Sign locally-built paths

Locally-built paths are now signed automatically using the secret keys
specified by the ‘secret-key-files’ option.

1 files changed, 15 insertions, 1 deletions

diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index 28e340af7a5e..713ff49be6cf 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -310,7 +310,7 @@ void LocalStore::openDB(bool create)
 
     /* Prepare SQL statements. */
     stmtRegisterValidPath.create(db,
-        "insert into ValidPaths (path, hash, registrationTime, deriver, narSize, ultimate) values (?, ?, ?, ?, ?, ?);");
+        "insert into ValidPaths (path, hash, registrationTime, deriver, narSize, ultimate, sigs) values (?, ?, ?, ?, ?, ?, ?);");
     stmtUpdatePathInfo.create(db,
         "update ValidPaths set narSize = ?, hash = ?, ultimate = ?, sigs = ? where path = ?;");
     stmtAddReference.create(db,
@@ -547,6 +547,7 @@ uint64_t LocalStore::addValidPath(const ValidPathInfo & info, bool checkOutputs)
         (info.deriver, info.deriver != "")
         (info.narSize, info.narSize != 0)
         (info.ultimate ? 1 : 0, info.ultimate)
+        (concatStringsSep(" ", info.sigs), !info.sigs.empty())
         .exec();
     uint64_t id = sqlite3_last_insert_rowid(db);
 
@@ -1710,4 +1711,17 @@ void LocalStore::addSignatures(const Path & storePath, const StringSet & sigs)
 }
 
 
+void LocalStore::signPathInfo(ValidPathInfo & info)
+{
+    // FIXME: keep secret keys in memory.
+
+    auto secretKeyFiles = settings.get("secret-key-files", Strings());
+
+    for (auto & secretKeyFile : secretKeyFiles) {
+        SecretKey secretKey(readFile(secretKeyFile));
+        info.sign(secretKey);
+    }
+}
+
+
 }