diff options
| author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-02-04T15·43+0100 |
|---|---|---|
| committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-02-04T16·10+0100 |
| commit | e0def5bc4b41ad09ce3f188bf522814ef3389e1f (patch) | |
| tree | 70b894e41d8b682a166872d28d720e438aea8dda /tests | |
| parent | 0d1dafa0c4ef8adc27315653df8a170c0cf33985 (diff) | |
Use libsodium instead of OpenSSL for binary cache signing
Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA signatures. Public keys are also much shorter, so they're now specified directly in the nix.conf option ‘binary-cache-public-keys’. The new command ‘nix-store --generate-binary-cache-key’ generates and prints a public and secret key.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/binary-cache.sh | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/tests/binary-cache.sh b/tests/binary-cache.sh index 6f0c36f6300f..b0e7f63ae0b6 100644 --- a/tests/binary-cache.sh +++ b/tests/binary-cache.sh @@ -87,3 +87,53 @@ rm $(grep -l "StorePath:.*dependencies-input-2" $cacheDir/*.narinfo) nix-build --option binary-caches "file://$cacheDir" dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log grep -q "Downloading" $TEST_ROOT/log + + +# Create a signed binary cache. +clearCache + +declare -a res=($(nix-store --generate-binary-cache-key test.nixos.org-1)) +publicKey="${res[0]}" +secretKey="${res[1]}" +echo "$secretKey" > $TEST_ROOT/secret-key + +res=($(nix-store --generate-binary-cache-key test.nixos.org-1)) +badKey="${res[0]}" + +res=($(nix-store --generate-binary-cache-key foo.nixos.org-1)) +otherKey="${res[0]}" + +nix-push --dest $cacheDir --key-file $TEST_ROOT/secret-key $outPath + + +# Downloading should fail if we don't provide a key. +clearStore + +rm -f $NIX_STATE_DIR/binary-cache* + +(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' ) + + +# And it should fail if we provide an incorrect key. +clearStore + +rm -f $NIX_STATE_DIR/binary-cache* + +(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$badKey") + + +# It should succeed if we provide the correct key. +nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$otherKey $publicKey" + + +# It should fail if we corrupt the .narinfo. +clearStore + +for i in $cacheDir/*.narinfo; do + grep -v References $i > $i.tmp + mv $i.tmp $i +done + +rm -f $NIX_STATE_DIR/binary-cache* + +(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$publicKey") |