git sanity: enforce "git checkout commithash" actually pulls commit

If there is a collision between a branch name and a commit hash, git
will choose the branch, even if the full 40-hex-long commit hash is
given. GitHub disallows branches/tags with such a name but git itself
does not. By adding the `^{commit}` syntax sugar after a ref name,
we can tell git that we want the commit hash to be preferred,
and hence we don't need to trust GitHub (only git).

see https://security.stackexchange.com/questions/225411/

contrib/android/Dockerfile

@@ -154,7 +154,7 @@ RUN cd /opt \
     && cd buildozer \
     && git remote add sombernight https://github.com/SomberNight/buildozer \
     && git fetch --all \
-    && git checkout d0323c165dd5d9aa23d5eb01044474fe006c3420 \
+    && git checkout "d0323c165dd5d9aa23d5eb01044474fe006c3420^{commit}" \
     && python3 -m pip install --user -e .
 
 # install python-for-android
@@ -163,7 +163,7 @@ RUN cd /opt \
     && cd python-for-android \
     && git remote add sombernight https://github.com/SomberNight/python-for-android \
     && git fetch --all \
-    && git checkout cef08b92268fe69ef331699c2205cbb091e730f0 \
+    && git checkout "cef08b92268fe69ef331699c2205cbb091e730f0^{commit}" \
     && python3 -m pip install --user -e .
 
 # build env vars

contrib/build-linux/appimage/build.sh

@@ -71,7 +71,7 @@ info "Building squashfskit"
 git clone "https://github.com/squashfskit/squashfskit.git" "$BUILDDIR/squashfskit"
 (
     cd "$BUILDDIR/squashfskit"
-    git checkout "$SQUASHFSKIT_COMMIT"
+    git checkout "${SQUASHFSKIT_COMMIT}^{commit}"
     make -C squashfs-tools mksquashfs || fail "Could not build squashfskit"
 )
 MKSQUASHFS="$BUILDDIR/squashfskit/squashfs-tools/mksquashfs"

contrib/build-wine/prepare-wine.sh

@@ -10,11 +10,11 @@ ZBAR_URL=https://sourceforge.net/projects/zbarw/files/$ZBAR_FILENAME/download
 ZBAR_SHA256=177e32b272fa76528a3af486b74e9cb356707be1c5ace4ed3fcee9723e2c2c02
 
 LIBUSB_REPO="https://github.com/libusb/libusb.git"
-LIBUSB_COMMIT=e782eeb2514266f6738e242cdcb18e3ae1ed06fa
+LIBUSB_COMMIT="e782eeb2514266f6738e242cdcb18e3ae1ed06fa"
 # ^ tag v1.0.23
 
 PYINSTALLER_REPO="https://github.com/SomberNight/pyinstaller.git"
-PYINSTALLER_COMMIT=e934539374e30d1500fcdbe8e4eb0860413935b2
+PYINSTALLER_COMMIT="e934539374e30d1500fcdbe8e4eb0860413935b2"
 # ^ tag 3.6, plus a custom commit that fixes cross-compilation with MinGW
 
 PYTHON_VERSION=3.7.7
@@ -88,7 +88,7 @@ info "Compiling libusb..."
     git init
     git remote add origin $LIBUSB_REPO
     git fetch --depth 1 origin $LIBUSB_COMMIT
-    git checkout -b pinned FETCH_HEAD
+    git checkout -b pinned "${LIBUSB_COMMIT}^{commit}"
     echo "libusb_1_0_la_LDFLAGS += -Wc,-static" >> libusb/Makefile.am
     ./bootstrap.sh || fail "Could not bootstrap libusb"
     host="i686-w64-mingw32"
@@ -119,7 +119,7 @@ info "Building PyInstaller."
     git init
     git remote add origin $PYINSTALLER_REPO
     git fetch --depth 1 origin $PYINSTALLER_COMMIT
-    git checkout -b pinned FETCH_HEAD
+    git checkout -b pinned "${$PYINSTALLER_COMMIT}^{commit}"
     rm -fv PyInstaller/bootloader/Windows-*/run*.exe || true
     # add reproducible randomness. this ensures we build a different bootloader for each commit.
     # if we built the same one for all releases, that might also get anti-virus false positives

contrib/make_libsecp256k1.sh

@@ -35,7 +35,7 @@ info "Building $pkgname..."
     fi
     git reset --hard
     git clean -f -x -q
-    git checkout $LIBSECP_VERSION
+    git checkout "${LIBSECP_VERSION}^{commit}"
 
     if ! [ -x configure ] ; then
         echo "libsecp256k1_la_LDFLAGS = -no-undefined" >> Makefile.am