From 3593c8285dec644f07156496fd8cd84ef70ec665 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 30 May 2016 13:55:09 +0200 Subject: [PATCH] Re-implement binary cache signature checking This is now done in LocalStore::addToStore(), rather than in the binary cache substituter (which no longer exists). --- src/libstore/local-store.cc | 5 +++++ src/libstore/local-store.hh | 4 ++++ tests/binary-cache.sh | 2 +- 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index 8608b39ec..b44384957 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -58,6 +58,8 @@ LocalStore::LocalStore() : linksDir(settings.nixStore + "/.links") , reservedPath(settings.nixDBPath + "/reserved") , schemaPath(settings.nixDBPath + "/schema") + , requireSigs(settings.get("signed-binary-caches", std::string("")) != "") // FIXME: rename option + , publicKeys(getDefaultPublicKeys()) { auto state(_state.lock()); @@ -909,6 +911,9 @@ void LocalStore::addToStore(const ValidPathInfo & info, const std::string & nar, throw Error(format("hash mismatch importing path ‘%s’; expected hash ‘%s’, got ‘%s’") % info.path % info.narHash.to_string() % h.to_string()); + if (requireSigs && !info.checkSignatures(publicKeys)) + throw Error(format("cannot import path ‘%s’ because it lacks a valid signature") % info.path); + addTempRoot(info.path); if (repair || !isValidPath(info.path)) { diff --git a/src/libstore/local-store.hh b/src/libstore/local-store.hh index e714f8e0f..8de58cea8 100644 --- a/src/libstore/local-store.hh +++ b/src/libstore/local-store.hh @@ -77,6 +77,10 @@ private: const Path reservedPath; const Path schemaPath; + bool requireSigs; + + PublicKeys publicKeys; + public: /* Initialise the local store, upgrading the schema if diff --git a/tests/binary-cache.sh b/tests/binary-cache.sh index cadd634a2..b0b91905a 100644 --- a/tests/binary-cache.sh +++ b/tests/binary-cache.sh @@ -85,7 +85,7 @@ clearStore rm $(grep -l "StorePath:.*dependencies-input-2" $cacheDir/*.narinfo) nix-build --option binary-caches "file://$cacheDir" dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log -grep -q "Downloading" $TEST_ROOT/log +grep -q "fetching path" $TEST_ROOT/log if [ -n "$HAVE_SODIUM" ]; then