authorVincent Ambo <mail@tazj.in>2022-05-18T15·39+0200
committerclbot <clbot@tvl.fyi>2022-05-19T14·08+0000
commitd127f9bd0e7b9b2e0df2de8a2227f77c0907468d (patch)
tree68455040d88b8e0c2817601db88ede450873ff8e /third_party/nix/tests/signing.sh
parentc85291c602ac666421627d6934ebc6d5be1b93e1 (diff)
chore(3p/nix): unvendor tvix 0.1 r/4098
Nothing is using this now, and we'll likely never pick this up again,
but we learned a lot in the process.

Every now and then this breaks in some bizarre way on channel bumps
and it's just a waste of time to maintain that.

Change-Id: Idcf2f5acd4ca7070ce18d7149cbfc0d967dc0a44
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5632
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Autosubmit: tazjin <tazjin@tvl.su>
Diffstat (limited to 'third_party/nix/tests/signing.sh')
-rw-r--r--third_party/nix/tests/signing.sh105
1 files changed, 0 insertions, 105 deletions
diff --git a/third_party/nix/tests/signing.sh b/third_party/nix/tests/signing.sh
deleted file mode 100644
index 9e29e3fbf063..000000000000
--- a/third_party/nix/tests/signing.sh
+++ /dev/null
@@ -1,105 +0,0 @@
-source common.sh
-
-clearStore
-clearCache
-
-nix-store --generate-binary-cache-key cache1.example.org $TEST_ROOT/sk1 $TEST_ROOT/pk1
-pk1=$(cat $TEST_ROOT/pk1)
-nix-store --generate-binary-cache-key cache2.example.org $TEST_ROOT/sk2 $TEST_ROOT/pk2
-pk2=$(cat $TEST_ROOT/pk2)
-
-# Build a path.
-outPath=$(nix-build dependencies.nix --no-out-link --secret-key-files "$TEST_ROOT/sk1 $TEST_ROOT/sk2")
-
-# Verify that the path got signed.
-info=$(nix path-info --json $outPath)
-[[ $info =~ '"ultimate":true' ]]
-[[ $info =~ 'cache1.example.org' ]]
-[[ $info =~ 'cache2.example.org' ]]
-
-# Test "nix verify".
-nix verify -r $outPath
-
-expect 2 nix verify -r $outPath --sigs-needed 1
-
-nix verify -r $outPath --sigs-needed 1 --trusted-public-keys $pk1
-
-expect 2 nix verify -r $outPath --sigs-needed 2 --trusted-public-keys $pk1
-
-nix verify -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
-
-nix verify --all --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
-
-# Build something unsigned.
-outPath2=$(nix-build simple.nix --no-out-link)
-
-nix verify -r $outPath
-
-# Verify that the path did not get signed but does have the ultimate bit.
-info=$(nix path-info --json $outPath2)
-[[ $info =~ '"ultimate":true' ]]
-(! [[ $info =~ 'signatures' ]])
-
-# Test "nix verify".
-nix verify -r $outPath2
-
-expect 2 nix verify -r $outPath2 --sigs-needed 1
-
-expect 2 nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
-
-# Test "nix sign-paths".
-nix sign-paths --key-file $TEST_ROOT/sk1 $outPath2
-
-nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
-
-# Build something content-addressed.
-outPathCA=$(IMPURE_VAR1=foo IMPURE_VAR2=bar nix-build ./fixed.nix -A good.0 --no-out-link)
-
-[[ $(nix path-info --json $outPathCA) =~ '"ca":"fixed:md5:' ]]
-
-# Content-addressed paths don't need signatures, so they verify
-# regardless of --sigs-needed.
-nix verify $outPathCA
-nix verify $outPathCA --sigs-needed 1000
-
-# Check that signing a content-addressed path doesn't overflow validSigs
-nix sign-paths --key-file $TEST_ROOT/sk1 $outPathCA
-nix verify -r $outPathCA --sigs-needed 1000 --trusted-public-keys $pk1
-
-# Copy to a binary cache.
-nix copy --to file://$cacheDir $outPath2
-
-# Verify that signatures got copied.
-info=$(nix path-info --store file://$cacheDir --json $outPath2)
-(! [[ $info =~ '"ultimate":true' ]])
-[[ $info =~ 'cache1.example.org' ]]
-(! [[ $info =~ 'cache2.example.org' ]])
-
-# Verify that adding a signature to a path in a binary cache works.
-nix sign-paths --store file://$cacheDir --key-file $TEST_ROOT/sk2 $outPath2
-info=$(nix path-info --store file://$cacheDir --json $outPath2)
-[[ $info =~ 'cache1.example.org' ]]
-[[ $info =~ 'cache2.example.org' ]]
-
-# Copying to a diverted store should fail due to a lack of valid signatures.
-chmod -R u+w $TEST_ROOT/store0 || true
-rm -rf $TEST_ROOT/store0
-(! nix copy --to $TEST_ROOT/store0 $outPath)
-
-# But succeed if we supply the public keys.
-nix copy --to $TEST_ROOT/store0 $outPath --trusted-public-keys $pk1
-
-expect 2 nix verify --store $TEST_ROOT/store0 -r $outPath
-
-nix verify --store $TEST_ROOT/store0 -r $outPath --trusted-public-keys $pk1
-nix verify --store $TEST_ROOT/store0 -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
-
-# It should also succeed if we disable signature checking.
-(! nix copy --to $TEST_ROOT/store0 $outPath2)
-nix copy --to $TEST_ROOT/store0?require-sigs=false $outPath2
-
-# But signatures should still get copied.
-nix verify --store $TEST_ROOT/store0 -r $outPath2 --trusted-public-keys $pk1
-
-# Content-addressed stuff can be copied without signatures.
-nix copy --to $TEST_ROOT/store0 $outPathCA