From e0def5bc4b41ad09ce3f188bf522814ef3389e1f Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 4 Feb 2015 16:43:32 +0100 Subject: Use libsodium instead of OpenSSL for binary cache signing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA signatures. Public keys are also much shorter, so they're now specified directly in the nix.conf option ‘binary-cache-public-keys’. The new command ‘nix-store --generate-binary-cache-key’ generates and prints a public and secret key. --- tests/binary-cache.sh | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) (limited to 'tests') diff --git a/tests/binary-cache.sh b/tests/binary-cache.sh index 6f0c36f6300f..b0e7f63ae0b6 100644 --- a/tests/binary-cache.sh +++ b/tests/binary-cache.sh @@ -87,3 +87,53 @@ rm $(grep -l "StorePath:.*dependencies-input-2" $cacheDir/*.narinfo) nix-build --option binary-caches "file://$cacheDir" dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log grep -q "Downloading" $TEST_ROOT/log + + +# Create a signed binary cache. +clearCache + +declare -a res=($(nix-store --generate-binary-cache-key test.nixos.org-1)) +publicKey="${res[0]}" +secretKey="${res[1]}" +echo "$secretKey" > $TEST_ROOT/secret-key + +res=($(nix-store --generate-binary-cache-key test.nixos.org-1)) +badKey="${res[0]}" + +res=($(nix-store --generate-binary-cache-key foo.nixos.org-1)) +otherKey="${res[0]}" + +nix-push --dest $cacheDir --key-file $TEST_ROOT/secret-key $outPath + + +# Downloading should fail if we don't provide a key. +clearStore + +rm -f $NIX_STATE_DIR/binary-cache* + +(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' ) + + +# And it should fail if we provide an incorrect key. +clearStore + +rm -f $NIX_STATE_DIR/binary-cache* + +(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$badKey") + + +# It should succeed if we provide the correct key. +nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$otherKey $publicKey" + + +# It should fail if we corrupt the .narinfo. +clearStore + +for i in $cacheDir/*.narinfo; do + grep -v References $i > $i.tmp + mv $i.tmp $i +done + +rm -f $NIX_STATE_DIR/binary-cache* + +(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$publicKey") -- cgit 1.4.1