Sign locally-built paths
Locally-built paths are now signed automatically using the secret keys specified by the ‘secret-key-files’ option.
This commit is contained in:
parent
dc82160164
commit
e39999ed48
3 changed files with 24 additions and 1 deletions
|
@ -2748,6 +2748,7 @@ void DerivationGoal::registerOutputs()
|
|||
trusted. */
|
||||
if (!info.ultimate) {
|
||||
info.ultimate = true;
|
||||
worker.store.signPathInfo(info);
|
||||
worker.store.registerValidPaths({info});
|
||||
}
|
||||
|
||||
|
@ -2808,6 +2809,8 @@ void DerivationGoal::registerOutputs()
|
|||
info.references = references;
|
||||
info.deriver = drvPath;
|
||||
info.ultimate = true;
|
||||
worker.store.signPathInfo(info);
|
||||
|
||||
infos.push_back(info);
|
||||
}
|
||||
|
||||
|
|
|
@ -310,7 +310,7 @@ void LocalStore::openDB(bool create)
|
|||
|
||||
/* Prepare SQL statements. */
|
||||
stmtRegisterValidPath.create(db,
|
||||
"insert into ValidPaths (path, hash, registrationTime, deriver, narSize, ultimate) values (?, ?, ?, ?, ?, ?);");
|
||||
"insert into ValidPaths (path, hash, registrationTime, deriver, narSize, ultimate, sigs) values (?, ?, ?, ?, ?, ?, ?);");
|
||||
stmtUpdatePathInfo.create(db,
|
||||
"update ValidPaths set narSize = ?, hash = ?, ultimate = ?, sigs = ? where path = ?;");
|
||||
stmtAddReference.create(db,
|
||||
|
@ -547,6 +547,7 @@ uint64_t LocalStore::addValidPath(const ValidPathInfo & info, bool checkOutputs)
|
|||
(info.deriver, info.deriver != "")
|
||||
(info.narSize, info.narSize != 0)
|
||||
(info.ultimate ? 1 : 0, info.ultimate)
|
||||
(concatStringsSep(" ", info.sigs), !info.sigs.empty())
|
||||
.exec();
|
||||
uint64_t id = sqlite3_last_insert_rowid(db);
|
||||
|
||||
|
@ -1710,4 +1711,17 @@ void LocalStore::addSignatures(const Path & storePath, const StringSet & sigs)
|
|||
}
|
||||
|
||||
|
||||
void LocalStore::signPathInfo(ValidPathInfo & info)
|
||||
{
|
||||
// FIXME: keep secret keys in memory.
|
||||
|
||||
auto secretKeyFiles = settings.get("secret-key-files", Strings());
|
||||
|
||||
for (auto & secretKeyFile : secretKeyFiles) {
|
||||
SecretKey secretKey(readFile(secretKeyFile));
|
||||
info.sign(secretKey);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
|
|
@ -301,6 +301,12 @@ private:
|
|||
// Internal versions that are not wrapped in retry_sqlite.
|
||||
bool isValidPath_(const Path & path);
|
||||
void queryReferrers_(const Path & path, PathSet & referrers);
|
||||
|
||||
/* Add signatures to a ValidPathInfo using the secret keys
|
||||
specified by the ‘secret-key-files’ option. */
|
||||
void signPathInfo(ValidPathInfo & info);
|
||||
|
||||
friend class DerivationGoal;
|
||||
};
|
||||
|
||||
|
||||
|
|
Loading…
Reference in a new issue