diff options
| author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-01-08T14·23+0100 |
|---|---|---|
| committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-01-08T14·42+0100 |
| commit | 0fdf4da0e979f992db75cc17376e455ddc5a96d8 (patch) | |
| tree | d80846735c2ea6f0dc3307e94d9edc2087686896 /scripts | |
| parent | 405434e084fa994cc957249db7787731e9311fa8 (diff) | |
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature that Nix will verify before using the corresponding NAR file. To create a private/public key pair for signing and verifying a binary cache, do: $ openssl genrsa -out ./cache-key.sec 2048 $ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub You should also come up with a symbolic name for the key, such as "cache.example.org-1". This will be used by clients to look up the public key. (It's a good idea to number keys, in case you ever need to revoke/replace one.) To create a binary cache signed with the private key: $ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1 The public key (cache-key.pub) should be distributed to the clients. They should have a nix.conf should contain something like: signed-binary-caches = * binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub If all works well, then if Nix fetches something from the signed binary cache, you will see a message like: *** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’... On the other hand, if the signature is wrong, you get a message like NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring Signatures are implemented as a single line appended to the NAR info file, which looks like this: Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ== Thus the signature has 3 fields: a version (currently "1"), the ID of key, and the base64-encoded signature of the SHA-256 hash of the contents of the NAR info file up to but not including the Signature line. Issue #75.
Diffstat (limited to 'scripts')
| -rw-r--r-- | scripts/download-from-binary-cache.pl.in | 24 | ||||
| -rwxr-xr-x | scripts/nix-push.in | 18 |
2 files changed, 35 insertions, 7 deletions
diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in index 950bcd178527..e6925d7316d0 100644 --- a/scripts/download-from-binary-cache.pl.in +++ b/scripts/download-from-binary-cache.pl.in @@ -42,6 +42,8 @@ my $caBundle = $ENV{"CURL_CA_BUNDLE"} // $ENV{"OPENSSL_X509_CERT_FILE"}; my $userName = getpwuid($<) or die "cannot figure out user name"; +my $requireSignedBinaryCaches = ($Nix::Config::config{"signed-binary-caches"} // "0") ne "0"; + sub addRequest { my ($storePath, $url, $head) = @_; @@ -120,9 +122,10 @@ sub processRequests { sub initCache { - my $dbPath = "$Nix::Config::stateDir/binary-cache-v2.sqlite"; + my $dbPath = "$Nix::Config::stateDir/binary-cache-v3.sqlite"; unlink "$Nix::Config::stateDir/binary-cache-v1.sqlite"; + unlink "$Nix::Config::stateDir/binary-cache-v2.sqlite"; # Open/create the database. $dbh = DBI->connect("dbi:SQLite:dbname=$dbPath", "", "") @@ -159,7 +162,7 @@ EOF narSize integer, refs text, deriver text, - system text, + signedBy text, timestamp integer not null, primary key (cache, storePath), foreign key (cache) references BinaryCaches(id) on delete cascade @@ -183,7 +186,7 @@ EOF $insertNAR = $dbh->prepare( "insert or replace into NARs(cache, storePath, url, compression, fileHash, fileSize, narHash, " . - "narSize, refs, deriver, system, timestamp) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)") or die; + "narSize, refs, deriver, signedBy, timestamp) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)") or die; $queryNAR = $dbh->prepare("select * from NARs where cache = ? and storePath = ?") or die; @@ -309,14 +312,16 @@ sub processNARInfo { return undef; } - my $narInfo = parseNARInfo($storePath, $request->{content}); + my $narInfo = parseNARInfo($storePath, $request->{content}, $requireSignedBinaryCaches, $request->{url}); return undef unless defined $narInfo; + die if $requireSignedBinaryCaches && !defined $narInfo->{signedBy}; + # Cache the result. $insertNAR->execute( $cache->{id}, basename($storePath), $narInfo->{url}, $narInfo->{compression}, $narInfo->{fileHash}, $narInfo->{fileSize}, $narInfo->{narHash}, $narInfo->{narSize}, - join(" ", @{$narInfo->{refs}}), $narInfo->{deriver}, $narInfo->{system}, time()) + join(" ", @{$narInfo->{refs}}), $narInfo->{deriver}, $narInfo->{signedBy}, time()) if shouldCache $request->{url}; return $narInfo; @@ -330,6 +335,10 @@ sub getCachedInfoFrom { my $res = $queryNAR->fetchrow_hashref(); return undef unless defined $res; + # We may previously have cached this info when signature checking + # was disabled. In that case, ignore the cached info. + return undef if $requireSignedBinaryCaches && !defined $res->{signedBy}; + return { url => $res->{url} , compression => $res->{compression} @@ -339,6 +348,7 @@ sub getCachedInfoFrom { , narSize => $res->{narSize} , refs => [ split " ", $res->{refs} ] , deriver => $res->{deriver} + , signedBy => $res->{signedBy} } if defined $res; } @@ -522,7 +532,8 @@ sub downloadBinary { next; } my $url = "$cache->{url}/$info->{url}"; # FIXME: handle non-relative URLs - print STDERR "\n*** Downloading ‘$url’ to ‘$storePath’...\n"; + die if $requireSignedBinaryCaches && !defined $info->{signedBy}; + print STDERR "\n*** Downloading ‘$url’ ", ($requireSignedBinaryCaches ? "(signed by ‘$info->{signedBy}’) " : ""), "to ‘$storePath’...\n"; checkURL $url; if (system("$Nix::Config::curl --fail --location --insecure '$url' $decompressor | $Nix::Config::binDir/nix-store --restore $destPath") != 0) { warn "download of `$url' failed" . ($! ? ": $!" : "") . "\n"; @@ -530,6 +541,7 @@ sub downloadBinary { } # Tell Nix about the expected hash so it can verify it. + die unless defined $info->{narHash} && $info->{narHash} ne ""; print "$info->{narHash}\n"; print STDERR "\n"; diff --git a/scripts/nix-push.in b/scripts/nix-push.in index 2c392c4155d7..bdd128a6f5c2 100755 --- a/scripts/nix-push.in +++ b/scripts/nix-push.in @@ -10,6 +10,7 @@ use Nix::Config; use Nix::Store; use Nix::Manifest; use Nix::Utils; +use Nix::Crypto; my $tmpDir = tempdir("nix-push.XXXXXX", CLEANUP => 1, TMPDIR => 1) or die "cannot create a temporary directory"; @@ -25,6 +26,8 @@ my $writeManifest = 0; my $manifestPath; my $archivesURL; my $link = 0; +my $privateKeyFile; +my $keyName; my @roots; for (my $n = 0; $n < scalar @ARGV; $n++) { @@ -57,6 +60,14 @@ for (my $n = 0; $n < scalar @ARGV; $n++) { $archivesURL = $ARGV[$n]; } elsif ($arg eq "--link") { $link = 1; + } elsif ($arg eq "--key") { + $n++; + die "$0: `$arg' requires an argument\n" unless $n < scalar @ARGV; + $privateKeyFile = $ARGV[$n]; + } elsif ($arg eq "--key-name") { + $n++; + die "$0: `$arg' requires an argument\n" unless $n < scalar @ARGV; + $keyName = $ARGV[$n]; } elsif (substr($arg, 0, 1) eq "-") { die "$0: unknown flag `$arg'\n"; } else { @@ -99,7 +110,7 @@ foreach my $storePath (@storePaths) { my $pathHash = substr(basename($storePath), 0, 32); my $narInfoFile = "$destDir/$pathHash.narinfo"; if (-e $narInfoFile) { - my $narInfo = parseNARInfo($storePath, readFile($narInfoFile)); + my $narInfo = parseNARInfo($storePath, readFile($narInfoFile), 0, $narInfoFile) or die "cannot read `$narInfoFile'\n"; my $narFile = "$destDir/$narInfo->{url}"; if (-e $narFile) { print STDERR "skipping existing $storePath\n"; @@ -245,6 +256,11 @@ for (my $n = 0; $n < scalar @storePaths2; $n++) { } } + if (defined $privateKeyFile && defined $keyName) { + my $sig = signString($privateKeyFile, $info); + $info .= "Signature: 1;$keyName;$sig\n"; + } + my $pathHash = substr(basename($storePath), 0, 32); $dst = "$destDir/$pathHash.narinfo"; |