git sanity: enforce "git checkout commithash" actually pulls commit

If there is a collision between a branch name and a commit hash, git will choose the branch, even if the full 40-hex-long commit hash is given. GitHub disallows branches/tags with such a name but git itself does not. By adding the `^{commit}` syntax sugar after a ref name, we can tell git that we want the commit hash to be preferred, and hence we don't need to trust GitHub (only git). see https://security.stackexchange.com/questions/225411/
5 years ago · f5f3394552
4 changed files with 8 additions and 8 deletions
--- a/contrib/android/Dockerfile
+++ b/contrib/android/Dockerfile
@ -154,7 +154,7 @@ RUN cd /opt \
    && cd buildozer \
    && git remote add sombernight https://github.com/SomberNight/buildozer \
    && git fetch --all \
-    && git checkout d0323c165dd5d9aa23d5eb01044474fe006c3420 \
+    && git checkout "d0323c165dd5d9aa23d5eb01044474fe006c3420^{commit}" \
    && python3 -m pip install --user -e .
 # install python-for-android
@ -163,7 +163,7 @@ RUN cd /opt \
    && cd python-for-android \
    && git remote add sombernight https://github.com/SomberNight/python-for-android \
    && git fetch --all \
-    && git checkout cef08b92268fe69ef331699c2205cbb091e730f0 \
+    && git checkout "cef08b92268fe69ef331699c2205cbb091e730f0^{commit}" \
    && python3 -m pip install --user -e .
 # build env vars
--- a/contrib/build-linux/appimage/build.sh
+++ b/contrib/build-linux/appimage/build.sh
@ -71,7 +71,7 @@ info "Building squashfskit"
 git clone "https://github.com/squashfskit/squashfskit.git" "$BUILDDIR/squashfskit"
 (
    cd "$BUILDDIR/squashfskit"
-    git checkout "$SQUASHFSKIT_COMMIT"
+    git checkout "${SQUASHFSKIT_COMMIT}^{commit}"
    make -C squashfs-tools mksquashfs || fail "Could not build squashfskit"
 )
 MKSQUASHFS="$BUILDDIR/squashfskit/squashfs-tools/mksquashfs"
--- a/contrib/build-wine/prepare-wine.sh
+++ b/contrib/build-wine/prepare-wine.sh
@ -10,11 +10,11 @@ ZBAR_URL=https://sourceforge.net/projects/zbarw/files/$ZBAR_FILENAME/download
 ZBAR_SHA256=177e32b272fa76528a3af486b74e9cb356707be1c5ace4ed3fcee9723e2c2c02
 LIBUSB_REPO="https://github.com/libusb/libusb.git"
-LIBUSB_COMMIT=e782eeb2514266f6738e242cdcb18e3ae1ed06fa
+LIBUSB_COMMIT="e782eeb2514266f6738e242cdcb18e3ae1ed06fa"
 # ^ tag v1.0.23
 PYINSTALLER_REPO="https://github.com/SomberNight/pyinstaller.git"
-PYINSTALLER_COMMIT=e934539374e30d1500fcdbe8e4eb0860413935b2
+PYINSTALLER_COMMIT="e934539374e30d1500fcdbe8e4eb0860413935b2"
 # ^ tag 3.6, plus a custom commit that fixes cross-compilation with MinGW
 PYTHON_VERSION=3.7.7
@ -88,7 +88,7 @@ info "Compiling libusb..."
    git init
    git remote add origin $LIBUSB_REPO
    git fetch --depth 1 origin $LIBUSB_COMMIT
-    git checkout -b pinned FETCH_HEAD
+    git checkout -b pinned "${LIBUSB_COMMIT}^{commit}"
    echo "libusb_1_0_la_LDFLAGS += -Wc,-static" >> libusb/Makefile.am
    ./bootstrap.sh || fail "Could not bootstrap libusb"
    host="i686-w64-mingw32"
@ -119,7 +119,7 @@ info "Building PyInstaller."
    git init
    git remote add origin $PYINSTALLER_REPO
    git fetch --depth 1 origin $PYINSTALLER_COMMIT
-    git checkout -b pinned FETCH_HEAD
+    git checkout -b pinned "${$PYINSTALLER_COMMIT}^{commit}"
    rm -fv PyInstaller/bootloader/Windows-*/run*.exe || true
    # add reproducible randomness. this ensures we build a different bootloader for each commit.
    # if we built the same one for all releases, that might also get anti-virus false positives
--- a/contrib/make_libsecp256k1.sh
+++ b/contrib/make_libsecp256k1.sh
@ -35,7 +35,7 @@ info "Building $pkgname..."
    fi
    git reset --hard
    git clean -f -x -q
-    git checkout $LIBSECP_VERSION
+    git checkout "${LIBSECP_VERSION}^{commit}"
    if ! [ -x configure ] ; then
        echo "libsecp256k1_la_LDFLAGS = -no-undefined" >> Makefile.am