diff options
| -rw-r--r-- | doc/manual/command-ref/conf-file.xml | 10 | ||||
| -rw-r--r-- | src/libstore/crypto.cc | 2 | ||||
| -rw-r--r-- | src/libstore/globals.hh | 7 | ||||
| -rw-r--r-- | tests/binary-cache.sh | 8 | ||||
| -rw-r--r-- | tests/signing.sh | 12 |
5 files changed, 20 insertions, 19 deletions
diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml index fb4d8cefc4d2..a28f70899141 100644 --- a/doc/manual/command-ref/conf-file.xml +++ b/doc/manual/command-ref/conf-file.xml @@ -406,17 +406,17 @@ false</literal>.</para> <listitem><para>If set to <literal>*</literal> (the default), Nix will only download binaries if they are signed using one of the - keys listed in <option>binary-cache-public-keys</option>. Set to + keys listed in <option>trusted-public-keys</option>. Set to the empty string to disable signature checking.</para></listitem> </varlistentry> - <varlistentry><term><literal>binary-cache-public-keys</literal></term> + <varlistentry><term><literal>trusted-public-keys</literal></term> - <listitem><para>A whitespace-separated list of public keys - corresponding to the secret keys trusted to sign binary - caches. For example: + <listitem><para>A whitespace-separated list of public keys. When + paths are copied from another Nix store (such as a binary cache), + they must be signed with one of these keys. For example: <literal>cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=</literal>.</para></listitem> diff --git a/src/libstore/crypto.cc b/src/libstore/crypto.cc index f56a6adab9c9..9ec8abd228e9 100644 --- a/src/libstore/crypto.cc +++ b/src/libstore/crypto.cc @@ -105,7 +105,7 @@ PublicKeys getDefaultPublicKeys() // FIXME: filter duplicates - for (auto s : settings.binaryCachePublicKeys.get()) { + for (auto s : settings.trustedPublicKeys.get()) { PublicKey key(s); publicKeys.emplace(key.name, key); } diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index a4aa842d70fd..70c01bb32665 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -259,10 +259,11 @@ public: Setting<bool> enforceDeterminism{this, true, "enforce-determinism", "Whether to fail if repeated builds produce different output."}; - Setting<Strings> binaryCachePublicKeys{this, + Setting<Strings> trustedPublicKeys{this, {"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="}, - "binary-cache-public-keys", - "Trusted public keys for secure substitution."}; + "trusted-public-keys", + "Trusted public keys for secure substitution.", + {"binary-cache-public-keys"}}; Setting<Strings> secretKeyFiles{this, {}, "secret-key-files", "Secret keys with which to sign local builds."}; diff --git a/tests/binary-cache.sh b/tests/binary-cache.sh index 2a044d2edc56..f7c0b2f78916 100644 --- a/tests/binary-cache.sh +++ b/tests/binary-cache.sh @@ -131,11 +131,11 @@ clearCacheCache clearStore clearCacheCache -(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$badKey") +(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$badKey") # It should succeed if we provide the correct key. -nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$otherKey $publicKey" +nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$otherKey $publicKey" # It should fail if we corrupt the .narinfo. @@ -152,10 +152,10 @@ done clearCacheCache -(! nix-store -r $outPath --option binary-caches "file://$cacheDir2" --option signed-binary-caches '*' --option binary-cache-public-keys "$publicKey") +(! nix-store -r $outPath --option binary-caches "file://$cacheDir2" --option signed-binary-caches '*' --option trusted-public-keys "$publicKey") # If we provide a bad and a good binary cache, it should succeed. -nix-store -r $outPath --option binary-caches "file://$cacheDir2 file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$publicKey" +nix-store -r $outPath --option binary-caches "file://$cacheDir2 file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$publicKey" fi # HAVE_LIBSODIUM diff --git a/tests/signing.sh b/tests/signing.sh index bef27ac7a58e..39aaa1e765bb 100644 --- a/tests/signing.sh +++ b/tests/signing.sh @@ -22,13 +22,13 @@ nix verify -r $outPath expect 2 nix verify -r $outPath --sigs-needed 1 -nix verify -r $outPath --sigs-needed 1 --binary-cache-public-keys $pk1 +nix verify -r $outPath --sigs-needed 1 --trusted-public-keys $pk1 -expect 2 nix verify -r $outPath --sigs-needed 2 --binary-cache-public-keys $pk1 +expect 2 nix verify -r $outPath --sigs-needed 2 --trusted-public-keys $pk1 -nix verify -r $outPath --sigs-needed 2 --binary-cache-public-keys "$pk1 $pk2" +nix verify -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2" -nix verify --all --sigs-needed 2 --binary-cache-public-keys "$pk1 $pk2" +nix verify --all --sigs-needed 2 --trusted-public-keys "$pk1 $pk2" # Build something unsigned. outPath2=$(nix-build simple.nix --no-out-link) @@ -45,12 +45,12 @@ nix verify -r $outPath2 expect 2 nix verify -r $outPath2 --sigs-needed 1 -expect 2 nix verify -r $outPath2 --sigs-needed 1 --binary-cache-public-keys $pk1 +expect 2 nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1 # Test "nix sign-paths". nix sign-paths --key-file $TEST_ROOT/sk1 $outPath2 -nix verify -r $outPath2 --sigs-needed 1 --binary-cache-public-keys $pk1 +nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1 # Copy to a binary cache. nix copy --to file://$cacheDir $outPath2 |