From 784ee35c80774c5f073b6b8be6ab3d4d7e38e2f1 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Tue, 29 Mar 2016 14:29:50 +0200
Subject: Add "nix verify-paths" command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Unlike "nix-store --verify-path", this command verifies signatures in addition to store path contents, is multi-threaded (especially useful when verifying binary caches), and has a progress indicator.
Example use:
$ nix verify-paths --store https://cache.nixos.org -r $(type -p thunderbird)
...
[17/132 checked] checking ‘/nix/store/rawakphadqrqxr6zri2rmnxh03gqkrl3-autogen-5.18.6’
---
 src/libstore/crypto.cc | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'src/libstore/crypto.cc')
diff --git a/src/libstore/crypto.cc b/src/libstore/crypto.cc
index caba22c1e274..94c582d65ca7 100644
--- a/src/libstore/crypto.cc
+++ b/src/libstore/crypto.cc
@@ -1,5 +1,6 @@
 #include "crypto.hh"
 #include "util.hh"
+#include "globals.hh"
 #if HAVE_SODIUM
 #include
@@ -98,4 +99,15 @@ bool verifyDetached(const std::string & data, const std::string & sig,
 #endif
 }
+PublicKeys getDefaultPublicKeys()
+{
+ PublicKeys publicKeys;
+ for (auto s : settings.get("binary-cache-public-keys", Strings())) {
+ PublicKey key(s);
+ publicKeys.emplace(key.name, key);
+ // FIXME: filter duplicates
+ }
+ return publicKeys;
+}
+
 }
--
cgit 1.4.1
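Review bot: In the new `getDefaultPublicKeys()`, `publicKeys.emplace(key.name, key)` ignores its result, so when two `binary-cache-public-keys` entries share a name the later one is silently dropped (assuming `PublicKeys` is a map keyed by name, which this hunk does not show). The `// FIXME: filter duplicates` case is therefore decided by list order, not by policy. This set appears to be what the new verify-paths command checks signatures against, so a repeated name with different key material should be surfaced: test the insert with `if (!publicKeys.emplace(key.name, key).second)` and emit a warning or error naming `key.name`. Separately, `for (auto s : ...)` copies every string and could be `for (const auto & s : ...)`. A one-line comment above the function saying it builds the trusted key set from the `binary-cache-public-keys` setting would also help callers.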