Allow substituters to be marked as trusted
This is needed by nixos-install, which uses the Nix store on the installation CD as a substituter. We don't want to disable signature checking entirely because substitutes from cache.nixos.org should still be checked. So now we can pas "local?trusted=1" to mark only the Nix store in /nix as not requiring signatures. Fixes #1819.
This commit is contained in:
parent
2175eee9fe
commit
bb1d046f5c
2 changed files with 7 additions and 2 deletions
|
@ -3684,7 +3684,10 @@ void SubstitutionGoal::tryNext()
|
||||||
/* Bail out early if this substituter lacks a valid
|
/* Bail out early if this substituter lacks a valid
|
||||||
signature. LocalStore::addToStore() also checks for this, but
|
signature. LocalStore::addToStore() also checks for this, but
|
||||||
only after we've downloaded the path. */
|
only after we've downloaded the path. */
|
||||||
if (worker.store.requireSigs && !info->checkSignatures(worker.store, worker.store.publicKeys)) {
|
if (worker.store.requireSigs
|
||||||
|
&& !sub->isTrusted
|
||||||
|
&& !info->checkSignatures(worker.store, worker.store.publicKeys))
|
||||||
|
{
|
||||||
printInfo(format("warning: substituter '%s' does not have a valid signature for path '%s'")
|
printInfo(format("warning: substituter '%s' does not have a valid signature for path '%s'")
|
||||||
% sub->getUri() % storePath);
|
% sub->getUri() % storePath);
|
||||||
tryNext();
|
tryNext();
|
||||||
|
@ -3752,7 +3755,7 @@ void SubstitutionGoal::tryToRun()
|
||||||
PushActivity pact(act.id);
|
PushActivity pact(act.id);
|
||||||
|
|
||||||
copyStorePath(ref<Store>(sub), ref<Store>(worker.store.shared_from_this()),
|
copyStorePath(ref<Store>(sub), ref<Store>(worker.store.shared_from_this()),
|
||||||
storePath, repair);
|
storePath, repair, sub->isTrusted ? NoCheckSigs : CheckSigs);
|
||||||
|
|
||||||
promise.set_value();
|
promise.set_value();
|
||||||
} catch (...) {
|
} catch (...) {
|
||||||
|
|
|
@ -248,6 +248,8 @@ public:
|
||||||
|
|
||||||
const Setting<int> pathInfoCacheSize{this, 65536, "path-info-cache-size", "size of the in-memory store path information cache"};
|
const Setting<int> pathInfoCacheSize{this, 65536, "path-info-cache-size", "size of the in-memory store path information cache"};
|
||||||
|
|
||||||
|
const Setting<bool> isTrusted{this, false, "trusted", "whether paths from this store can be used as substitutes even when they lack trusted signatures"};
|
||||||
|
|
||||||
protected:
|
protected:
|
||||||
|
|
||||||
struct State
|
struct State
|
||||||
|
|
Loading…
Reference in a new issue