diff options
| author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-02-17T12·16+0100 |
|---|---|---|
| committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-02-17T12·16+0100 |
| commit | f19b4abfb2c238a98f749812c9ba294dd98d8bd0 (patch) | |
| tree | c135e5fcc4e1dc2722119c624adb80a6385f80c5 /scripts | |
| parent | 8c8750ae661559613ee357d5814505b933258aaf (diff) | |
Include NAR size in fingerprint computation
This is not strictly needed for integrity (since we already include the NAR hash in the fingerprint) but it helps against endless data attacks [1]. (However, this will also require download-from-binary-cache.pl to bail out if it receives more than the specified number of bytes.) [1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
Diffstat (limited to 'scripts')
| -rwxr-xr-x | scripts/nix-push.in | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/scripts/nix-push.in b/scripts/nix-push.in index a060ea128fd1..d5d3bc1e7e79 100755 --- a/scripts/nix-push.in +++ b/scripts/nix-push.in @@ -257,7 +257,7 @@ for (my $n = 0; $n < scalar @storePaths2; $n++) { chomp $s; my ($keyName, $secretKey) = split ":", $s; die "invalid secret key file ‘$secretKeyFile’\n" unless defined $keyName && defined $secretKey; - my $fingerprint = fingerprintPath($storePath, $narHash, $refs); + my $fingerprint = fingerprintPath($storePath, $narHash, $narSize, $refs); my $sig = encode_base64(signString(decode_base64($secretKey), $fingerprint), ""); $info .= "Sig: $keyName:$sig\n"; } |