Diffstat (limited to 'scripts')
-rw-r--r--scripts/download-from-binary-cache.pl.in4
-rwxr-xr-xscripts/nix-build.in13
-rwxr-xr-xscripts/nix-push.in2
3 files changed, 15 insertions, 4 deletions
diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in
index 4655f9ac9a0e..bb63eafca522 100644
--- a/scripts/download-from-binary-cache.pl.in
+++ b/scripts/download-from-binary-cache.pl.in
@@ -54,6 +54,10 @@ sub isTrue {
     return $x eq "true" || $x eq "1";
 }
 
+# FIXME: this should be cache URLs required to have valid signatures,
+# or "*" to require signatures on all binary caches.
+# FIXME: should binary caches using a key in
+# ‘binary-cache-public-keys’ be trusted by default?
 my $requireSignedBinaryCaches = ($Nix::Config::config{"signed-binary-caches"} // "0") ne "0";
 
 my $curlConnectTimeout = int(
diff --git a/scripts/nix-build.in b/scripts/nix-build.in
index 7e1f28870309..19de6feb6080 100755
--- a/scripts/nix-build.in
+++ b/scripts/nix-build.in
@@ -30,6 +30,7 @@ my $myName = $runEnv ? "nix-shell" : "nix-build";
 
 my $inShebang = 0;
 my $script;
+my @savedArgs;
 
 my $tmpDir = mkTempDir($myName);
 
@@ -43,13 +44,14 @@ $SIG{'INT'} = sub { exit 1 };
 # Heuristic to see if we're invoked as a shebang script, namely, if we
 # have a single argument, it's the name of an executable file, and it
 # starts with "#!".
-if ($runEnv && scalar @ARGV == 1) {
+if ($runEnv && $ARGV[0] !~ /nix-shell/) {
     $script = $ARGV[0];
     if (-f $script && -x $script) {
         open SCRIPT, "<$script" or die "$0: cannot open ‘$script’: $!\n";
         my $first = <SCRIPT>;
         if ($first =~ /^\#\!/) {
             $inShebang = 1;
+            @savedArgs = @ARGV; shift @savedArgs;
             @ARGV = ();
             while (<SCRIPT>) {
                 chomp;
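Review bot: The new condition `$ARGV[0] !~ /nix-shell/` reads `$ARGV[0]` without checking that an argument exists, so with an empty `@ARGV` the match and the following `-f`/`-x` tests run on undef (and emit uninitialized-value warnings if warnings are enabled). `if ($runEnv && defined $ARGV[0] && $ARGV[0] !~ /nix-shell/)` avoids that. The pattern is also an unanchored substring test, so a script whose path merely contains "nix-shell" is no longer recognised as a shebang script. The comment above the condition still describes the old "single argument" heuristic and should be updated to say what the regex is meant to exclude. The `if` block and the `while` loop continue past the end of this hunk.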
@@ -193,7 +195,12 @@ for (my $n = 0; $n < scalar @ARGV; $n++) {
         # or (undocumented) argv[0] does not contain "perl". Exploit
         # the latter by doing "exec -a".
         my $execArgs = $interpreter =~ /perl/ ? "-a PERL" : "";
-        $envCommand = "exec $execArgs $interpreter $script";
+        sub shellEscape {
+            my $s = $_;
+            $s =~ s/'/'\\''/g;
+            return "'" . $s . "'";
+        }
+        $envCommand = "exec $execArgs $interpreter $script ${\(join ' ', (map shellEscape, @savedArgs))}";
     }
 
     elsif (substr($arg, 0, 1) eq "-") {
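Review bot: `$script` is still interpolated unquoted into `$envCommand`, so only the saved arguments are escaped; since the string is presumably handed to a shell (it relies on `exec -a`), a script path containing spaces or shell metacharacters would be word-split or interpreted. Passing it through the same helper closes the gap: `$envCommand = "exec $execArgs $interpreter " . join(' ', map { shellEscape($_) } $script, @savedArgs);`. `shellEscape` also reads the global `$_` instead of its argument and is a named sub declared inside the loop body, which Perl installs at package scope anyway; defining it at file level with `my ($s) = @_;` would be clearer. `$interpreter` is likewise unquoted, though it may intentionally carry several words, so confirm before quoting it. The enclosing `for` loop starts outside the hunk.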
@@ -231,7 +238,7 @@ foreach my $expr (@exprs) {
         # If we're in a #! script, interpret filenames relative to the
         # script.
         $expr = dirname(Cwd::abs_path($script)) . "/" . $expr
-            if $inShebang && $expr !~ /^\//;
+            if $inShebang && !$packages && $expr !~ /^\//;
 
         # !!! would prefer the perl 5.8.0 pipe open feature here.
         my $pid = open(DRVPATHS, "-|") || exec "$Nix::Config::binDir/nix-instantiate", "--add-root", $drvLink, "--indirect", @instArgs, $expr;
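Review bot: The comment above the changed statement still says filenames are interpreted relative to the script and does not mention the new `!$packages` exception. Assuming the intent is that the expressions are not file names when `$packages` is set, extend it with a line such as `# Not when $packages is set: the expressions are then not file names.` so the next reader does not remove the condition as redundant. The `foreach` body starts and ends outside the hunk.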
diff --git a/scripts/nix-push.in b/scripts/nix-push.in
index a060ea128fd1..d5d3bc1e7e79 100755
--- a/scripts/nix-push.in
+++ b/scripts/nix-push.in
@@ -257,7 +257,7 @@ for (my $n = 0; $n < scalar @storePaths2; $n++) {
         chomp $s;
         my ($keyName, $secretKey) = split ":", $s;
         die "invalid secret key file ‘$secretKeyFile’\n" unless defined $keyName && defined $secretKey;
-        my $fingerprint = fingerprintPath($storePath, $narHash, $refs);
+        my $fingerprint = fingerprintPath($storePath, $narHash, $narSize, $refs);
         my $sig = encode_base64(signString(decode_base64($secretKey), $fingerprint), "");
         $info .= "Sig: $keyName:$sig\n";
     }
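Review bot: Adding `$narSize` to the `fingerprintPath` call changes the data that is signed, but nothing at the call site records that the verifying side must compute the fingerprint from the same fields in the same order. The definition of `fingerprintPath` and the verifier are outside this diff (which is limited to `scripts`), so this cannot be checked here; presumably they change in the same commit. A comment above the call would help, e.g. `# Signed fields (store path, NAR hash, NAR size, references) must match what the verifier recomputes.` It is also worth confirming that signatures made with the old three-argument fingerprint are expected to stop verifying, and that `$narSize` is always defined at this point in the loop, which begins outside the hunk.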