authorEelco Dolstra <edolstra@gmail.com>2017-11-20T16·44+0100
committerEelco Dolstra <edolstra@gmail.com>2017-11-20T16·44+0100
commit91a19876073a2ed8fef2139fba906cfac1e96f83 (patch)
tree6f1bd48a8127d19a20d5b877c946f2a49d985f63
parentd0b88db44138c6348bb8ed587286f6016ea11f4a (diff)
signed-binary-caches -> require-sigs
Unlike signed-binary-caches (which could only be '*' or ''),
require-sigs is a proper Boolean option. The default is true.
-rw-r--r--doc/manual/command-ref/conf-file.xml13
-rw-r--r--src/libstore/globals.hh5
-rw-r--r--src/libstore/local-store.hh2
-rw-r--r--tests/binary-cache.sh18
-rw-r--r--tests/repair.sh4
5 files changed, 25 insertions, 17 deletions
diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml
index a28f70899141..c3a9cc56063a 100644
--- a/doc/manual/command-ref/conf-file.xml
+++ b/doc/manual/command-ref/conf-file.xml
@@ -402,12 +402,15 @@ false</literal>.</para>
   </varlistentry>
 
 
-  <varlistentry><term><literal>signed-binary-caches</literal></term>
+  <varlistentry><term><literal>require-sigs</literal></term>
 
-    <listitem><para>If set to <literal>*</literal> (the default), Nix
-    will only download binaries if they are signed using one of the
-    keys listed in <option>trusted-public-keys</option>. Set to
-    the empty string to disable signature checking.</para></listitem>
+    <listitem><para>If set to <literal>true</literal> (the default),
+    any non-content-addressed path added or copied to the Nix store
+    (e.g. when substituting from a binary cache) must have a valid
+    signature, that is, be signed using one of the keys listed in
+    <option>trusted-public-keys</option>. Set to
+    <literal>false</literal> to disable signature
+    checking.</para></listitem>
 
   </varlistentry>
 
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 70c01bb32665..5c857cbb6a9c 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -281,6 +281,11 @@ public:
     Setting<std::string> signedBinaryCaches{this, "*", "signed-binary-caches",
         "Obsolete."};
 
+    Setting<bool> requireSigs{this, signedBinaryCaches == "*", "require-sigs",
+        "Whether to check that any non-content-addressed path added to the "
+        "Nix store has a valid signature (that is, one signed using a key "
+        "listed in 'trusted-public-keys'."};
+
     Setting<Strings> substituters{this,
         nixStore == "/nix/store" ? Strings{"https://cache.nixos.org/"} : Strings(),
         "substituters",
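Review bot: The default `signedBinaryCaches == "*"` on the added `requireSigs` setting is a member initializer, so it is evaluated once when the settings object is constructed; at that point `signedBinaryCaches` still holds its own default `"*"`, and the expression presumably always yields true rather than following a `signed-binary-caches` value read later from the configuration. That is fail-closed, but it reads as if the obsolete option still controlled signature checking. Writing `Setting<bool> requireSigs{this, true, "require-sigs",` with a comment such as `// signed-binary-caches is obsolete and no longer influences this default` would state what actually happens. The help string also has an unclosed parenthesis; its last line should read `"listed in 'trusted-public-keys')."};`. The enclosing class starts and ends outside the hunk.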
diff --git a/src/libstore/local-store.hh b/src/libstore/local-store.hh
index 0a3841133e5d..d35cd1a949eb 100644
--- a/src/libstore/local-store.hh
+++ b/src/libstore/local-store.hh
@@ -97,7 +97,7 @@ public:
 private:
 
     Setting<bool> requireSigs{(Store*) this,
-        settings.signedBinaryCaches != "", // FIXME
+        settings.requireSigs,
         "require-sigs", "whether store paths should have a trusted signature on import"};
 
     PublicKeys publicKeys;
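Review bot: The store-level `requireSigs` member takes `settings.requireSigs` as its default once, when the store object is constructed, so a later change to the global setting would not reach an already-constructed store, and a per-store `require-sigs` parameter presumably overrides the global value. Because this flag decides whether unsigned paths are accepted on import, that precedence deserves a comment above the member, e.g. `// Default is the global require-sigs value at construction; a per-store require-sigs parameter overrides it.` The description string here ("whether store paths should have a trusted signature on import") also differs from the one added in globals.hh for the same option name and could be aligned with it. The enclosing class starts and ends outside the hunk.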
diff --git a/tests/binary-cache.sh b/tests/binary-cache.sh
index f7c0b2f78916..dd8dae687e9c 100644
--- a/tests/binary-cache.sh
+++ b/tests/binary-cache.sh
@@ -18,7 +18,7 @@ basicTests() {
 
     nix-env --option binary-caches "file://$cacheDir" -f dependencies.nix -qas \* | grep -- "---"
 
-    nix-store --option binary-caches "file://$cacheDir" --option signed-binary-caches '' -r $outPath
+    nix-store --option binary-caches "file://$cacheDir" --no-require-sigs -r $outPath
 
     [ -x $outPath/program ]
 
@@ -34,7 +34,7 @@ basicTests() {
     x=$(nix-env -f dependencies.nix -qas \* --prebuilt-only)
     [ -z "$x" ]
 
-    nix-store --option binary-caches "file://$cacheDir" --option signed-binary-caches '' -r $outPath
+    nix-store --option binary-caches "file://$cacheDir" --no-require-sigs -r $outPath
 
     nix-store --check-validity $outPath
     nix-store -qR $outPath | grep input-2
@@ -63,7 +63,7 @@ mv $nar $nar.good
 mkdir -p $TEST_ROOT/empty
 nix-store --dump $TEST_ROOT/empty | xz > $nar
 
-nix-build --option binary-caches "file://$cacheDir" --option signed-binary-caches '' dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log
+nix-build --option binary-caches "file://$cacheDir" --no-require-sigs dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log
 grep -q "hash mismatch" $TEST_ROOT/log
 
 mv $nar.good $nar
@@ -99,7 +99,7 @@ clearStore
 
 rm $(grep -l "StorePath:.*dependencies-input-2" $cacheDir/*.narinfo)
 
-nix-build --option binary-caches "file://$cacheDir" --option signed-binary-caches '' dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log
+nix-build --option binary-caches "file://$cacheDir" --no-require-sigs dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log
 grep -q "copying path" $TEST_ROOT/log
 
 
@@ -124,18 +124,18 @@ nix copy --to file://$cacheDir?secret-key=$TEST_ROOT/sk1 $outPath
 clearStore
 clearCacheCache
 
-(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' )
+(! nix-store -r $outPath --option binary-caches "file://$cacheDir")
 
 
 # And it should fail if we provide an incorrect key.
 clearStore
 clearCacheCache
 
-(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$badKey")
+(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option trusted-public-keys "$badKey")
 
 
 # It should succeed if we provide the correct key.
-nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$otherKey $publicKey"
+nix-store -r $outPath --option binary-caches "file://$cacheDir" --option trusted-public-keys "$otherKey $publicKey"
 
 
 # It should fail if we corrupt the .narinfo.
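Review bot: The two negated checks in this hunk, `(! nix-store -r $outPath --option binary-caches "file://$cacheDir")` and the `$badKey` variant, pass on any non-zero exit, so a failure unrelated to signature verification would also satisfy them. Capturing the output and grepping for the signature error, the way the earlier `grep -q "hash mismatch" $TEST_ROOT/log` check does, would pin the reason for the failure. The same applies to the negated check on `$cacheDir2` in the `@@ -152,10 +152,10 @@` hunk. Now that these commands rely on the `require-sigs` default instead of passing `--option signed-binary-caches '*'`, one additional case that sets `--option require-sigs true` explicitly would exercise the positive form of the new option as well.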
@@ -152,10 +152,10 @@ done
 
 clearCacheCache
 
-(! nix-store -r $outPath --option binary-caches "file://$cacheDir2" --option signed-binary-caches '*' --option trusted-public-keys "$publicKey")
+(! nix-store -r $outPath --option binary-caches "file://$cacheDir2" --option trusted-public-keys "$publicKey")
 
 # If we provide a bad and a good binary cache, it should succeed.
 
-nix-store -r $outPath --option binary-caches "file://$cacheDir2 file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$publicKey"
+nix-store -r $outPath --option binary-caches "file://$cacheDir2 file://$cacheDir" --option trusted-public-keys "$publicKey"
 
 fi # HAVE_LIBSODIUM
diff --git a/tests/repair.sh b/tests/repair.sh
index 7c928e3be73c..7f9f97fd06e3 100644
--- a/tests/repair.sh
+++ b/tests/repair.sh
@@ -51,7 +51,7 @@ nix copy --to file://$cacheDir $path
 chmod u+w $path2
 rm -rf $path2
 
-nix-store --verify --check-contents --repair --option binary-caches "file://$cacheDir" --option signed-binary-caches ''
+nix-store --verify --check-contents --repair --option binary-caches "file://$cacheDir" --no-require-sigs
 
 if [ "$(nix-hash $path2)" != "$hash" -o -e $path2/bad ]; then
     echo "path not repaired properly" >&2
@@ -69,7 +69,7 @@ if nix-store --verify-path $path2; then
     exit 1
 fi
 
-nix-store --repair-path $path2 --option binary-caches "file://$cacheDir" --option signed-binary-caches ''
+nix-store --repair-path $path2 --option binary-caches "file://$cacheDir" --no-require-sigs
 
 if [ "$(nix-hash $path2)" != "$hash" -o -e $path2/bad ]; then
     echo "path not repaired properly" >&2