From 6b7aa566ef292ef162e9f29dbd059fb74f761df5 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Wed, 20 Oct 2021 21:57:40 +0200
Subject: [PATCH] electrs/update.sh: ensure tag is checked out

Cloning a tag-named branch introduced a supply chain attack vector, because branch and tag contents might differ. Now the hashed worktree always corresponds to the tag that is GPG-verified.
---
 pkgs/applications/blockchains/electrs/update.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkgs/applications/blockchains/electrs/update.sh b/pkgs/applications/blockchains/electrs/update.sh
index 3e4d90db59de..14105d71a448 100755
--- a/pkgs/applications/blockchains/electrs/update.sh
+++ b/pkgs/applications/blockchains/electrs/update.sh
@@ -21,6 +21,7 @@ repo=$tmpdir/repo
 trap "rm -rf $tmpdir" EXIT
 git clone --depth 1 --branch v${version} -c advice.detachedHead=false https://github.com/romanz/electrs $repo
+git -C $repo checkout tags/v${version}
 export GNUPGHOME=$tmpdir
 echo
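Review bot: The added `git -C $repo checkout tags/v${version}` only removes the branch-shadowing risk if a failed checkout is fatal; the script's header (and any `set -e`) is outside this hunk, and without it a missing tag leaves the worktree at the branch tip that `--branch v${version}` resolved to, which is exactly the content the commit wants to exclude. This matters because with `--depth 1` the tag object is, as I read git's tag auto-following, only fetched when it lies in the history of the fetched branch tip, so a shadowing branch that does not contain the tagged commit makes this checkout fail rather than succeed. I would make the step explicitly fatal and fully qualify the ref so it cannot be satisfied by another namespace or a path: `git -C "$repo" checkout "refs/tags/v${version}" || exit 1`. The commit message's claim that the hashed worktree is the GPG-verified tag is also worth asserting in code once the verify step (not visible here) has run, e.g. `test "$(git -C "$repo" rev-parse HEAD)" = "$(git -C "$repo" rev-parse "v${version}^{commit}")"`. Quoting `$repo` and `${version}` would also clear ShellCheck SC2086, though the neighbouring lines leave them unquoted.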