diff options
author | Eelco Dolstra <e.dolstra@tudelft.nl> | 2007-03-01T12·30+0000 |
---|---|---|
committer | Eelco Dolstra <e.dolstra@tudelft.nl> | 2007-03-01T12·30+0000 |
commit | b4a040e52b607e019515e9339f90a2e5c6c21ad5 (patch) | |
tree | 3f8a53ac66cdab51f6f8314aaba95bcccb5ef011 /src/libstore/local-store.cc | |
parent | 2ea3bebc23b2d13475c00191f6005740fbdc7771 (diff) |
* Don't check the signature unless we have to.
Diffstat (limited to 'src/libstore/local-store.cc')
-rw-r--r-- | src/libstore/local-store.cc | 44 |
1 files changed, 23 insertions, 21 deletions
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index dce2b449eec0..edbe567f4900 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -840,27 +840,29 @@ Path LocalStore::importPath(bool requireSignature, Source & source) if (haveSignature) { string signature = readString(hashAndReadSource); - Path sigFile = tmpDir + "/sig"; - writeStringToFile(sigFile, signature); - - Strings args; - args.push_back("rsautl"); - args.push_back("-verify"); - args.push_back("-inkey"); - args.push_back(nixConfDir + "/signing-key.pub"); - args.push_back("-pubin"); - args.push_back("-in"); - args.push_back(sigFile); - string hash2 = runProgram("openssl", true, args); - - /* Note: runProgram() throws an exception if the signature is - invalid. */ - - if (printHash(hash) != hash2) - throw Error( - "signed hash doesn't match actual contents of imported " - "archive; archive could be corrupt, or someone is trying " - "to import a Trojan horse"); + if (requireSignature) { + Path sigFile = tmpDir + "/sig"; + writeStringToFile(sigFile, signature); + + Strings args; + args.push_back("rsautl"); + args.push_back("-verify"); + args.push_back("-inkey"); + args.push_back(nixConfDir + "/signing-key.pub"); + args.push_back("-pubin"); + args.push_back("-in"); + args.push_back(sigFile); + string hash2 = runProgram("openssl", true, args); + + /* Note: runProgram() throws an exception if the signature + is invalid. */ + + if (printHash(hash) != hash2) + throw Error( + "signed hash doesn't match actual contents of imported " + "archive; archive could be corrupt, or someone is trying " + "to import a Trojan horse"); + } } /* Do the actual import. */ |