From 73acb8b836affe5dfade9dd6e3339ad2f9191add Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Fri, 27 Jul 2012 12:16:02 -0400
Subject: Let build.cc verify the expected hash of a substituter's output

Since SubstitutionGoal::finished() in build.cc computes the hash anyway, we can prevent the inefficiency of computing the hash twice by letting the substituter tell Nix about the expected hash, which can then verify it.
---
 scripts/download-from-binary-cache.pl.in | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

(limited to 'scripts/download-from-binary-cache.pl.in')

diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in
index 9e1c774a5a7b..823ecd9d9194 100644
--- a/scripts/download-from-binary-cache.pl.in
+++ b/scripts/download-from-binary-cache.pl.in
@@ -432,13 +432,10 @@ sub downloadBinary {
 die "download of `$info->{url}' failed" . ($! ? ": $!" : "") . "\n" unless $? == 0;
 next;
 }
- # The hash in the manifest can be either in base-16 or
- # base-32. Handle both.
- $info->{narHash} =~ /^sha256:(.*)$/ or die "invalid hash";
- my $hash = $1;
- my $hash2 = hashPath("sha256", 1, $storePath);
- die "hash mismatch in downloaded path ‘$storePath’; expected $hash, got $hash2\n"
- if $hash ne $hash2;
+
+ # Tell Nix about the expected hash so it can verify it.
+ print "$info->{narHash}\n";
+ print STDERR "\n";
 return 1;
 }

-- cgit 1.4.1
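Review bot: The added `print "$info->{narHash}\n";` forwards the manifest's hash field to Nix without the format check the removed lines performed (`/^sha256:(.*)$/ or die "invalid hash"`), so an undefined, empty or multi-line value from the binary cache is now written straight into the substituter's output. Integrity of the downloaded path then rests entirely on the consumer comparing this line and failing closed when it is missing or malformed; the commit message says SubstitutionGoal::finished() in build.cc does this, but that code is not in this diff. Consider keeping a strict check before the print, for example `die "invalid hash\n" unless defined $info->{narHash} && $info->{narHash} =~ /\Asha256:[0-9a-z]+\z/;` (adjust the character class to the encodings the manifest may use). The purpose of `print STDERR "\n";` is also not evident from the hunk and deserves a one-line comment. downloadBinary's body starts outside the hunk.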