diff options
author | Eelco Dolstra <e.dolstra@tudelft.nl> | 2007-02-21T17·51+0000 |
---|---|---|
committer | Eelco Dolstra <e.dolstra@tudelft.nl> | 2007-02-21T17·51+0000 |
commit | 65f195f4c7eec4f0880e7c3953aa5e78eeffbebf (patch) | |
tree | ca768a2e6cd5123071d6da35e934eed6049406fd /src/libstore/local-store.cc | |
parent | bdadb98de8fcd5ed99cca97071741e2775f3ada2 (diff) |
* Check that the file containing the secret key is secret.
Diffstat (limited to 'src/libstore/local-store.cc')
-rw-r--r-- | src/libstore/local-store.cc | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index ab1f4682ca48..c91368865309 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -718,6 +718,16 @@ struct HashAndWriteSink : Sink #define EXPORT_MAGIC 0x4558494e +static void checkSecrecy(const Path & path) +{ + struct stat st; + if (stat(path.c_str(), &st)) + throw SysError(format("getting status of `%1%'") % path); + if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) + throw Error(format("file `%1%' should be secret (inaccessible to everybody else)!") % path); +} + + void LocalStore::exportPath(const Path & path, bool sign, Sink & sink) { @@ -756,11 +766,14 @@ void LocalStore::exportPath(const Path & path, bool sign, Path hashFile = tmpDir + "/hash"; writeStringToFile(hashFile, printHash(hash)); + Path secretKey = nixConfDir + "/signing-key.sec"; + checkSecrecy(secretKey); + Strings args; args.push_back("rsautl"); args.push_back("-sign"); args.push_back("-inkey"); - args.push_back(nixConfDir + "/signing-key.sec"); + args.push_back(secretKey); args.push_back("-in"); args.push_back(hashFile); string signature = runProgram("openssl", true, args); |