setup profile symlink
 ln -s "/${GUIX_PROFILE}" profile
-chmod -R 555 .
-
 cd /tmp-output
+chmod -R 755 .
+
 find . -print0 \
 | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
 find . \
diff --git a/contrib/guix/libexec/build.sh b/contrib/guix/libexec/build.sh
index d535f7c7..fa53f31f 100755
--- a/contrib/guix/libexec/build.sh
+++ b/contrib/guix/libexec/build.sh
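Review bot: The new prologue in make_flatpak.sh pins locale and timezone and adds `pipefail`, but unset variables are still not rejected, and later lines of this patch expand `${SOURCE_DATE_EPOCH}` and `${GUIX_PROFILE}` without a guard. With `GUIX_PROFILE` empty, `ln -s "/${GUIX_PROFILE}" profile` would quietly link to `/` instead of failing the build. Unless both are validated in a part of the script not shown here, add `: "${SOURCE_DATE_EPOCH:?}" "${GUIX_PROFILE:?}"` after the `set` line, or extend it to `set -eux -o pipefail`.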
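Review bot: Replacing `cp -a` with `cp -r` (here and in the `# Copy metadata` hunk at -33) stops carrying over source mode, ownership and timestamps, but the copies now get their mode filtered through the builder's umask, and no `umask` is set in the lines visible in this patch. If any of these files are packed before the later `chmod -R 755 .` in /tmp-output normalises them, add `umask 0022` next to the exports at the top of the script. A comment such as `# -r rather than -a: do not carry checkout mode/owner/mtime into the bundle` would also record why `-a` must not come back.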
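Review bot: `chmod -R 755 .` in the hunk at -83 sets the execute bit on every regular file under /tmp-output, data files included, which is broader than reproducibility needs. `chmod -R u=rwX,go=rX .` would leave directories and already-executable files at 755 and everything else at 644, and stays deterministic as long as the execute bit itself comes from the source tree. Whether the consumer of this tree expects a uniform 755 is not visible here, so confirm before changing. A one-line comment above the chmod (`# normalise modes so the output does not depend on the builder's umask`) would explain why it moved after `cd /tmp-output`.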
@@ -234,7 +234,11 @@ GIT_ARCHIVE="${DIST_ARCHIVE_BASE}/${DISTNAME}.tar.gz"
 if [ ! -e "$GIT_ARCHIVE" ]; then
 mkdir -p "$(dirname "$GIT_ARCHIVE")"
 git rev-parse --short=12 HEAD > githash.txt
- ( git ls-files --recurse-submodules ; echo "githash.txt" ) | cat | tar --transform "s,^,${DISTNAME}/," -caf ${GIT_ARCHIVE} -T-
+ ( git ls-files --recurse-submodules ; echo "githash.txt" ) \
+ | cat \
+ | sort \
+ | tar --create --transform "s,^,${DISTNAME}/," --mode='u+rw,go+r-w,a+X' --files-from=- \
+ | gzip -9n > ${GIT_ARCHIVE}
 sha256sum "$GIT_ARCHIVE"
 fi
--
2.52.0
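Review bot: The added `--mode` normalises permission bits, but the `tar --create` line still records owner, group and mtime from the build environment, so the archive hash can differ between builders unless those are fixed elsewhere in build.sh (not visible in this hunk). Consider adding `--owner=0 --group=0 --numeric-owner --mtime="@${SOURCE_DATE_EPOCH}"`, assuming `SOURCE_DATE_EPOCH` is exported here as it is in make_flatpak.sh. The pipeline now ends in `gzip`, so a failing `git ls-files` or `tar` is caught only if `set -o pipefail` is in effect earlier in the file. Without it, a truncated archive is written and hashed, then reused on the next run because of the `[ ! -e "$GIT_ARCHIVE" ]` guard. The `sort` stage also relies on `LC_ALL=C` being exported for a stable order, and the redirect target should be quoted like the other uses: `| gzip -9n > "${GIT_ARCHIVE}"`.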