From f3a5930488e4a25de33d9aacc2e14ae614614b5e Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 4 Feb 2015 17:59:31 +0100 Subject: Sign a subset of the .narinfo We only need to sign the store path, NAR hash and references (the "fingerprint"). Everything else is irrelevant to security. For instance, the compression algorithm or the hash of the compressed NAR don't matter as long as the contents of the uncompressed NAR are correct. (Maybe we should include derivers in the fingerprint, but they're broken and nobody cares about them. Also, it might be nice in the future if .narinfos contained signatures from multiple independent signers. But that's impossible if the deriver is included in the fingerprint, since everybody will tend to have a different deriver for the same store path.) Also renamed the "Signature" field to "Sig" since the format changed in an incompatible way. --- scripts/nix-push.in | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'scripts') diff --git a/scripts/nix-push.in b/scripts/nix-push.in index 0e90ab3c216b..a060ea128fd1 100755 --- a/scripts/nix-push.in +++ b/scripts/nix-push.in @@ -257,8 +257,9 @@ for (my $n = 0; $n < scalar @storePaths2; $n++) { chomp $s; my ($keyName, $secretKey) = split ":", $s; die "invalid secret key file ‘$secretKeyFile’\n" unless defined $keyName && defined $secretKey; - my $sig = encode_base64(signString(decode_base64($secretKey), $info), ""); - $info .= "Signature: 2;$keyName;$sig\n"; + my $fingerprint = fingerprintPath($storePath, $narHash, $refs); + my $sig = encode_base64(signString(decode_base64($secretKey), $fingerprint), ""); + $info .= "Sig: $keyName:$sig\n"; } my $pathHash = substr(basename($storePath), 0, 32); -- cgit 1.4.1