# SPDX-License-Identifier: EUPL-1.2+
# SPDX-FileCopyrightText: 2021-2024 Alyssa Ross <hi@alyssa.is>
# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>

import ../lib/call-package.nix ({ cryptsetup, runCommand, rootfs }:
runCommand "spectrum-verity" {
  nativeBuildInputs = [ cryptsetup ];
  __structuredAttrs = true;
  unsafeDiscardReferences = { out = true; };
  dontFixup = true;
  env = { ROOTFS = rootfs; };
} ''
  mkdir -- "$out"
  veritysetup format "--root-hash-file=$out/rootfs.verity.roothash" \
    -- "$ROOTFS" "$out/rootfs.verity.superblock"
  # veritysetup doesn't append a newline, so the shell read command fails
  echo >> "$out/rootfs.verity.roothash"
  ''
) (_: {})