diff options
| author | Eelco Dolstra <edolstra@gmail.com> | 2018-02-05T17·08+0100 |
|---|---|---|
| committer | Eelco Dolstra <edolstra@gmail.com> | 2018-02-05T17·08+0100 |
| commit | bb1d046f5c37a01ee85fc30d4602e8be8213eb84 (patch) | |
| tree | cef64fac8b398fb9cf16ee619b190a5226ceeb92 /src | |
| parent | 2175eee9fec07dea32e07471946d26a242a07760 (diff) | |
Allow substituters to be marked as trusted
This is needed by nixos-install, which uses the Nix store on the installation CD as a substituter. We don't want to disable signature checking entirely because substitutes from cache.nixos.org should still be checked. So now we can pas "local?trusted=1" to mark only the Nix store in /nix as not requiring signatures. Fixes #1819.
Diffstat (limited to 'src')
| -rw-r--r-- | src/libstore/build.cc | 7 | ||||
| -rw-r--r-- | src/libstore/store-api.hh | 2 |
2 files changed, 7 insertions, 2 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 5540d57a8670..5be7ce60dab9 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -3684,7 +3684,10 @@ void SubstitutionGoal::tryNext() /* Bail out early if this substituter lacks a valid signature. LocalStore::addToStore() also checks for this, but only after we've downloaded the path. */ - if (worker.store.requireSigs && !info->checkSignatures(worker.store, worker.store.publicKeys)) { + if (worker.store.requireSigs + && !sub->isTrusted + && !info->checkSignatures(worker.store, worker.store.publicKeys)) + { printInfo(format("warning: substituter '%s' does not have a valid signature for path '%s'") % sub->getUri() % storePath); tryNext(); @@ -3752,7 +3755,7 @@ void SubstitutionGoal::tryToRun() PushActivity pact(act.id); copyStorePath(ref<Store>(sub), ref<Store>(worker.store.shared_from_this()), - storePath, repair); + storePath, repair, sub->isTrusted ? NoCheckSigs : CheckSigs); promise.set_value(); } catch (...) { diff --git a/src/libstore/store-api.hh b/src/libstore/store-api.hh index 70f23e1fcaf4..aa83c2ded8c8 100644 --- a/src/libstore/store-api.hh +++ b/src/libstore/store-api.hh @@ -248,6 +248,8 @@ public: const Setting<int> pathInfoCacheSize{this, 65536, "path-info-cache-size", "size of the in-memory store path information cache"}; + const Setting<bool> isTrusted{this, false, "trusted", "whether paths from this store can be used as substitutes even when they lack trusted signatures"}; + protected: struct State |