diff options
| author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2012-07-27T16·16-0400 |
|---|---|---|
| committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2012-07-27T16·16-0400 |
| commit | 73acb8b836affe5dfade9dd6e3339ad2f9191add (patch) | |
| tree | 756e59c48da948362ba4371f4fe2b5bbdb1c35fe /scripts | |
| parent | fbf59d95f66012349fdcd2b60f34b9efb32e6319 (diff) | |
Let build.cc verify the expected hash of a substituter's output
Since SubstitutionGoal::finished() in build.cc computes the hash anyway, we can prevent the inefficiency of computing the hash twice by letting the substituter tell Nix about the expected hash, which can then verify it.
Diffstat (limited to 'scripts')
| -rwxr-xr-x | scripts/copy-from-other-stores.pl.in | 5 | ||||
| -rw-r--r-- | scripts/download-from-binary-cache.pl.in | 11 | ||||
| -rwxr-xr-x | scripts/download-using-manifests.pl.in | 13 |
3 files changed, 9 insertions, 20 deletions
diff --git a/scripts/copy-from-other-stores.pl.in b/scripts/copy-from-other-stores.pl.in index 92869ee7a107..3ee6f075b27e 100755 --- a/scripts/copy-from-other-stores.pl.in +++ b/scripts/copy-from-other-stores.pl.in @@ -52,7 +52,7 @@ if ($ARGV[0] eq "--query") { next unless defined $store; $ENV{"NIX_DB_DIR"} = "$store/var/nix/db"; - + my $deriver = `@bindir@/nix-store --query --deriver $storePath`; die "cannot query deriver of `$storePath'" if $? != 0; chomp $deriver; @@ -87,9 +87,10 @@ elsif ($ARGV[0] eq "--substitute") { my $storePath = $ARGV[1]; my ($store, $sourcePath) = findStorePath $storePath; die unless $store; - print "\n*** Copying `$storePath' from `$sourcePath'\n\n"; + print STDERR "\n*** Copying `$storePath' from `$sourcePath'\n\n"; system("$binDir/nix-store --dump $sourcePath | $binDir/nix-store --restore $storePath") == 0 or die "cannot copy `$sourcePath' to `$storePath'"; + print "\n"; # no hash to verify } diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in index 9e1c774a5a7b..823ecd9d9194 100644 --- a/scripts/download-from-binary-cache.pl.in +++ b/scripts/download-from-binary-cache.pl.in @@ -432,13 +432,10 @@ sub downloadBinary { die "download of `$info->{url}' failed" . ($! ? ": $!" : "") . "\n" unless $? == 0; next; } - # The hash in the manifest can be either in base-16 or - # base-32. Handle both. - $info->{narHash} =~ /^sha256:(.*)$/ or die "invalid hash"; - my $hash = $1; - my $hash2 = hashPath("sha256", 1, $storePath); - die "hash mismatch in downloaded path ‘$storePath’; expected $hash, got $hash2\n" - if $hash ne $hash2; + + # Tell Nix about the expected hash so it can verify it. + print "$info->{narHash}\n"; + print STDERR "\n"; return 1; } diff --git a/scripts/download-using-manifests.pl.in b/scripts/download-using-manifests.pl.in index ed63e792ea80..04bcce90da38 100755 --- a/scripts/download-using-manifests.pl.in +++ b/scripts/download-using-manifests.pl.in @@ -353,19 +353,10 @@ while (scalar @path > 0) { } -# Make sure that the hash declared in the manifest matches what we -# downloaded and unpacked. +# Tell Nix about the expected hash so it can verify it. die "cannot check integrity of the downloaded path since its hash is not known\n" unless defined $finalNarHash; - -my ($hashAlgo, $hash) = parseHash $finalNarHash; - -# The hash in the manifest can be either in base-16 or base-32. -# Handle both. -my $hash2 = hashPath($hashAlgo, $hashAlgo eq "sha256" && length($hash) != 64, $targetPath); - -die "hash mismatch in downloaded path $targetPath; expected $hash, got $hash2\n" - if $hash ne $hash2; +print "$finalNarHash\n"; print STDERR "\n"; |