binary-cache-public-keys -> trusted-public-keys
The name had become a misnomer since it's not only for substitution from binary caches, but when adding/copying any (non-content-addressed) path to a store.
This commit is contained in:
parent
ea94a87493
commit
7a2b64e55c
5 changed files with 20 additions and 19 deletions
|
@ -406,17 +406,17 @@ false</literal>.</para>
|
||||||
|
|
||||||
<listitem><para>If set to <literal>*</literal> (the default), Nix
|
<listitem><para>If set to <literal>*</literal> (the default), Nix
|
||||||
will only download binaries if they are signed using one of the
|
will only download binaries if they are signed using one of the
|
||||||
keys listed in <option>binary-cache-public-keys</option>. Set to
|
keys listed in <option>trusted-public-keys</option>. Set to
|
||||||
the empty string to disable signature checking.</para></listitem>
|
the empty string to disable signature checking.</para></listitem>
|
||||||
|
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|
||||||
<varlistentry><term><literal>binary-cache-public-keys</literal></term>
|
<varlistentry><term><literal>trusted-public-keys</literal></term>
|
||||||
|
|
||||||
<listitem><para>A whitespace-separated list of public keys
|
<listitem><para>A whitespace-separated list of public keys. When
|
||||||
corresponding to the secret keys trusted to sign binary
|
paths are copied from another Nix store (such as a binary cache),
|
||||||
caches. For example:
|
they must be signed with one of these keys. For example:
|
||||||
<literal>cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
|
<literal>cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
|
||||||
hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=</literal>.</para></listitem>
|
hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=</literal>.</para></listitem>
|
||||||
|
|
||||||
|
|
|
@ -105,7 +105,7 @@ PublicKeys getDefaultPublicKeys()
|
||||||
|
|
||||||
// FIXME: filter duplicates
|
// FIXME: filter duplicates
|
||||||
|
|
||||||
for (auto s : settings.binaryCachePublicKeys.get()) {
|
for (auto s : settings.trustedPublicKeys.get()) {
|
||||||
PublicKey key(s);
|
PublicKey key(s);
|
||||||
publicKeys.emplace(key.name, key);
|
publicKeys.emplace(key.name, key);
|
||||||
}
|
}
|
||||||
|
|
|
@ -259,10 +259,11 @@ public:
|
||||||
Setting<bool> enforceDeterminism{this, true, "enforce-determinism",
|
Setting<bool> enforceDeterminism{this, true, "enforce-determinism",
|
||||||
"Whether to fail if repeated builds produce different output."};
|
"Whether to fail if repeated builds produce different output."};
|
||||||
|
|
||||||
Setting<Strings> binaryCachePublicKeys{this,
|
Setting<Strings> trustedPublicKeys{this,
|
||||||
{"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="},
|
{"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="},
|
||||||
"binary-cache-public-keys",
|
"trusted-public-keys",
|
||||||
"Trusted public keys for secure substitution."};
|
"Trusted public keys for secure substitution.",
|
||||||
|
{"binary-cache-public-keys"}};
|
||||||
|
|
||||||
Setting<Strings> secretKeyFiles{this, {}, "secret-key-files",
|
Setting<Strings> secretKeyFiles{this, {}, "secret-key-files",
|
||||||
"Secret keys with which to sign local builds."};
|
"Secret keys with which to sign local builds."};
|
||||||
|
|
|
@ -131,11 +131,11 @@ clearCacheCache
|
||||||
clearStore
|
clearStore
|
||||||
clearCacheCache
|
clearCacheCache
|
||||||
|
|
||||||
(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$badKey")
|
(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$badKey")
|
||||||
|
|
||||||
|
|
||||||
# It should succeed if we provide the correct key.
|
# It should succeed if we provide the correct key.
|
||||||
nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$otherKey $publicKey"
|
nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$otherKey $publicKey"
|
||||||
|
|
||||||
|
|
||||||
# It should fail if we corrupt the .narinfo.
|
# It should fail if we corrupt the .narinfo.
|
||||||
|
@ -152,10 +152,10 @@ done
|
||||||
|
|
||||||
clearCacheCache
|
clearCacheCache
|
||||||
|
|
||||||
(! nix-store -r $outPath --option binary-caches "file://$cacheDir2" --option signed-binary-caches '*' --option binary-cache-public-keys "$publicKey")
|
(! nix-store -r $outPath --option binary-caches "file://$cacheDir2" --option signed-binary-caches '*' --option trusted-public-keys "$publicKey")
|
||||||
|
|
||||||
# If we provide a bad and a good binary cache, it should succeed.
|
# If we provide a bad and a good binary cache, it should succeed.
|
||||||
|
|
||||||
nix-store -r $outPath --option binary-caches "file://$cacheDir2 file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$publicKey"
|
nix-store -r $outPath --option binary-caches "file://$cacheDir2 file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$publicKey"
|
||||||
|
|
||||||
fi # HAVE_LIBSODIUM
|
fi # HAVE_LIBSODIUM
|
||||||
|
|
|
@ -22,13 +22,13 @@ nix verify -r $outPath
|
||||||
|
|
||||||
expect 2 nix verify -r $outPath --sigs-needed 1
|
expect 2 nix verify -r $outPath --sigs-needed 1
|
||||||
|
|
||||||
nix verify -r $outPath --sigs-needed 1 --binary-cache-public-keys $pk1
|
nix verify -r $outPath --sigs-needed 1 --trusted-public-keys $pk1
|
||||||
|
|
||||||
expect 2 nix verify -r $outPath --sigs-needed 2 --binary-cache-public-keys $pk1
|
expect 2 nix verify -r $outPath --sigs-needed 2 --trusted-public-keys $pk1
|
||||||
|
|
||||||
nix verify -r $outPath --sigs-needed 2 --binary-cache-public-keys "$pk1 $pk2"
|
nix verify -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
|
||||||
|
|
||||||
nix verify --all --sigs-needed 2 --binary-cache-public-keys "$pk1 $pk2"
|
nix verify --all --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
|
||||||
|
|
||||||
# Build something unsigned.
|
# Build something unsigned.
|
||||||
outPath2=$(nix-build simple.nix --no-out-link)
|
outPath2=$(nix-build simple.nix --no-out-link)
|
||||||
|
@ -45,12 +45,12 @@ nix verify -r $outPath2
|
||||||
|
|
||||||
expect 2 nix verify -r $outPath2 --sigs-needed 1
|
expect 2 nix verify -r $outPath2 --sigs-needed 1
|
||||||
|
|
||||||
expect 2 nix verify -r $outPath2 --sigs-needed 1 --binary-cache-public-keys $pk1
|
expect 2 nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
|
||||||
|
|
||||||
# Test "nix sign-paths".
|
# Test "nix sign-paths".
|
||||||
nix sign-paths --key-file $TEST_ROOT/sk1 $outPath2
|
nix sign-paths --key-file $TEST_ROOT/sk1 $outPath2
|
||||||
|
|
||||||
nix verify -r $outPath2 --sigs-needed 1 --binary-cache-public-keys $pk1
|
nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
|
||||||
|
|
||||||
# Copy to a binary cache.
|
# Copy to a binary cache.
|
||||||
nix copy --to file://$cacheDir $outPath2
|
nix copy --to file://$cacheDir $outPath2
|
||||||
|
|
Loading…
Reference in a new issue