author | Eelco Dolstra <edolstra@gmail.com> | 2017-11-20T18·02+0100 |
---|---|---|
committer | Eelco Dolstra <edolstra@gmail.com> | 2017-11-20T18·02+0100 |
commit | 0c9718aabc2dda4647e29213a26708eacd71e963 (patch) | |
tree | cc2075cba2681c52c2c4b3812cadf39fc195e891 | |
parent | 8df60b4ea8fab5fd3571e55de95a4b956f0f6105 (diff) |
Add tests for signature checking when copying between local stores
-rw-r--r-- | tests/signing.sh | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/tests/signing.sh b/tests/signing.sh
index 39aaa1e765bb..221dfa35ec01 100644
--- a/tests/signing.sh
+++ b/tests/signing.sh
@@ -66,3 +66,23 @@ nix sign-paths --store file://$cacheDir --key-file $TEST_ROOT/sk2 $outPath2
 info=$(nix path-info --store file://$cacheDir --json $outPath2)
 [[ $info =~ 'cache1.example.org' ]]
 [[ $info =~ 'cache2.example.org' ]]
+
+# Copying to a diverted store should fail due to a lack of valid signatures.
+chmod -R u+w $TEST_ROOT/store0 || true
+rm -rf $TEST_ROOT/store0
+(! nix copy --to $TEST_ROOT/store0 $outPath)
+
+# But succeed if we supply the public keys.
+(nix copy --to $TEST_ROOT/store0 $outPath --trusted-public-keys $pk1)
+
+expect 2 nix verify --store $TEST_ROOT/store0 -r $outPath
+
+nix verify --store $TEST_ROOT/store0 -r $outPath --trusted-public-keys $pk1
+nix verify --store $TEST_ROOT/store0 -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
+
+# It should also succeed if we disable signature checking.
+(! nix copy --to $TEST_ROOT/store0 $outPath2)
+nix copy --to $TEST_ROOT/store0?require-sigs=false $outPath2
+
+# But signatures should still get copied.
+nix verify --store $TEST_ROOT/store0 -r $outPath2 --trusted-public-keys $pk1 |
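Review bot: The two negative checks, `(! nix copy --to $TEST_ROOT/store0 $outPath)` and the later one for `$outPath2`, pass on any non-zero exit, so a copy that fails for an unrelated reason (an unwritable or half-removed `store0`, a bad path) would satisfy the test without signature enforcement ever being exercised. Following each with an assertion that the path did not land in the destination, something like `(! nix path-info --store $TEST_ROOT/store0 $outPath)`, would tie the failure to the store's contents; pinning the exit status with the `expect` helper used on the `nix verify` line would tighten it further if `nix copy` has a distinct status for this case, which the hunk does not show. Separately, `$TEST_ROOT/store0?require-sigs=false` is unquoted and `?` is a glob character, so `"$TEST_ROOT/store0?require-sigs=false"` is the safer spelling. `$outPath`, `$pk1` and `$pk2` are defined outside the hunk.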