2011-10-10 23:11:08 +02:00
|
|
|
|
package Nix::Manifest;
|
|
|
|
|
|
2014-08-20 17:00:17 +02:00
|
|
|
|
use utf8;
|
2003-12-05 12:25:38 +01:00
|
|
|
|
use strict;
|
2011-04-11 01:22:46 +02:00
|
|
|
|
use DBI;
|
2013-10-24 19:10:38 +02:00
|
|
|
|
use DBD::SQLite;
|
2011-04-11 01:22:46 +02:00
|
|
|
|
use Cwd;
|
|
|
|
|
use File::stat;
|
2011-04-11 10:06:14 +02:00
|
|
|
|
use File::Path;
|
2011-04-11 14:40:13 +02:00
|
|
|
|
use Fcntl ':flock';
|
2015-02-04 16:43:32 +01:00
|
|
|
|
use MIME::Base64;
|
2011-10-10 23:11:08 +02:00
|
|
|
|
use Nix::Config;
|
2015-02-04 16:43:32 +01:00
|
|
|
|
use Nix::Store;
|
2011-10-10 23:11:08 +02:00
|
|
|
|
|
|
|
|
|
our @ISA = qw(Exporter);
|
2016-04-11 14:16:56 +02:00
|
|
|
|
our @EXPORT = qw(readManifest writeManifest addPatch parseNARInfo fingerprintPath);
|
2003-12-05 12:25:38 +01:00
|
|
|
|
|
2004-12-28 22:11:28 +01:00
|
|
|
|
|
2011-04-11 15:16:54 +02:00
|
|
|
|
sub addNAR {
|
|
|
|
|
my ($narFiles, $storePath, $info) = @_;
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2011-04-11 15:16:54 +02:00
|
|
|
|
$$narFiles{$storePath} = []
|
|
|
|
|
unless defined $$narFiles{$storePath};
|
|
|
|
|
|
|
|
|
|
my $narFileList = $$narFiles{$storePath};
|
|
|
|
|
|
|
|
|
|
my $found = 0;
|
|
|
|
|
foreach my $narFile (@{$narFileList}) {
|
|
|
|
|
$found = 1 if $narFile->{url} eq $info->{url};
|
|
|
|
|
}
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2011-04-11 15:16:54 +02:00
|
|
|
|
push @{$narFileList}, $info if !$found;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2004-12-29 19:58:15 +01:00
|
|
|
|
sub addPatch {
|
2009-04-16 11:27:33 +02:00
|
|
|
|
my ($patches, $storePath, $patch) = @_;
|
2004-12-29 19:58:15 +01:00
|
|
|
|
|
|
|
|
|
$$patches{$storePath} = []
|
|
|
|
|
unless defined $$patches{$storePath};
|
|
|
|
|
|
|
|
|
|
my $patchList = $$patches{$storePath};
|
|
|
|
|
|
|
|
|
|
my $found = 0;
|
|
|
|
|
foreach my $patch2 (@{$patchList}) {
|
2009-03-19 10:47:34 +01:00
|
|
|
|
$found = 1 if
|
|
|
|
|
$patch2->{url} eq $patch->{url} &&
|
|
|
|
|
$patch2->{basePath} eq $patch->{basePath};
|
2004-12-29 19:58:15 +01:00
|
|
|
|
}
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2004-12-29 23:17:26 +01:00
|
|
|
|
push @{$patchList}, $patch if !$found;
|
|
|
|
|
|
|
|
|
|
return !$found;
|
2004-12-29 19:58:15 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2011-04-11 15:16:54 +02:00
|
|
|
|
sub readManifest_ {
|
|
|
|
|
my ($manifest, $addNAR, $addPatch) = @_;
|
2003-12-05 12:25:38 +01:00
|
|
|
|
|
2011-11-16 17:25:38 +01:00
|
|
|
|
# Decompress the manifest if necessary.
|
|
|
|
|
if ($manifest =~ /\.bz2$/) {
|
|
|
|
|
open MANIFEST, "$Nix::Config::bzip2 -d < $manifest |"
|
2016-11-26 00:37:43 +01:00
|
|
|
|
or die "cannot decompress ‘$manifest’: $!";
|
2011-11-16 17:25:38 +01:00
|
|
|
|
} else {
|
|
|
|
|
open MANIFEST, "<$manifest"
|
2016-11-26 00:37:43 +01:00
|
|
|
|
or die "cannot open ‘$manifest’: $!";
|
2011-11-16 17:25:38 +01:00
|
|
|
|
}
|
2003-12-05 12:25:38 +01:00
|
|
|
|
|
|
|
|
|
my $inside = 0;
|
2004-12-13 14:47:38 +01:00
|
|
|
|
my $type;
|
2003-12-05 12:25:38 +01:00
|
|
|
|
|
2005-02-25 17:12:52 +01:00
|
|
|
|
my $manifestVersion = 2;
|
|
|
|
|
|
2010-11-17 15:31:42 +01:00
|
|
|
|
my ($storePath, $url, $hash, $size, $basePath, $baseHash, $patchType);
|
2012-09-19 23:33:42 +02:00
|
|
|
|
my ($narHash, $narSize, $references, $deriver, $copyFrom, $system, $compressionType);
|
2003-12-05 12:25:38 +01:00
|
|
|
|
|
|
|
|
|
while (<MANIFEST>) {
|
|
|
|
|
chomp;
|
|
|
|
|
s/\#.*$//g;
|
|
|
|
|
next if (/^$/);
|
|
|
|
|
|
|
|
|
|
if (!$inside) {
|
2004-12-28 22:11:28 +01:00
|
|
|
|
|
|
|
|
|
if (/^\s*(\w*)\s*\{$/) {
|
|
|
|
|
$type = $1;
|
|
|
|
|
$type = "narfile" if $type eq "";
|
2003-12-05 12:25:38 +01:00
|
|
|
|
$inside = 1;
|
2004-06-21 11:51:23 +02:00
|
|
|
|
undef $storePath;
|
2004-12-13 14:47:38 +01:00
|
|
|
|
undef $url;
|
2003-12-05 12:25:38 +01:00
|
|
|
|
undef $hash;
|
2004-12-28 22:11:28 +01:00
|
|
|
|
undef $size;
|
2004-12-20 17:38:50 +01:00
|
|
|
|
undef $narHash;
|
2010-11-17 15:31:42 +01:00
|
|
|
|
undef $narSize;
|
2004-12-13 14:47:38 +01:00
|
|
|
|
undef $basePath;
|
|
|
|
|
undef $baseHash;
|
|
|
|
|
undef $patchType;
|
2010-11-29 10:26:05 +01:00
|
|
|
|
undef $system;
|
2005-01-25 18:08:52 +01:00
|
|
|
|
$references = "";
|
2005-02-09 13:57:13 +01:00
|
|
|
|
$deriver = "";
|
2012-09-19 23:33:42 +02:00
|
|
|
|
$compressionType = "bzip2";
|
2012-09-13 17:35:46 +02:00
|
|
|
|
}
|
2004-12-28 22:11:28 +01:00
|
|
|
|
|
2003-12-05 12:25:38 +01:00
|
|
|
|
} else {
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2003-12-05 12:25:38 +01:00
|
|
|
|
if (/^\}$/) {
|
|
|
|
|
$inside = 0;
|
|
|
|
|
|
2004-12-13 14:47:38 +01:00
|
|
|
|
if ($type eq "narfile") {
|
2011-04-11 15:16:54 +02:00
|
|
|
|
&$addNAR($storePath,
|
|
|
|
|
{ url => $url, hash => $hash, size => $size
|
|
|
|
|
, narHash => $narHash, narSize => $narSize
|
|
|
|
|
, references => $references
|
|
|
|
|
, deriver => $deriver
|
|
|
|
|
, system => $system
|
2012-09-19 23:33:42 +02:00
|
|
|
|
, compressionType => $compressionType
|
2011-04-11 15:16:54 +02:00
|
|
|
|
});
|
2004-12-13 14:47:38 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
elsif ($type eq "patch") {
|
2011-04-11 15:16:54 +02:00
|
|
|
|
&$addPatch($storePath,
|
2004-12-29 19:58:15 +01:00
|
|
|
|
{ url => $url, hash => $hash, size => $size
|
|
|
|
|
, basePath => $basePath, baseHash => $baseHash
|
2010-11-17 15:31:42 +01:00
|
|
|
|
, narHash => $narHash, narSize => $narSize
|
2011-04-11 01:22:46 +02:00
|
|
|
|
, patchType => $patchType
|
2011-04-11 15:16:54 +02:00
|
|
|
|
});
|
2003-12-05 12:25:38 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2004-12-13 14:47:38 +01:00
|
|
|
|
elsif (/^\s*StorePath:\s*(\/\S+)\s*$/) { $storePath = $1; }
|
2007-01-23 17:50:19 +01:00
|
|
|
|
elsif (/^\s*CopyFrom:\s*(\/\S+)\s*$/) { $copyFrom = $1; }
|
2004-12-13 14:47:38 +01:00
|
|
|
|
elsif (/^\s*Hash:\s*(\S+)\s*$/) { $hash = $1; }
|
|
|
|
|
elsif (/^\s*URL:\s*(\S+)\s*$/) { $url = $1; }
|
2012-09-19 23:33:42 +02:00
|
|
|
|
elsif (/^\s*Compression:\s*(\S+)\s*$/) { $compressionType = $1; }
|
2004-12-13 14:47:38 +01:00
|
|
|
|
elsif (/^\s*Size:\s*(\d+)\s*$/) { $size = $1; }
|
|
|
|
|
elsif (/^\s*BasePath:\s*(\/\S+)\s*$/) { $basePath = $1; }
|
|
|
|
|
elsif (/^\s*BaseHash:\s*(\S+)\s*$/) { $baseHash = $1; }
|
|
|
|
|
elsif (/^\s*Type:\s*(\S+)\s*$/) { $patchType = $1; }
|
2004-12-20 17:38:50 +01:00
|
|
|
|
elsif (/^\s*NarHash:\s*(\S+)\s*$/) { $narHash = $1; }
|
2010-11-17 15:31:42 +01:00
|
|
|
|
elsif (/^\s*NarSize:\s*(\d+)\s*$/) { $narSize = $1; }
|
2005-01-25 18:08:52 +01:00
|
|
|
|
elsif (/^\s*References:\s*(.*)\s*$/) { $references = $1; }
|
2005-02-09 13:57:13 +01:00
|
|
|
|
elsif (/^\s*Deriver:\s*(\S+)\s*$/) { $deriver = $1; }
|
2005-02-25 17:12:52 +01:00
|
|
|
|
elsif (/^\s*ManifestVersion:\s*(\d+)\s*$/) { $manifestVersion = $1; }
|
2010-11-29 10:26:05 +01:00
|
|
|
|
elsif (/^\s*System:\s*(\S+)\s*$/) { $system = $1; }
|
2004-12-13 14:47:38 +01:00
|
|
|
|
|
|
|
|
|
# Compatibility;
|
|
|
|
|
elsif (/^\s*NarURL:\s*(\S+)\s*$/) { $url = $1; }
|
2005-03-14 16:09:53 +01:00
|
|
|
|
elsif (/^\s*MD5:\s*(\S+)\s*$/) { $hash = "md5:$1"; }
|
2004-12-20 17:38:50 +01:00
|
|
|
|
|
2003-12-05 12:25:38 +01:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
close MANIFEST;
|
2005-02-25 17:12:52 +01:00
|
|
|
|
|
|
|
|
|
return $manifestVersion;
|
2003-12-05 12:25:38 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2011-04-11 15:16:54 +02:00
|
|
|
|
sub readManifest {
|
|
|
|
|
my ($manifest, $narFiles, $patches) = @_;
|
|
|
|
|
readManifest_($manifest,
|
|
|
|
|
sub { addNAR($narFiles, @_); },
|
|
|
|
|
sub { addPatch($patches, @_); } );
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2009-04-16 11:27:33 +02:00
|
|
|
|
sub writeManifest {
|
2010-11-29 16:26:28 +01:00
|
|
|
|
my ($manifest, $narFiles, $patches, $noCompress) = @_;
|
2004-12-28 22:11:28 +01:00
|
|
|
|
|
2004-12-29 20:04:21 +01:00
|
|
|
|
open MANIFEST, ">$manifest.tmp"; # !!! check exclusive
|
2004-12-28 22:11:28 +01:00
|
|
|
|
|
2005-02-25 17:12:52 +01:00
|
|
|
|
print MANIFEST "version {\n";
|
|
|
|
|
print MANIFEST " ManifestVersion: 3\n";
|
|
|
|
|
print MANIFEST "}\n";
|
|
|
|
|
|
2006-02-24 17:02:36 +01:00
|
|
|
|
foreach my $storePath (sort (keys %{$narFiles})) {
|
2004-12-28 22:11:28 +01:00
|
|
|
|
my $narFileList = $$narFiles{$storePath};
|
|
|
|
|
foreach my $narFile (@{$narFileList}) {
|
|
|
|
|
print MANIFEST "{\n";
|
|
|
|
|
print MANIFEST " StorePath: $storePath\n";
|
|
|
|
|
print MANIFEST " NarURL: $narFile->{url}\n";
|
2012-09-19 23:33:42 +02:00
|
|
|
|
print MANIFEST " Compression: $narFile->{compressionType}\n";
|
2009-04-16 11:27:33 +02:00
|
|
|
|
print MANIFEST " Hash: $narFile->{hash}\n" if defined $narFile->{hash};
|
|
|
|
|
print MANIFEST " Size: $narFile->{size}\n" if defined $narFile->{size};
|
2010-11-17 13:57:52 +01:00
|
|
|
|
print MANIFEST " NarHash: $narFile->{narHash}\n";
|
|
|
|
|
print MANIFEST " NarSize: $narFile->{narSize}\n" if $narFile->{narSize};
|
2005-01-25 18:08:52 +01:00
|
|
|
|
print MANIFEST " References: $narFile->{references}\n"
|
|
|
|
|
if defined $narFile->{references} && $narFile->{references} ne "";
|
2005-02-09 13:57:13 +01:00
|
|
|
|
print MANIFEST " Deriver: $narFile->{deriver}\n"
|
|
|
|
|
if defined $narFile->{deriver} && $narFile->{deriver} ne "";
|
2010-11-29 10:26:05 +01:00
|
|
|
|
print MANIFEST " System: $narFile->{system}\n" if defined $narFile->{system};
|
2004-12-28 22:11:28 +01:00
|
|
|
|
print MANIFEST "}\n";
|
|
|
|
|
}
|
|
|
|
|
}
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2006-02-24 17:02:36 +01:00
|
|
|
|
foreach my $storePath (sort (keys %{$patches})) {
|
2004-12-28 22:11:28 +01:00
|
|
|
|
my $patchList = $$patches{$storePath};
|
|
|
|
|
foreach my $patch (@{$patchList}) {
|
|
|
|
|
print MANIFEST "patch {\n";
|
|
|
|
|
print MANIFEST " StorePath: $storePath\n";
|
|
|
|
|
print MANIFEST " NarURL: $patch->{url}\n";
|
2005-03-14 16:09:53 +01:00
|
|
|
|
print MANIFEST " Hash: $patch->{hash}\n";
|
2004-12-28 22:11:28 +01:00
|
|
|
|
print MANIFEST " Size: $patch->{size}\n";
|
2010-11-17 15:31:42 +01:00
|
|
|
|
print MANIFEST " NarHash: $patch->{narHash}\n";
|
|
|
|
|
print MANIFEST " NarSize: $patch->{narSize}\n" if $patch->{narSize};
|
2004-12-28 22:11:28 +01:00
|
|
|
|
print MANIFEST " BasePath: $patch->{basePath}\n";
|
|
|
|
|
print MANIFEST " BaseHash: $patch->{baseHash}\n";
|
|
|
|
|
print MANIFEST " Type: $patch->{patchType}\n";
|
|
|
|
|
print MANIFEST "}\n";
|
|
|
|
|
}
|
|
|
|
|
}
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
|
|
|
|
|
2004-12-28 22:11:28 +01:00
|
|
|
|
close MANIFEST;
|
2004-12-29 20:04:21 +01:00
|
|
|
|
|
|
|
|
|
rename("$manifest.tmp", $manifest)
|
|
|
|
|
or die "cannot rename $manifest.tmp: $!";
|
2007-09-04 17:38:09 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Create a bzipped manifest.
|
2010-11-29 16:26:28 +01:00
|
|
|
|
unless (defined $noCompress) {
|
2012-09-13 17:35:46 +02:00
|
|
|
|
system("$Nix::Config::bzip2 < $manifest > $manifest.bz2.tmp") == 0
|
|
|
|
|
or die "cannot compress manifest";
|
2007-09-04 17:38:09 +02:00
|
|
|
|
|
2012-09-13 17:35:46 +02:00
|
|
|
|
rename("$manifest.bz2.tmp", "$manifest.bz2")
|
|
|
|
|
or die "cannot rename $manifest.bz2.tmp: $!";
|
2010-11-29 16:26:28 +01:00
|
|
|
|
}
|
2004-12-28 22:11:28 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2015-02-04 17:59:31 +01:00
|
|
|
|
# Return a fingerprint of a store path to be used in binary cache
|
2015-06-03 15:33:17 +02:00
|
|
|
|
# signatures. It contains the store path, the base-32 SHA-256 hash of
|
|
|
|
|
# the contents of the path, and the references.
|
2015-02-04 17:59:31 +01:00
|
|
|
|
sub fingerprintPath {
|
2015-02-17 13:16:58 +01:00
|
|
|
|
my ($storePath, $narHash, $narSize, $references) = @_;
|
2015-02-04 17:59:31 +01:00
|
|
|
|
die if substr($storePath, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
|
|
|
|
|
die if substr($narHash, 0, 7) ne "sha256:";
|
2015-06-03 15:33:17 +02:00
|
|
|
|
# Convert hash from base-16 to base-32, if necessary.
|
|
|
|
|
$narHash = "sha256:" . convertHash("sha256", substr($narHash, 7), 1)
|
|
|
|
|
if length($narHash) == 71;
|
2015-02-04 17:59:31 +01:00
|
|
|
|
die if length($narHash) != 59;
|
|
|
|
|
foreach my $ref (@{$references}) {
|
|
|
|
|
die if substr($ref, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
|
|
|
|
|
}
|
2015-02-17 13:16:58 +01:00
|
|
|
|
return "1;" . $storePath . ";" . $narHash . ";" . $narSize . ";" . join(",", @{$references});
|
2015-02-04 17:59:31 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2012-10-17 22:45:04 +02:00
|
|
|
|
# Parse a NAR info file.
|
|
|
|
|
sub parseNARInfo {
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
my ($storePath, $content, $requireValidSig, $location) = @_;
|
2012-10-17 22:45:04 +02:00
|
|
|
|
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
my ($storePath2, $url, $fileHash, $fileSize, $narHash, $narSize, $deriver, $system, $sig);
|
2012-10-17 22:45:04 +02:00
|
|
|
|
my $compression = "bzip2";
|
|
|
|
|
my @refs;
|
|
|
|
|
|
|
|
|
|
foreach my $line (split "\n", $content) {
|
|
|
|
|
return undef unless $line =~ /^(.*): (.*)$/;
|
|
|
|
|
if ($1 eq "StorePath") { $storePath2 = $2; }
|
|
|
|
|
elsif ($1 eq "URL") { $url = $2; }
|
|
|
|
|
elsif ($1 eq "Compression") { $compression = $2; }
|
|
|
|
|
elsif ($1 eq "FileHash") { $fileHash = $2; }
|
|
|
|
|
elsif ($1 eq "FileSize") { $fileSize = int($2); }
|
|
|
|
|
elsif ($1 eq "NarHash") { $narHash = $2; }
|
|
|
|
|
elsif ($1 eq "NarSize") { $narSize = int($2); }
|
|
|
|
|
elsif ($1 eq "References") { @refs = split / /, $2; }
|
|
|
|
|
elsif ($1 eq "Deriver") { $deriver = $2; }
|
|
|
|
|
elsif ($1 eq "System") { $system = $2; }
|
2015-02-04 17:59:31 +01:00
|
|
|
|
elsif ($1 eq "Sig") { $sig = $2; }
|
2012-10-17 22:45:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return undef if $storePath ne $storePath2 || !defined $url || !defined $narHash;
|
|
|
|
|
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
my $res =
|
2012-10-17 22:45:04 +02:00
|
|
|
|
{ url => $url
|
|
|
|
|
, compression => $compression
|
|
|
|
|
, fileHash => $fileHash
|
|
|
|
|
, fileSize => $fileSize
|
|
|
|
|
, narHash => $narHash
|
|
|
|
|
, narSize => $narSize
|
|
|
|
|
, refs => [ @refs ]
|
|
|
|
|
, deriver => $deriver
|
|
|
|
|
, system => $system
|
|
|
|
|
};
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
|
|
|
|
|
if ($requireValidSig) {
|
2015-02-04 17:59:31 +01:00
|
|
|
|
# FIXME: might be useful to support multiple signatures per .narinfo.
|
|
|
|
|
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
if (!defined $sig) {
|
2016-11-26 00:37:43 +01:00
|
|
|
|
warn "NAR info file ‘$location’ lacks a signature; ignoring\n";
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
return undef;
|
|
|
|
|
}
|
2015-02-04 17:59:31 +01:00
|
|
|
|
my ($keyName, $sig64) = split ":", $sig;
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
return undef unless defined $keyName && defined $sig64;
|
2015-02-04 16:43:32 +01:00
|
|
|
|
|
|
|
|
|
my $publicKey = $Nix::Config::binaryCachePublicKeys{$keyName};
|
|
|
|
|
if (!defined $publicKey) {
|
2016-11-26 00:37:43 +01:00
|
|
|
|
warn "NAR info file ‘$location’ is signed by unknown key ‘$keyName’; ignoring\n";
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
return undef;
|
|
|
|
|
}
|
2015-02-04 16:43:32 +01:00
|
|
|
|
|
2015-06-03 15:19:32 +02:00
|
|
|
|
my $fingerprint;
|
|
|
|
|
eval {
|
|
|
|
|
$fingerprint = fingerprintPath(
|
|
|
|
|
$storePath, $narHash, $narSize,
|
|
|
|
|
[ map { "$Nix::Config::storeDir/$_" } @refs ]);
|
|
|
|
|
};
|
|
|
|
|
if ($@) {
|
2016-11-26 00:37:43 +01:00
|
|
|
|
warn "cannot compute fingerprint of ‘$location’; ignoring\n";
|
2015-06-03 15:19:32 +02:00
|
|
|
|
return undef;
|
|
|
|
|
}
|
2015-02-04 17:59:31 +01:00
|
|
|
|
|
|
|
|
|
if (!checkSignature($publicKey, decode_base64($sig64), $fingerprint)) {
|
2016-11-26 00:37:43 +01:00
|
|
|
|
warn "NAR info file ‘$location’ has an incorrect signature; ignoring\n";
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
return undef;
|
|
|
|
|
}
|
2015-02-04 17:59:31 +01:00
|
|
|
|
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
$res->{signedBy} = $keyName;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $res;
|
2012-10-17 22:45:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2003-12-05 12:25:38 +01:00
|
|
|
|
return 1;
|