about summary refs log tree commit diff
diff options
context:
space:
mode:
authorEelco Dolstra <eelco.dolstra@logicblox.com>2016-05-30T11·55+0200
committerEelco Dolstra <eelco.dolstra@logicblox.com>2016-05-30T13·18+0200
commit3593c8285dec644f07156496fd8cd84ef70ec665 (patch)
tree9ad57876fc842299c6a8948840d05437c12df945
parent12ddbad45893f125e2ab46c5e26d7c8396b31bdb (diff)
Re-implement binary cache signature checking
This is now done in LocalStore::addToStore(), rather than in the
binary cache substituter (which no longer exists).
-rw-r--r--src/libstore/local-store.cc5
-rw-r--r--src/libstore/local-store.hh4
-rw-r--r--tests/binary-cache.sh2
3 files changed, 10 insertions, 1 deletions
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index 8608b39ec5bd..b44384957ca6 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -58,6 +58,8 @@ LocalStore::LocalStore()
     : linksDir(settings.nixStore + "/.links")
     , reservedPath(settings.nixDBPath + "/reserved")
     , schemaPath(settings.nixDBPath + "/schema")
+    , requireSigs(settings.get("signed-binary-caches", std::string("")) != "") // FIXME: rename option
+    , publicKeys(getDefaultPublicKeys())
 {
     auto state(_state.lock());
 
@@ -909,6 +911,9 @@ void LocalStore::addToStore(const ValidPathInfo & info, const std::string & nar,
         throw Error(format("hash mismatch importing path ‘%s’; expected hash ‘%s’, got ‘%s’") %
             info.path % info.narHash.to_string() % h.to_string());
 
+    if (requireSigs && !info.checkSignatures(publicKeys))
+        throw Error(format("cannot import path ‘%s’ because it lacks a valid signature") % info.path);
+
     addTempRoot(info.path);
 
     if (repair || !isValidPath(info.path)) {
diff --git a/src/libstore/local-store.hh b/src/libstore/local-store.hh
index e714f8e0feb1..8de58cea8e43 100644
--- a/src/libstore/local-store.hh
+++ b/src/libstore/local-store.hh
@@ -77,6 +77,10 @@ private:
     const Path reservedPath;
     const Path schemaPath;
 
+    bool requireSigs;
+
+    PublicKeys publicKeys;
+
 public:
 
     /* Initialise the local store, upgrading the schema if
diff --git a/tests/binary-cache.sh b/tests/binary-cache.sh
index cadd634a2a32..b0b91905ad9e 100644
--- a/tests/binary-cache.sh
+++ b/tests/binary-cache.sh
@@ -85,7 +85,7 @@ clearStore
 rm $(grep -l "StorePath:.*dependencies-input-2" $cacheDir/*.narinfo)
 
 nix-build --option binary-caches "file://$cacheDir" dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log
-grep -q "Downloading" $TEST_ROOT/log
+grep -q "fetching path" $TEST_ROOT/log
 
 
 if [ -n "$HAVE_SODIUM" ]; then