feat(tvix/store): Add CAHash validation r/8963

Validation is done inside ingest_nar_and_hash and
is used by Fetch::NAR and the nar-bridge.

Change-Id: I7e2be4cc13d2447035f1e5a444f44b62339988bf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12836
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>

1 files changed, 12 insertions, 8 deletions

diff --git a/tvix/nar-bridge/src/nar.rs b/tvix/nar-bridge/src/nar.rs
index f9b50fd6bc42..c351c9e4bdda 100644
--- a/tvix/nar-bridge/src/nar.rs
+++ b/tvix/nar-bridge/src/nar.rs
@@ -173,14 +173,18 @@ pub async fn put(
     }));
 
     // ingest the NAR
-    let (root_node, nar_hash_actual, nar_size) =
-        ingest_nar_and_hash(blob_service.clone(), directory_service.clone(), &mut r)
-            .await
-            .map_err(|e| io::Error::new(io::ErrorKind::Other, e))
-            .map_err(|e| {
-                warn!(err=%e, "failed to ingest nar");
-                StatusCode::INTERNAL_SERVER_ERROR
-            })?;
+    let (root_node, nar_hash_actual, nar_size) = ingest_nar_and_hash(
+        blob_service.clone(),
+        directory_service.clone(),
+        &mut r,
+        &None,
+    )
+    .await
+    .map_err(io::Error::other)
+    .map_err(|e| {
+        warn!(err=%e, "failed to ingest nar");
+        StatusCode::INTERNAL_SERVER_ERROR
+    })?;
 
     let s = Span::current();
     s.record("nar_hash.expected", nixbase32::encode(&nar_hash_expected));