diff options
| -rw-r--r-- | src/libstore/binary-cache-store.cc | 4 | ||||
| -rw-r--r-- | src/libstore/nar-info.cc | 14 | ||||
| -rw-r--r-- | src/libstore/nar-info.hh | 7 | ||||
| -rw-r--r-- | src/libstore/store-api.hh | 7 |
4 files changed, 21 insertions, 11 deletions
diff --git a/src/libstore/binary-cache-store.cc b/src/libstore/binary-cache-store.cc index de456752bd..e6b68d486b 100644 --- a/src/libstore/binary-cache-store.cc +++ b/src/libstore/binary-cache-store.cc @@ -126,8 +126,8 @@ NarInfo BinaryCacheStore::readNarInfo(const Path & storePath) stats.narInfoRead++; if (publicKeys) { - if (!narInfo->checkSignature(*publicKeys)) - throw Error(format("invalid signature on NAR info file ‘%1%’") % narInfoFile); + if (!narInfo->checkSignatures(*publicKeys)) + throw Error(format("no good signature on NAR info file ‘%1%’") % narInfoFile); } { diff --git a/src/libstore/nar-info.cc b/src/libstore/nar-info.cc index e9260a09bf..9028370ac7 100644 --- a/src/libstore/nar-info.cc +++ b/src/libstore/nar-info.cc @@ -66,7 +66,7 @@ NarInfo::NarInfo(const std::string & s, const std::string & whence) else if (name == "System") system = value; else if (name == "Sig") - sig = value; + sigs.insert(value); pos = eol + 1; } @@ -98,7 +98,7 @@ std::string NarInfo::to_string() const if (!system.empty()) res += "System: " + system + "\n"; - if (!sig.empty()) + for (auto sig : sigs) res += "Sig: " + sig + "\n"; return res; @@ -123,12 +123,16 @@ Strings NarInfo::shortRefs() const void NarInfo::sign(const SecretKey & secretKey) { - sig = secretKey.signDetached(fingerprint()); + sigs.insert(secretKey.signDetached(fingerprint())); } -bool NarInfo::checkSignature(const PublicKeys & publicKeys) const +unsigned int NarInfo::checkSignatures(const PublicKeys & publicKeys) const { - return sig != "" && verifyDetached(fingerprint(), sig, publicKeys); + unsigned int good = 0; + for (auto & sig : sigs) + if (verifyDetached(fingerprint(), sig, publicKeys)) + good++; + return good; } } diff --git a/src/libstore/nar-info.hh b/src/libstore/nar-info.hh index 22e27cb42e..2d04e45261 100644 --- a/src/libstore/nar-info.hh +++ b/src/libstore/nar-info.hh @@ -13,7 +13,6 @@ struct NarInfo : ValidPathInfo Hash fileHash; uint64_t fileSize = 0; std::string system; - std::string sig; // FIXME: support multiple signatures NarInfo() { } NarInfo(const ValidPathInfo & info) : ValidPathInfo(info) { } @@ -31,9 +30,9 @@ struct NarInfo : ValidPathInfo void sign(const SecretKey & secretKey); - /* Return true iff this .narinfo is signed by one of the specified - keys. */ - bool checkSignature(const PublicKeys & publicKeys) const; + /* Return the number of signatures on this .narinfo that were + produced by one of the specified keys. */ + unsigned int checkSignatures(const PublicKeys & publicKeys) const; private: diff --git a/src/libstore/store-api.hh b/src/libstore/store-api.hh index 9a2c9daca0..1a74401483 100644 --- a/src/libstore/store-api.hh +++ b/src/libstore/store-api.hh @@ -98,6 +98,13 @@ struct ValidPathInfo unsigned long long narSize = 0; // 0 = unknown unsigned long long id; // internal use only + /* Whether the path is ultimately trusted, that is, it was built + locally or is content-addressable (e.g. added via addToStore() + or the result of a fixed-output derivation). */ + bool ultimate = false; + + StringSet sigs; // note: not necessarily verified + bool operator == (const ValidPathInfo & i) const { return |