Sign locally-built paths
Locally-built paths are now signed automatically using the secret keys specified by the ‘secret-key-files’ option.
This commit is contained in:
parent
dc82160164
commit
e39999ed48
3 changed files with 24 additions and 1 deletions
|
@ -2748,6 +2748,7 @@ void DerivationGoal::registerOutputs()
|
||||||
trusted. */
|
trusted. */
|
||||||
if (!info.ultimate) {
|
if (!info.ultimate) {
|
||||||
info.ultimate = true;
|
info.ultimate = true;
|
||||||
|
worker.store.signPathInfo(info);
|
||||||
worker.store.registerValidPaths({info});
|
worker.store.registerValidPaths({info});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2808,6 +2809,8 @@ void DerivationGoal::registerOutputs()
|
||||||
info.references = references;
|
info.references = references;
|
||||||
info.deriver = drvPath;
|
info.deriver = drvPath;
|
||||||
info.ultimate = true;
|
info.ultimate = true;
|
||||||
|
worker.store.signPathInfo(info);
|
||||||
|
|
||||||
infos.push_back(info);
|
infos.push_back(info);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -310,7 +310,7 @@ void LocalStore::openDB(bool create)
|
||||||
|
|
||||||
/* Prepare SQL statements. */
|
/* Prepare SQL statements. */
|
||||||
stmtRegisterValidPath.create(db,
|
stmtRegisterValidPath.create(db,
|
||||||
"insert into ValidPaths (path, hash, registrationTime, deriver, narSize, ultimate) values (?, ?, ?, ?, ?, ?);");
|
"insert into ValidPaths (path, hash, registrationTime, deriver, narSize, ultimate, sigs) values (?, ?, ?, ?, ?, ?, ?);");
|
||||||
stmtUpdatePathInfo.create(db,
|
stmtUpdatePathInfo.create(db,
|
||||||
"update ValidPaths set narSize = ?, hash = ?, ultimate = ?, sigs = ? where path = ?;");
|
"update ValidPaths set narSize = ?, hash = ?, ultimate = ?, sigs = ? where path = ?;");
|
||||||
stmtAddReference.create(db,
|
stmtAddReference.create(db,
|
||||||
|
@ -547,6 +547,7 @@ uint64_t LocalStore::addValidPath(const ValidPathInfo & info, bool checkOutputs)
|
||||||
(info.deriver, info.deriver != "")
|
(info.deriver, info.deriver != "")
|
||||||
(info.narSize, info.narSize != 0)
|
(info.narSize, info.narSize != 0)
|
||||||
(info.ultimate ? 1 : 0, info.ultimate)
|
(info.ultimate ? 1 : 0, info.ultimate)
|
||||||
|
(concatStringsSep(" ", info.sigs), !info.sigs.empty())
|
||||||
.exec();
|
.exec();
|
||||||
uint64_t id = sqlite3_last_insert_rowid(db);
|
uint64_t id = sqlite3_last_insert_rowid(db);
|
||||||
|
|
||||||
|
@ -1710,4 +1711,17 @@ void LocalStore::addSignatures(const Path & storePath, const StringSet & sigs)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
void LocalStore::signPathInfo(ValidPathInfo & info)
|
||||||
|
{
|
||||||
|
// FIXME: keep secret keys in memory.
|
||||||
|
|
||||||
|
auto secretKeyFiles = settings.get("secret-key-files", Strings());
|
||||||
|
|
||||||
|
for (auto & secretKeyFile : secretKeyFiles) {
|
||||||
|
SecretKey secretKey(readFile(secretKeyFile));
|
||||||
|
info.sign(secretKey);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -301,6 +301,12 @@ private:
|
||||||
// Internal versions that are not wrapped in retry_sqlite.
|
// Internal versions that are not wrapped in retry_sqlite.
|
||||||
bool isValidPath_(const Path & path);
|
bool isValidPath_(const Path & path);
|
||||||
void queryReferrers_(const Path & path, PathSet & referrers);
|
void queryReferrers_(const Path & path, PathSet & referrers);
|
||||||
|
|
||||||
|
/* Add signatures to a ValidPathInfo using the secret keys
|
||||||
|
specified by the ‘secret-key-files’ option. */
|
||||||
|
void signPathInfo(ValidPathInfo & info);
|
||||||
|
|
||||||
|
friend class DerivationGoal;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue