signed-binary-caches -> require-sigs
Unlike signed-binary-caches (which could only be '*' or ''), require-sigs is a proper Boolean option. The default is true.
This commit is contained in:
parent
d0b88db441
commit
91a1987607
5 changed files with 25 additions and 17 deletions
|
@ -402,12 +402,15 @@ false</literal>.</para>
|
|||
</varlistentry>
|
||||
|
||||
|
||||
<varlistentry><term><literal>signed-binary-caches</literal></term>
|
||||
<varlistentry><term><literal>require-sigs</literal></term>
|
||||
|
||||
<listitem><para>If set to <literal>*</literal> (the default), Nix
|
||||
will only download binaries if they are signed using one of the
|
||||
keys listed in <option>trusted-public-keys</option>. Set to
|
||||
the empty string to disable signature checking.</para></listitem>
|
||||
<listitem><para>If set to <literal>true</literal> (the default),
|
||||
any non-content-addressed path added or copied to the Nix store
|
||||
(e.g. when substituting from a binary cache) must have a valid
|
||||
signature, that is, be signed using one of the keys listed in
|
||||
<option>trusted-public-keys</option>. Set to
|
||||
<literal>false</literal> to disable signature
|
||||
checking.</para></listitem>
|
||||
|
||||
</varlistentry>
|
||||
|
||||
|
|
|
@ -281,6 +281,11 @@ public:
|
|||
Setting<std::string> signedBinaryCaches{this, "*", "signed-binary-caches",
|
||||
"Obsolete."};
|
||||
|
||||
Setting<bool> requireSigs{this, signedBinaryCaches == "*", "require-sigs",
|
||||
"Whether to check that any non-content-addressed path added to the "
|
||||
"Nix store has a valid signature (that is, one signed using a key "
|
||||
"listed in 'trusted-public-keys'."};
|
||||
|
||||
Setting<Strings> substituters{this,
|
||||
nixStore == "/nix/store" ? Strings{"https://cache.nixos.org/"} : Strings(),
|
||||
"substituters",
|
||||
|
|
|
@ -97,7 +97,7 @@ public:
|
|||
private:
|
||||
|
||||
Setting<bool> requireSigs{(Store*) this,
|
||||
settings.signedBinaryCaches != "", // FIXME
|
||||
settings.requireSigs,
|
||||
"require-sigs", "whether store paths should have a trusted signature on import"};
|
||||
|
||||
PublicKeys publicKeys;
|
||||
|
|
|
@ -18,7 +18,7 @@ basicTests() {
|
|||
|
||||
nix-env --option binary-caches "file://$cacheDir" -f dependencies.nix -qas \* | grep -- "---"
|
||||
|
||||
nix-store --option binary-caches "file://$cacheDir" --option signed-binary-caches '' -r $outPath
|
||||
nix-store --option binary-caches "file://$cacheDir" --no-require-sigs -r $outPath
|
||||
|
||||
[ -x $outPath/program ]
|
||||
|
||||
|
@ -34,7 +34,7 @@ basicTests() {
|
|||
x=$(nix-env -f dependencies.nix -qas \* --prebuilt-only)
|
||||
[ -z "$x" ]
|
||||
|
||||
nix-store --option binary-caches "file://$cacheDir" --option signed-binary-caches '' -r $outPath
|
||||
nix-store --option binary-caches "file://$cacheDir" --no-require-sigs -r $outPath
|
||||
|
||||
nix-store --check-validity $outPath
|
||||
nix-store -qR $outPath | grep input-2
|
||||
|
@ -63,7 +63,7 @@ mv $nar $nar.good
|
|||
mkdir -p $TEST_ROOT/empty
|
||||
nix-store --dump $TEST_ROOT/empty | xz > $nar
|
||||
|
||||
nix-build --option binary-caches "file://$cacheDir" --option signed-binary-caches '' dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log
|
||||
nix-build --option binary-caches "file://$cacheDir" --no-require-sigs dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log
|
||||
grep -q "hash mismatch" $TEST_ROOT/log
|
||||
|
||||
mv $nar.good $nar
|
||||
|
@ -99,7 +99,7 @@ clearStore
|
|||
|
||||
rm $(grep -l "StorePath:.*dependencies-input-2" $cacheDir/*.narinfo)
|
||||
|
||||
nix-build --option binary-caches "file://$cacheDir" --option signed-binary-caches '' dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log
|
||||
nix-build --option binary-caches "file://$cacheDir" --no-require-sigs dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log
|
||||
grep -q "copying path" $TEST_ROOT/log
|
||||
|
||||
|
||||
|
@ -124,18 +124,18 @@ nix copy --to file://$cacheDir?secret-key=$TEST_ROOT/sk1 $outPath
|
|||
clearStore
|
||||
clearCacheCache
|
||||
|
||||
(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' )
|
||||
(! nix-store -r $outPath --option binary-caches "file://$cacheDir")
|
||||
|
||||
|
||||
# And it should fail if we provide an incorrect key.
|
||||
clearStore
|
||||
clearCacheCache
|
||||
|
||||
(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$badKey")
|
||||
(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option trusted-public-keys "$badKey")
|
||||
|
||||
|
||||
# It should succeed if we provide the correct key.
|
||||
nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$otherKey $publicKey"
|
||||
nix-store -r $outPath --option binary-caches "file://$cacheDir" --option trusted-public-keys "$otherKey $publicKey"
|
||||
|
||||
|
||||
# It should fail if we corrupt the .narinfo.
|
||||
|
@ -152,10 +152,10 @@ done
|
|||
|
||||
clearCacheCache
|
||||
|
||||
(! nix-store -r $outPath --option binary-caches "file://$cacheDir2" --option signed-binary-caches '*' --option trusted-public-keys "$publicKey")
|
||||
(! nix-store -r $outPath --option binary-caches "file://$cacheDir2" --option trusted-public-keys "$publicKey")
|
||||
|
||||
# If we provide a bad and a good binary cache, it should succeed.
|
||||
|
||||
nix-store -r $outPath --option binary-caches "file://$cacheDir2 file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$publicKey"
|
||||
nix-store -r $outPath --option binary-caches "file://$cacheDir2 file://$cacheDir" --option trusted-public-keys "$publicKey"
|
||||
|
||||
fi # HAVE_LIBSODIUM
|
||||
|
|
|
@ -51,7 +51,7 @@ nix copy --to file://$cacheDir $path
|
|||
chmod u+w $path2
|
||||
rm -rf $path2
|
||||
|
||||
nix-store --verify --check-contents --repair --option binary-caches "file://$cacheDir" --option signed-binary-caches ''
|
||||
nix-store --verify --check-contents --repair --option binary-caches "file://$cacheDir" --no-require-sigs
|
||||
|
||||
if [ "$(nix-hash $path2)" != "$hash" -o -e $path2/bad ]; then
|
||||
echo "path not repaired properly" >&2
|
||||
|
@ -69,7 +69,7 @@ if nix-store --verify-path $path2; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
nix-store --repair-path $path2 --option binary-caches "file://$cacheDir" --option signed-binary-caches ''
|
||||
nix-store --repair-path $path2 --option binary-caches "file://$cacheDir" --no-require-sigs
|
||||
|
||||
if [ "$(nix-hash $path2)" != "$hash" -o -e $path2/bad ]; then
|
||||
echo "path not repaired properly" >&2
|
||||
|
|
Loading…
Reference in a new issue