Move signatures from NarInfo to ValidPathInfo
This allows queryPathInfo() to return signatures.
This commit is contained in:
parent
cebc150b7c
commit
712b616a84
4 changed files with 21 additions and 11 deletions
|
@ -126,8 +126,8 @@ NarInfo BinaryCacheStore::readNarInfo(const Path & storePath)
|
||||||
stats.narInfoRead++;
|
stats.narInfoRead++;
|
||||||
|
|
||||||
if (publicKeys) {
|
if (publicKeys) {
|
||||||
if (!narInfo->checkSignature(*publicKeys))
|
if (!narInfo->checkSignatures(*publicKeys))
|
||||||
throw Error(format("invalid signature on NAR info file ‘%1%’") % narInfoFile);
|
throw Error(format("no good signature on NAR info file ‘%1%’") % narInfoFile);
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
|
|
|
@ -66,7 +66,7 @@ NarInfo::NarInfo(const std::string & s, const std::string & whence)
|
||||||
else if (name == "System")
|
else if (name == "System")
|
||||||
system = value;
|
system = value;
|
||||||
else if (name == "Sig")
|
else if (name == "Sig")
|
||||||
sig = value;
|
sigs.insert(value);
|
||||||
|
|
||||||
pos = eol + 1;
|
pos = eol + 1;
|
||||||
}
|
}
|
||||||
|
@ -98,7 +98,7 @@ std::string NarInfo::to_string() const
|
||||||
if (!system.empty())
|
if (!system.empty())
|
||||||
res += "System: " + system + "\n";
|
res += "System: " + system + "\n";
|
||||||
|
|
||||||
if (!sig.empty())
|
for (auto sig : sigs)
|
||||||
res += "Sig: " + sig + "\n";
|
res += "Sig: " + sig + "\n";
|
||||||
|
|
||||||
return res;
|
return res;
|
||||||
|
@ -123,12 +123,16 @@ Strings NarInfo::shortRefs() const
|
||||||
|
|
||||||
void NarInfo::sign(const SecretKey & secretKey)
|
void NarInfo::sign(const SecretKey & secretKey)
|
||||||
{
|
{
|
||||||
sig = secretKey.signDetached(fingerprint());
|
sigs.insert(secretKey.signDetached(fingerprint()));
|
||||||
}
|
}
|
||||||
|
|
||||||
bool NarInfo::checkSignature(const PublicKeys & publicKeys) const
|
unsigned int NarInfo::checkSignatures(const PublicKeys & publicKeys) const
|
||||||
{
|
{
|
||||||
return sig != "" && verifyDetached(fingerprint(), sig, publicKeys);
|
unsigned int good = 0;
|
||||||
|
for (auto & sig : sigs)
|
||||||
|
if (verifyDetached(fingerprint(), sig, publicKeys))
|
||||||
|
good++;
|
||||||
|
return good;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -13,7 +13,6 @@ struct NarInfo : ValidPathInfo
|
||||||
Hash fileHash;
|
Hash fileHash;
|
||||||
uint64_t fileSize = 0;
|
uint64_t fileSize = 0;
|
||||||
std::string system;
|
std::string system;
|
||||||
std::string sig; // FIXME: support multiple signatures
|
|
||||||
|
|
||||||
NarInfo() { }
|
NarInfo() { }
|
||||||
NarInfo(const ValidPathInfo & info) : ValidPathInfo(info) { }
|
NarInfo(const ValidPathInfo & info) : ValidPathInfo(info) { }
|
||||||
|
@ -31,9 +30,9 @@ struct NarInfo : ValidPathInfo
|
||||||
|
|
||||||
void sign(const SecretKey & secretKey);
|
void sign(const SecretKey & secretKey);
|
||||||
|
|
||||||
/* Return true iff this .narinfo is signed by one of the specified
|
/* Return the number of signatures on this .narinfo that were
|
||||||
keys. */
|
produced by one of the specified keys. */
|
||||||
bool checkSignature(const PublicKeys & publicKeys) const;
|
unsigned int checkSignatures(const PublicKeys & publicKeys) const;
|
||||||
|
|
||||||
private:
|
private:
|
||||||
|
|
||||||
|
|
|
@ -98,6 +98,13 @@ struct ValidPathInfo
|
||||||
unsigned long long narSize = 0; // 0 = unknown
|
unsigned long long narSize = 0; // 0 = unknown
|
||||||
unsigned long long id; // internal use only
|
unsigned long long id; // internal use only
|
||||||
|
|
||||||
|
/* Whether the path is ultimately trusted, that is, it was built
|
||||||
|
locally or is content-addressable (e.g. added via addToStore()
|
||||||
|
or the result of a fixed-output derivation). */
|
||||||
|
bool ultimate = false;
|
||||||
|
|
||||||
|
StringSet sigs; // note: not necessarily verified
|
||||||
|
|
||||||
bool operator == (const ValidPathInfo & i) const
|
bool operator == (const ValidPathInfo & i) const
|
||||||
{
|
{
|
||||||
return
|
return
|
||||||
|
|
Loading…
Reference in a new issue