author | Eelco Dolstra <edolstra@gmail.com> | 2017-11-14T17·44+0100 |
---|---|---|
committer | Eelco Dolstra <edolstra@gmail.com> | 2017-11-14T17·44+0100 |
commit | ec5b04862ba48e6d7e61c8bf730ae37d48b6f70a (patch) | |
tree | b904eb55d71ee13ebdee6cab728fae69bd474b79 | |
parent | d6dbda7004fda4af1fc89c5c947b4d1595a8c436 (diff) |
nix sign-paths: Support binary caches
-rw-r--r-- | src/libstore/binary-cache-store.cc | 47 | ||||
-rw-r--r-- | src/libstore/binary-cache-store.hh | 5 | ||||
-rw-r--r-- | tests/signing.sh | 6 |
3 files changed, 43 insertions, 15 deletions
diff --git a/src/libstore/binary-cache-store.cc b/src/libstore/binary-cache-store.cc
index 93caba67ea94..68af85bf16d9 100644
--- a/src/libstore/binary-cache-store.cc
+++ b/src/libstore/binary-cache-store.cc
@@ -73,6 +73,23 @@ Path BinaryCacheStore::narInfoFileFor(const Path & storePath)
 return storePathToHash(storePath) + ".narinfo";
 }
+void BinaryCacheStore::writeNarInfo(ref<NarInfo> narInfo)
+{
+ auto narInfoFile = narInfoFileFor(narInfo->path);
+
+ upsertFile(narInfoFile, narInfo->to_string(), "text/x-nix-narinfo");
+
+ auto hashPart = storePathToHash(narInfo->path);
+
+ {
+ auto state_(state.lock());
+ state_->pathInfoCache.upsert(hashPart, std::shared_ptr<NarInfo>(narInfo));
+ }
+
+ if (diskCache)
+ diskCache->upsertNarInfo(getUri(), hashPart, std::shared_ptr<NarInfo>(narInfo));
+}
+
 void BinaryCacheStore::addToStore(const ValidPathInfo & info, const ref<std::string> & nar, RepairFlag repair, CheckSigsFlag checkSigs, std::shared_ptr<FSAccessor> accessor)
 {
@@ -89,8 +106,6 @@ void BinaryCacheStore::addToStore(const ValidPathInfo & info, const ref<std::str
 % info.path % ref);
 }
- auto narInfoFile = narInfoFileFor(info.path);
-
 assert(nar->compare(0, narMagic.size(), narMagic) == 0);
 auto narInfo = make_ref<NarInfo>(info);
@@ -168,17 +183,7 @@ void BinaryCacheStore::addToStore(const ValidPathInfo & info, const ref<std::str
 /* Atomically write the NAR info file.*/
 if (secretKey) narInfo->sign(*secretKey);
- upsertFile(narInfoFile, narInfo->to_string(), "text/x-nix-narinfo");
-
- auto hashPart = storePathToHash(narInfo->path);
-
- {
- auto state_(state.lock());
- state_->pathInfoCache.upsert(hashPart, std::shared_ptr<NarInfo>(narInfo));
- }
-
- if (diskCache)
- diskCache->upsertNarInfo(getUri(), hashPart, std::shared_ptr<NarInfo>(narInfo));
+ writeNarInfo(narInfo);
 stats.narInfoWrite++;
 }
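Review bot: `stats.narInfoWrite++` stays behind in addToStore() (the hunk at -168) while the upload itself moves into the new writeNarInfo() in the first hunk, so .narinfo writes issued through any other caller of writeNarInfo() are not counted. Moving the increment to the end of writeNarInfo(), after the diskCache update, and dropping it from addToStore() would keep the statistic accurate for every caller. The rest of writeNarInfo() is a verbatim move of the removed lines, so the upload still happens before pathInfoCache and diskCache are updated. addToStore()'s body continues outside these hunks.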
@@ -293,6 +298,22 @@ ref<FSAccessor> BinaryCacheStore::getFSAccessor()
 return make_ref<RemoteFSAccessor>(ref<Store>(shared_from_this()), localNarCache);
 }
+void BinaryCacheStore::addSignatures(const Path & storePath, const StringSet & sigs)
+{
+ /* Note: this is inherently racy since there is no locking on
+ binary caches. In particular, with S3 this unreliable, even
+ when addSignatures() is called sequentially on a path, because
+ S3 might return an outdated cached version. */
+
+ auto narInfo = make_ref<NarInfo>((NarInfo &) *queryPathInfo(storePath));
+
+ narInfo->sigs.insert(sigs.begin(), sigs.end());
+
+ auto narInfoFile = narInfoFileFor(narInfo->path);
+
+ writeNarInfo(narInfo);
+}
+
 std::shared_ptr<std::string> BinaryCacheStore::getBuildLog(const Path & path)
 {
 Path drvPath;
diff --git a/src/libstore/binary-cache-store.hh b/src/libstore/binary-cache-store.hh
index d3b0e0bd9332..8492ff600eba 100644
--- a/src/libstore/binary-cache-store.hh
+++ b/src/libstore/binary-cache-store.hh
@@ -59,6 +59,8 @@ private:
 std::string narInfoFileFor(const Path & storePath);
+ void writeNarInfo(ref<NarInfo> narInfo);
+
 public:
 bool isValidPathUncached(const Path & path) override;
@@ -119,8 +121,7 @@ public:
 ref<FSAccessor> getFSAccessor() override;
- void addSignatures(const Path & storePath, const StringSet & sigs) override
- { unsupported(); }
+ void addSignatures(const Path & storePath, const StringSet & sigs) override;
 std::shared_ptr<std::string> getBuildLog(const Path & path) override;
diff --git a/tests/signing.sh b/tests/signing.sh
index c3638012e109..bef27ac7a58e 100644
--- a/tests/signing.sh
+++ b/tests/signing.sh
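Review bot: The C-style cast in `make_ref<NarInfo>((NarInfo &) *queryPathInfo(storePath))` is an unchecked downcast, so if queryPathInfo() ever returns a path-info object that is not a NarInfo, addSignatures() copies from a mistyped object and then uploads the result. A checked form such as `auto narInfo = make_ref<NarInfo>(dynamic_cast<const NarInfo &>(*queryPathInfo(storePath)));` fails loudly instead; this assumes the path-info base type is polymorphic, which the hunk does not show. The local `narInfoFile` is computed and never used, because writeNarInfo() derives the file name itself, so that line can be dropped. The entries of `sigs` are merged and published without any check in this function; if validation is deliberately left to clients checking against their trusted keys, a one-line comment saying so would help.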
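Review bot: The new private declaration `void writeNarInfo(ref<NarInfo> narInfo);` in the -59 hunk carries no comment, and its contract matters for signing. Per the definition in binary-cache-store.cc it uploads the narinfo exactly as given and then refreshes pathInfoCache and diskCache, without signing or checking signatures itself. Suggest adding `/* Upload 'narInfo' as-is and update the in-memory and disk caches; callers must sign beforehand. */` above the declaration.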
@@ -60,3 +60,9 @@ info=$(nix path-info --store file://$cacheDir --json $outPath2)
 (! [[ $info =~ '"ultimate":true' ]])
 [[ $info =~ 'cache1.example.org' ]]
 (! [[ $info =~ 'cache2.example.org' ]])
+
+# Verify that adding a signature to a path in a binary cache works.
+nix sign-paths --store file://$cacheDir --key-file $TEST_ROOT/sk2 $outPath2
+info=$(nix path-info --store file://$cacheDir --json $outPath2)
+[[ $info =~ 'cache1.example.org' ]]
+[[ $info =~ 'cache2.example.org' ]] |
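Review bot: The two added assertions only match the key names as substrings of the `nix path-info --json` output, so they pass whenever a signature string carrying `cache2.example.org` is stored, whether or not that signature actually verifies. Since the feature publishes signatures that clients will later trust, the test would be stronger if it also verified `$outPath2` from `file://$cacheDir` against the public key that belongs to `sk2`, assuming the script creates one earlier, which is outside this hunk. The unquoted `$cacheDir`, `$TEST_ROOT` and `$outPath2` follow the existing lines but would break on a path containing spaces.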