mdebray/tvl-depot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tvl-depot/third_party/nix/src/libstore/crypto.cc

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

139 lines
3.4 KiB
C++
Raw Normal View History

refactor(3p/nix): Anchor local includes at src/ Previously all includes were anchored in one global mess of header files. This moves the includes into filesystem "namespaces" (if you will) for each sub-package of Nix. Note: This commit does not introduce the relevant build system changes.
2020-05-27 22:56:34 +02:00
#include "libstore/crypto.hh"
style(3p/nix): Reformat all includes to match new style
2020-05-19 16:54:39 +02:00
refactor(3p/nix): Remove custom base64 implementation Replace the custom, rather questionable base64 implementation with absl::Base64{Une,E}scape. To make sure that the custom implementation was doing the same thing I've also added a test covering nix::Hash::to_string, which was one function that used it - the test passed prior to the replacement, and continued to pass afterwards. The previous base64Decode function threw an exception on failure - to avoid going too far down the rabbit hole I've replicated that functionality at all call sites, but this should be replaced with more sensible error handling such as StatusOr eventually. Also, before this change: ❯ nix eval -f . users.tazjin.emacs.outPath "/nix/store/g6ri2q8nra96ix20bcsc734r1yyaylb1-tazjins-emacs" And after: ❯ ./result/bin/nix eval -f . users.tazjin.emacs.outPath "/nix/store/g6ri2q8nra96ix20bcsc734r1yyaylb1-tazjins-emacs" Change-Id: Id292ffbb82fe808f3f1b34670afbe7b8c13ad615 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1385 Reviewed-by: tazjin <mail@tazj.in> Tested-by: BuildkiteCI
2020-07-23 23:18:00 +02:00
#include <absl/strings/escaping.h>
refactor(3p/nix): Anchor local includes at src/ Previously all includes were anchored in one global mess of header files. This moves the includes into filesystem "namespaces" (if you will) for each sub-package of Nix. Note: This commit does not introduce the relevant build system changes.
2020-05-27 22:56:34 +02:00
#include "libstore/globals.hh"
#include "libutil/util.hh"
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
#if HAVE_SODIUM
#include <sodium.h>
#endif
namespace nix {
fix(3p/nix): fix usage error of absl::Base64Unescape The source and destination strings cannot be the same string - absl will write to the destination in a streaming manner, causing the source to become invalid. Change-Id: I3578cf1f8789a51d85e0950f7987c398f0a00953 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1659 Tested-by: BuildkiteCI Reviewed-by: glittershark <grfn@gws.fyi>
2020-08-05 12:03:06 +02:00
// TODO(riking): convert to string_view to reduce allocations
style(3p/nix): Remove 'using std::*' from types.hh It is considered bad form to use things from includes in headers, as these directives propagate to everywhere else and can make it confusing. types.hh (which is includes almost literally everywhere) had some of these directives, which this commit removes.
2020-05-24 23:29:21 +02:00
static std::pair<std::string, std::string> split(const std::string& s) {
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
size_t colon = s.find(':');
if (colon == std::string::npos || colon == 0) {
return {"", ""};
style(3p/nix): Add braces around single-line conditionals These were not caught by the previous clang-tidy invocation, but were instead sorted out using amber[0] as such: ambr --regex 'if (\(.+\))\s([a-z].*;)' 'if $1 { $2 }' [0]: https://github.com/dalance/amber
2020-05-19 19:55:58 +02:00
}
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
return {std::string(s, 0, colon), std::string(s, colon + 1)};
}
style(3p/nix): Remove 'using std::*' from types.hh It is considered bad form to use things from includes in headers, as these directives propagate to everywhere else and can make it confusing. types.hh (which is includes almost literally everywhere) had some of these directives, which this commit removes.
2020-05-24 23:29:21 +02:00
Key::Key(const std::string& s) {
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
auto ss = split(s);
name = ss.first;
fix(3p/nix): fix usage error of absl::Base64Unescape The source and destination strings cannot be the same string - absl will write to the destination in a streaming manner, causing the source to become invalid. Change-Id: I3578cf1f8789a51d85e0950f7987c398f0a00953 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1659 Tested-by: BuildkiteCI Reviewed-by: glittershark <grfn@gws.fyi>
2020-08-05 12:03:06 +02:00
std::string keyb64 = ss.second;
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
fix(3p/nix): fix usage error of absl::Base64Unescape The source and destination strings cannot be the same string - absl will write to the destination in a streaming manner, causing the source to become invalid. Change-Id: I3578cf1f8789a51d85e0950f7987c398f0a00953 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1659 Tested-by: BuildkiteCI Reviewed-by: glittershark <grfn@gws.fyi>
2020-08-05 12:03:06 +02:00
if (name.empty() || keyb64.empty()) {
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
throw Error("secret key is corrupt");
style(3p/nix): Add braces around single-line conditionals These were not caught by the previous clang-tidy invocation, but were instead sorted out using amber[0] as such: ambr --regex 'if (\(.+\))\s([a-z].*;)' 'if $1 { $2 }' [0]: https://github.com/dalance/amber
2020-05-19 19:55:58 +02:00
}
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
fix(3p/nix): fix usage error of absl::Base64Unescape The source and destination strings cannot be the same string - absl will write to the destination in a streaming manner, causing the source to become invalid. Change-Id: I3578cf1f8789a51d85e0950f7987c398f0a00953 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1659 Tested-by: BuildkiteCI Reviewed-by: glittershark <grfn@gws.fyi>
2020-08-05 12:03:06 +02:00
if (!absl::Base64Unescape(keyb64, &key)) {
refactor(3p/nix): Remove custom base64 implementation Replace the custom, rather questionable base64 implementation with absl::Base64{Une,E}scape. To make sure that the custom implementation was doing the same thing I've also added a test covering nix::Hash::to_string, which was one function that used it - the test passed prior to the replacement, and continued to pass afterwards. The previous base64Decode function threw an exception on failure - to avoid going too far down the rabbit hole I've replicated that functionality at all call sites, but this should be replaced with more sensible error handling such as StatusOr eventually. Also, before this change: ❯ nix eval -f . users.tazjin.emacs.outPath "/nix/store/g6ri2q8nra96ix20bcsc734r1yyaylb1-tazjins-emacs" And after: ❯ ./result/bin/nix eval -f . users.tazjin.emacs.outPath "/nix/store/g6ri2q8nra96ix20bcsc734r1yyaylb1-tazjins-emacs" Change-Id: Id292ffbb82fe808f3f1b34670afbe7b8c13ad615 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1385 Reviewed-by: tazjin <mail@tazj.in> Tested-by: BuildkiteCI
2020-07-23 23:18:00 +02:00
// TODO(grfn): replace this with StatusOr
throw Error("Invalid Base64");
}
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
}
style(3p/nix): Remove 'using std::*' from types.hh It is considered bad form to use things from includes in headers, as these directives propagate to everywhere else and can make it confusing. types.hh (which is includes almost literally everywhere) had some of these directives, which this commit removes.
2020-05-24 23:29:21 +02:00
SecretKey::SecretKey(const std::string& s) : Key(s) {
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
#if HAVE_SODIUM
if (key.size() != crypto_sign_SECRETKEYBYTES) {
throw Error("secret key is not valid");
style(3p/nix): Final act in the brace-wrapping saga This last change set was generated by a full clang-tidy run (including compilation): clang-tidy -p ~/projects/nix-build/ \ -checks=-*,readability-braces-around-statements -fix src/*/*.cc Actually running clang-tidy requires some massaging to make it play nice with Nix + meson, I'll be adding a wrapper or something for that soon.
2020-05-19 21:47:23 +02:00
}
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
#endif
}
Fix Darwin build http://hydra.nixos.org/build/33279996
2016-03-15 12:11:27 +01:00
#if !HAVE_SODIUM
Fix build without sodium http://hydra.nixos.org/build/32085949
2016-02-17 12:41:41 +01:00
[[noreturn]] static void noSodium() {
throw Error(
"Nix was not compiled with libsodium, required for signed binary cache "
"support");
}
Fix Darwin build http://hydra.nixos.org/build/33279996
2016-03-15 12:11:27 +01:00
#endif
Fix build without sodium http://hydra.nixos.org/build/32085949
2016-02-17 12:41:41 +01:00
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
std::string SecretKey::signDetached(const std::string& data) const {
#if HAVE_SODIUM
unsigned char sig[crypto_sign_BYTES];
fix(3p/nix): revert "apply all clang-tidy fixes" This reverts commit ef54f5da9fa30b5c302f2a49595ee5d041f9706a. Resolved conflicts: third_party/nix/src/libexpr/eval.cc third_party/nix/src/libstore/builtins/fetchurl.cc third_party/nix/src/libstore/references.cc third_party/nix/src/libutil/hash.cc third_party/nix/src/nix-daemon/nix-daemon.cc Change-Id: Ib9cf6e96a79a23bde3983579ced3f92e530cb011 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1547 Reviewed-by: glittershark <grfn@gws.fyi> Tested-by: BuildkiteCI
2020-08-02 00:32:00 +02:00
unsigned long long sigLen;
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
crypto_sign_detached(sig, &sigLen, (unsigned char*)data.data(), data.size(),
(unsigned char*)key.data());
chore(3p/nix): apply google-readability-casting Command run: jq <compile_commands.json -r 'map(.file)|.[]' | grep -v '/generated/' | parallel clang-tidy -p compile_commands.json -checks=-*,google-readability-casting --fix Manual fixes applied in src/nix-env/nix-env.cc, src/libstore/store-api.cc Change-Id: I406b4be9368c557ca59329bf6f7002704e955f8d Reviewed-on: https://cl.tvl.fyi/c/depot/+/1557 Tested-by: BuildkiteCI Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: tazjin <mail@tazj.in>
2020-08-02 02:17:44 +02:00
return name + ":" +
absl::Base64Escape(std::string(reinterpret_cast<char*>(sig), sigLen));
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
#else
Fix build without sodium http://hydra.nixos.org/build/32085949
2016-02-17 12:41:41 +01:00
noSodium();
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
#endif
}
BinaryCacheStore: Remove publicKeyFile argument The public key can be derived from the secret key, so there's no need for the user to supply it separately.
2016-03-04 17:08:30 +01:00
PublicKey SecretKey::toPublicKey() const {
#if HAVE_SODIUM
unsigned char pk[crypto_sign_PUBLICKEYBYTES];
crypto_sign_ed25519_sk_to_pk(pk, (unsigned char*)key.data());
chore(3p/nix): apply google-readability-casting Command run: jq <compile_commands.json -r 'map(.file)|.[]' | grep -v '/generated/' | parallel clang-tidy -p compile_commands.json -checks=-*,google-readability-casting --fix Manual fixes applied in src/nix-env/nix-env.cc, src/libstore/store-api.cc Change-Id: I406b4be9368c557ca59329bf6f7002704e955f8d Reviewed-on: https://cl.tvl.fyi/c/depot/+/1557 Tested-by: BuildkiteCI Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: tazjin <mail@tazj.in>
2020-08-02 02:17:44 +02:00
return PublicKey(name, std::string(reinterpret_cast<char*>(pk),
crypto_sign_PUBLICKEYBYTES));
BinaryCacheStore: Remove publicKeyFile argument The public key can be derived from the secret key, so there's no need for the user to supply it separately.
2016-03-04 17:08:30 +01:00
#else
noSodium();
#endif
}
style(3p/nix): Remove 'using std::*' from types.hh It is considered bad form to use things from includes in headers, as these directives propagate to everywhere else and can make it confusing. types.hh (which is includes almost literally everywhere) had some of these directives, which this commit removes.
2020-05-24 23:29:21 +02:00
PublicKey::PublicKey(const std::string& s) : Key(s) {
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
#if HAVE_SODIUM
if (key.size() != crypto_sign_PUBLICKEYBYTES) {
throw Error("public key is not valid");
style(3p/nix): Final act in the brace-wrapping saga This last change set was generated by a full clang-tidy run (including compilation): clang-tidy -p ~/projects/nix-build/ \ -checks=-*,readability-braces-around-statements -fix src/*/*.cc Actually running clang-tidy requires some massaging to make it play nice with Nix + meson, I'll be adding a wrapper or something for that soon.
2020-05-19 21:47:23 +02:00
}
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
#endif
}
bool verifyDetached(const std::string& data, const std::string& sig,
const PublicKeys& publicKeys) {
Fix build without sodium http://hydra.nixos.org/build/32085949
2016-02-17 12:41:41 +01:00
#if HAVE_SODIUM
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
auto ss = split(sig);
auto key = publicKeys.find(ss.first);
if (key == publicKeys.end()) {
return false;
style(3p/nix): Add braces around single-line conditionals These were not caught by the previous clang-tidy invocation, but were instead sorted out using amber[0] as such: ambr --regex 'if (\(.+\))\s([a-z].*;)' 'if $1 { $2 }' [0]: https://github.com/dalance/amber
2020-05-19 19:55:58 +02:00
}
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
refactor(3p/nix): Remove custom base64 implementation Replace the custom, rather questionable base64 implementation with absl::Base64{Une,E}scape. To make sure that the custom implementation was doing the same thing I've also added a test covering nix::Hash::to_string, which was one function that used it - the test passed prior to the replacement, and continued to pass afterwards. The previous base64Decode function threw an exception on failure - to avoid going too far down the rabbit hole I've replicated that functionality at all call sites, but this should be replaced with more sensible error handling such as StatusOr eventually. Also, before this change: ❯ nix eval -f . users.tazjin.emacs.outPath "/nix/store/g6ri2q8nra96ix20bcsc734r1yyaylb1-tazjins-emacs" And after: ❯ ./result/bin/nix eval -f . users.tazjin.emacs.outPath "/nix/store/g6ri2q8nra96ix20bcsc734r1yyaylb1-tazjins-emacs" Change-Id: Id292ffbb82fe808f3f1b34670afbe7b8c13ad615 Reviewed-on: https://cl.tvl.fyi/c/depot/+/1385 Reviewed-by: tazjin <mail@tazj.in> Tested-by: BuildkiteCI
2020-07-23 23:18:00 +02:00
std::string sig2;
if (!absl::Base64Unescape(ss.second, &sig2)) {
// TODO(grfn): replace this with StatusOr
throw Error("Invalid Base64");
}
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
if (sig2.size() != crypto_sign_BYTES) {
throw Error("signature is not valid");
style(3p/nix): Add braces around single-line conditionals These were not caught by the previous clang-tidy invocation, but were instead sorted out using amber[0] as such: ambr --regex 'if (\(.+\))\s([a-z].*;)' 'if $1 { $2 }' [0]: https://github.com/dalance/amber
2020-05-19 19:55:58 +02:00
}
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
return crypto_sign_verify_detached(
chore(3p/nix): apply google-readability-casting Command run: jq <compile_commands.json -r 'map(.file)|.[]' | grep -v '/generated/' | parallel clang-tidy -p compile_commands.json -checks=-*,google-readability-casting --fix Manual fixes applied in src/nix-env/nix-env.cc, src/libstore/store-api.cc Change-Id: I406b4be9368c557ca59329bf6f7002704e955f8d Reviewed-on: https://cl.tvl.fyi/c/depot/+/1557 Tested-by: BuildkiteCI Reviewed-by: glittershark <grfn@gws.fyi> Reviewed-by: tazjin <mail@tazj.in>
2020-08-02 02:17:44 +02:00
reinterpret_cast<unsigned char*>(sig2.data()),
(unsigned char*)data.data(), data.size(),
(unsigned char*)key->second.key.data()) == 0;
Fix build without sodium http://hydra.nixos.org/build/32085949
2016-02-17 12:41:41 +01:00
#else
noSodium();
#endif
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
}
Add "nix verify-paths" command Unlike "nix-store --verify-path", this command verifies signatures in addition to store path contents, is multi-threaded (especially useful when verifying binary caches), and has a progress indicator. Example use: $ nix verify-paths --store https://cache.nixos.org -r $(type -p thunderbird) ... [17/132 checked] checking ‘/nix/store/rawakphadqrqxr6zri2rmnxh03gqkrl3-autogen-5.18.6’
2016-03-29 14:29:50 +02:00
PublicKeys getDefaultPublicKeys() {
PublicKeys publicKeys;
Use secret-key-files for verifying
2016-04-07 15:07:00 +02:00
// FIXME: filter duplicates
refactor(3p/nix): Apply clang-tidy's performance-* fixes This applies the performance fixes listed here: https://clang.llvm.org/extra/clang-tidy/checks/list.html
2020-05-20 23:58:43 +02:00
for (const auto& s : settings.trustedPublicKeys.get()) {
Add "nix verify-paths" command Unlike "nix-store --verify-path", this command verifies signatures in addition to store path contents, is multi-threaded (especially useful when verifying binary caches), and has a progress indicator. Example use: $ nix verify-paths --store https://cache.nixos.org -r $(type -p thunderbird) ... [17/132 checked] checking ‘/nix/store/rawakphadqrqxr6zri2rmnxh03gqkrl3-autogen-5.18.6’
2016-03-29 14:29:50 +02:00
PublicKey key(s);
publicKeys.emplace(key.name, key);
}
Use secret-key-files for verifying
2016-04-07 15:07:00 +02:00
refactor(3p/nix): Apply clang-tidy's performance-* fixes This applies the performance fixes listed here: https://clang.llvm.org/extra/clang-tidy/checks/list.html
2020-05-20 23:58:43 +02:00
for (const auto& secretKeyFile : settings.secretKeyFiles.get()) {
Use secret-key-files for verifying
2016-04-07 15:07:00 +02:00
try {
SecretKey secretKey(readFile(secretKeyFile));
publicKeys.emplace(secretKey.name, secretKey.toPublicKey());
} catch (SysError& e) {
/* Ignore unreadable key files. That's normal in a
multi-user installation. */
}
style(3p/nix): Reformat project in Google C++ style Reformatted with: fd . -e hh -e cc | xargs clang-format -i
2020-05-17 17:31:57 +02:00
}
Use secret-key-files for verifying
2016-04-07 15:07:00 +02:00
Add "nix verify-paths" command Unlike "nix-store --verify-path", this command verifies signatures in addition to store path contents, is multi-threaded (especially useful when verifying binary caches), and has a progress indicator. Example use: $ nix verify-paths --store https://cache.nixos.org -r $(type -p thunderbird) ... [17/132 checked] checking ‘/nix/store/rawakphadqrqxr6zri2rmnxh03gqkrl3-autogen-5.18.6’
2016-03-29 14:29:50 +02:00
return publicKeys;
}
Add C++ functions for .narinfo processing / signing This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
} // namespace nix
Reference in a new issue Copy permalink