diff options
-rw-r--r-- | src/libstore/local-store.cc | 44 |
1 files changed, 23 insertions, 21 deletions
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index dce2b449eec0..edbe567f4900 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -840,27 +840,29 @@ Path LocalStore::importPath(bool requireSignature, Source & source) if (haveSignature) { string signature = readString(hashAndReadSource); - Path sigFile = tmpDir + "/sig"; - writeStringToFile(sigFile, signature); - - Strings args; - args.push_back("rsautl"); - args.push_back("-verify"); - args.push_back("-inkey"); - args.push_back(nixConfDir + "/signing-key.pub"); - args.push_back("-pubin"); - args.push_back("-in"); - args.push_back(sigFile); - string hash2 = runProgram("openssl", true, args); - - /* Note: runProgram() throws an exception if the signature is - invalid. */ - - if (printHash(hash) != hash2) - throw Error( - "signed hash doesn't match actual contents of imported " - "archive; archive could be corrupt, or someone is trying " - "to import a Trojan horse"); + if (requireSignature) { + Path sigFile = tmpDir + "/sig"; + writeStringToFile(sigFile, signature); + + Strings args; + args.push_back("rsautl"); + args.push_back("-verify"); + args.push_back("-inkey"); + args.push_back(nixConfDir + "/signing-key.pub"); + args.push_back("-pubin"); + args.push_back("-in"); + args.push_back(sigFile); + string hash2 = runProgram("openssl", true, args); + + /* Note: runProgram() throws an exception if the signature + is invalid. */ + + if (printHash(hash) != hash2) + throw Error( + "signed hash doesn't match actual contents of imported " + "archive; archive could be corrupt, or someone is trying " + "to import a Trojan horse"); + } } /* Do the actual import. */ |