diff options
| -rw-r--r-- | doc/manual/command-ref/conf-file.xml | 7 | ||||
| -rw-r--r-- | tests/binary-cache.sh | 10 | ||||
| -rw-r--r-- | tests/repair.sh | 4 |
3 files changed, 11 insertions, 10 deletions
diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml index 3bd133918f45..6952829e8f71 100644 --- a/doc/manual/command-ref/conf-file.xml +++ b/doc/manual/command-ref/conf-file.xml @@ -394,9 +394,10 @@ flag, e.g. <literal>--option gc-keep-outputs false</literal>.</para> <varlistentry><term><literal>signed-binary-caches</literal></term> - <listitem><para>If set to <literal>*</literal>, Nix will only - download binaries if they are signed using one of the keys listed - in <option>binary-cache-public-keys</option>.</para></listitem> + <listitem><para>If set to <literal>*</literal> (the default), Nix + will only download binaries if they are signed using one of the + keys listed in <option>binary-cache-public-keys</option>. Set to + the empty string to disable signature checking.</para></listitem> </varlistentry> diff --git a/tests/binary-cache.sh b/tests/binary-cache.sh index 4ce428f643e5..532099d02142 100644 --- a/tests/binary-cache.sh +++ b/tests/binary-cache.sh @@ -18,7 +18,7 @@ basicTests() { nix-env --option binary-caches "file://$cacheDir" -f dependencies.nix -qas \* | grep -- "---" - nix-store --option binary-caches "file://$cacheDir" -r $outPath + nix-store --option binary-caches "file://$cacheDir" --option signed-binary-caches '' -r $outPath [ -x $outPath/program ] @@ -34,7 +34,7 @@ basicTests() { x=$(nix-env -f dependencies.nix -qas \* --prebuilt-only) [ -z "$x" ] - nix-store --option binary-caches "file://$cacheDir" -r $outPath + nix-store --option binary-caches "file://$cacheDir" --option signed-binary-caches '' -r $outPath nix-store --check-validity $outPath nix-store -qR $outPath | grep input-2 @@ -63,7 +63,7 @@ mv $nar $nar.good mkdir -p $TEST_ROOT/empty nix-store --dump $TEST_ROOT/empty | xz > $nar -nix-build --option binary-caches "file://$cacheDir" dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log +nix-build --option binary-caches "file://$cacheDir" --option signed-binary-caches '' dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log grep -q "hash mismatch" $TEST_ROOT/log mv $nar.good $nar @@ -73,7 +73,7 @@ mv $nar.good $nar clearStore clearCacheCache -if nix-store --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' -r $outPath; then +if nix-store --option binary-caches "file://$cacheDir" -r $outPath; then echo "unsigned binary cache incorrectly accepted" exit 1 fi @@ -99,7 +99,7 @@ clearStore rm $(grep -l "StorePath:.*dependencies-input-2" $cacheDir/*.narinfo) -nix-build --option binary-caches "file://$cacheDir" dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log +nix-build --option binary-caches "file://$cacheDir" --option signed-binary-caches '' dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log grep -q "fetching path" $TEST_ROOT/log diff --git a/tests/repair.sh b/tests/repair.sh index 782838704da7..57152d450a17 100644 --- a/tests/repair.sh +++ b/tests/repair.sh @@ -51,7 +51,7 @@ nix copy --recursive --to file://$cacheDir $path chmod u+w $path2 rm -rf $path2 -nix-store --verify --check-contents --repair --option binary-caches "file://$cacheDir" +nix-store --verify --check-contents --repair --option binary-caches "file://$cacheDir" --option signed-binary-caches '' if [ "$(nix-hash $path2)" != "$hash" -o -e $path2/bad ]; then echo "path not repaired properly" >&2 @@ -69,7 +69,7 @@ if nix-store --verify-path $path2; then exit 1 fi -nix-store --repair-path $path2 --option binary-caches "file://$cacheDir" +nix-store --repair-path $path2 --option binary-caches "file://$cacheDir" --option signed-binary-caches '' if [ "$(nix-hash $path2)" != "$hash" -o -e $path2/bad ]; then echo "path not repaired properly" >&2 |