author | Vincent Ambo <mail@tazj.in> | 2022-05-18T15·39+0200 |
---|---|---|
committer | clbot <clbot@tvl.fyi> | 2022-05-19T14·08+0000 |
commit | d127f9bd0e7b9b2e0df2de8a2227f77c0907468d (patch) | |
tree | 68455040d88b8e0c2817601db88ede450873ff8e /third_party/nix/tests/signing.sh | |
parent | c85291c602ac666421627d6934ebc6d5be1b93e1 (diff) |
chore(3p/nix): unvendor tvix 0.1 r/4098
Nothing is using this now, and we'll likely never pick this up again, but we learned a lot in the process. Every now and then this breaks in some bizarre way on channel bumps and it's just a waste of time to maintain that.

Change-Id: Idcf2f5acd4ca7070ce18d7149cbfc0d967dc0a44
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5632
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Autosubmit: tazjin <tazjin@tvl.su>
Diffstat (limited to 'third_party/nix/tests/signing.sh')
-rw-r--r-- | third_party/nix/tests/signing.sh | 105 |
1 files changed, 0 insertions, 105 deletions
diff --git a/third_party/nix/tests/signing.sh b/third_party/nix/tests/signing.sh deleted file mode 100644 index 9e29e3fbf063..000000000000 --- a/third_party/nix/tests/signing.sh +++ /dev/null 
@@ -1,105 +0,0 @@ -source common.sh - -clearStore -clearCache - -nix-store --generate-binary-cache-key cache1.example.org $TEST_ROOT/sk1 $TEST_ROOT/pk1 -pk1=$(cat $TEST_ROOT/pk1) -nix-store --generate-binary-cache-key cache2.example.org $TEST_ROOT/sk2 $TEST_ROOT/pk2 -pk2=$(cat $TEST_ROOT/pk2) - -# Build a path. -outPath=$(nix-build dependencies.nix --no-out-link --secret-key-files "$TEST_ROOT/sk1 $TEST_ROOT/sk2") - -# Verify that the path got signed. -info=$(nix path-info --json $outPath) -[[ $info =~ '"ultimate":true' ]] -[[ $info =~ 'cache1.example.org' ]] -[[ $info =~ 'cache2.example.org' ]] - -# Test "nix verify". -nix verify -r $outPath - -expect 2 nix verify -r $outPath --sigs-needed 1 - -nix verify -r $outPath --sigs-needed 1 --trusted-public-keys $pk1 - -expect 2 nix verify -r $outPath --sigs-needed 2 --trusted-public-keys $pk1 - -nix verify -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2" - -nix verify --all --sigs-needed 2 --trusted-public-keys "$pk1 $pk2" - -# Build something unsigned. -outPath2=$(nix-build simple.nix --no-out-link) - -nix verify -r $outPath - -# Verify that the path did not get signed but does have the ultimate bit. -info=$(nix path-info --json $outPath2) -[[ $info =~ '"ultimate":true' ]] -(! [[ $info =~ 'signatures' ]]) - -# Test "nix verify". -nix verify -r $outPath2 - -expect 2 nix verify -r $outPath2 --sigs-needed 1 - -expect 2 nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1 - -# Test "nix sign-paths". -nix sign-paths --key-file $TEST_ROOT/sk1 $outPath2 - -nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1 - -# Build something content-addressed. -outPathCA=$(IMPURE_VAR1=foo IMPURE_VAR2=bar nix-build ./fixed.nix -A good.0 --no-out-link) - -[[ $(nix path-info --json $outPathCA) =~ '"ca":"fixed:md5:' ]] - -# Content-addressed paths don't need signatures, so they verify -# regardless of --sigs-needed. 
-nix verify $outPathCA -nix verify $outPathCA --sigs-needed 1000 - -# Check that signing a content-addressed path doesn't overflow validSigs -nix sign-paths --key-file $TEST_ROOT/sk1 $outPathCA -nix verify -r $outPathCA --sigs-needed 1000 --trusted-public-keys $pk1 - -# Copy to a binary cache. -nix copy --to file://$cacheDir $outPath2 - -# Verify that signatures got copied. -info=$(nix path-info --store file://$cacheDir --json $outPath2) -(! [[ $info =~ '"ultimate":true' ]]) -[[ $info =~ 'cache1.example.org' ]] -(! [[ $info =~ 'cache2.example.org' ]]) - -# Verify that adding a signature to a path in a binary cache works. -nix sign-paths --store file://$cacheDir --key-file $TEST_ROOT/sk2 $outPath2 -info=$(nix path-info --store file://$cacheDir --json $outPath2) -[[ $info =~ 'cache1.example.org' ]] -[[ $info =~ 'cache2.example.org' ]] - -# Copying to a diverted store should fail due to a lack of valid signatures. -chmod -R u+w $TEST_ROOT/store0 || true -rm -rf $TEST_ROOT/store0 -(! nix copy --to $TEST_ROOT/store0 $outPath) - -# But succeed if we supply the public keys. -nix copy --to $TEST_ROOT/store0 $outPath --trusted-public-keys $pk1 - -expect 2 nix verify --store $TEST_ROOT/store0 -r $outPath - -nix verify --store $TEST_ROOT/store0 -r $outPath --trusted-public-keys $pk1 -nix verify --store $TEST_ROOT/store0 -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2" - -# It should also succeed if we disable signature checking. -(! nix copy --to $TEST_ROOT/store0 $outPath2) -nix copy --to $TEST_ROOT/store0?require-sigs=false $outPath2 - -# But signatures should still get copied. -nix verify --store $TEST_ROOT/store0 -r $outPath2 --trusted-public-keys $pk1 - -# Content-addressed stuff can be copied without signatures. -nix copy --to $TEST_ROOT/store0 $outPathCA |
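Review bot: The deleted script depends on sibling fixtures (`source common.sh` on its first line, then `dependencies.nix`, `simple.nix` and `./fixed.nix` in the `nix-build` calls), and this view is limited to `signing.sh`, so it does not show whether those are removed in the same change; confirm they go together so no orphaned test fixtures stay in the tree. The file also carried the checks on signature trust for `nix copy` and `nix verify` (the copy to `$TEST_ROOT/store0` failing without `--trusted-public-keys`, the `?require-sigs=false` override, content-addressed paths verifying regardless of `--sigs-needed`), so a line in the commit message confirming that no remaining CI target ran these tests would make the removal easier to audit later.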