8d4268d190
Changes:
* The divider lines are gone. These were in practice a bit confusing,
in particular with --show-trace or --keep-going, since then there
were multiple lines, suggesting a start/end which wasn't the case.
* Instead, multi-line error messages are now indented to align with
the prefix (e.g. "error: ").
* The 'description' field is gone since we weren't really using it.
* 'hint' is renamed to 'msg' since it really wasn't a hint.
* The error is now printed *before* the location info.
* The 'name' field is no longer printed since most of the time it
wasn't very useful since it was just the name of the exception (like
EvalError). Ideally in the future this would be a unique, easily
googleable error ID (like rustc).
* "trace:" is now just "…". This assumes error contexts start with
something like "while doing X".
Example before:
error: --- AssertionError ---------------------------------------------------------------------------------------- nix
at: (7:7) in file: /home/eelco/Dev/nixpkgs/pkgs/applications/misc/hello/default.nix
6|
7| x = assert false; 1;
| ^
8|
assertion 'false' failed
----------------------------------------------------- show-trace -----------------------------------------------------
trace: while evaluating the attribute 'x' of the derivation 'hello-2.10'
at: (192:11) in file: /home/eelco/Dev/nixpkgs/pkgs/stdenv/generic/make-derivation.nix
191| // (lib.optionalAttrs (!(attrs ? name) && attrs ? pname && attrs ? version)) {
192| name = "${attrs.pname}-${attrs.version}";
| ^
193| } // (lib.optionalAttrs (stdenv.hostPlatform != stdenv.buildPlatform && !dontAddHostSuffix && (attrs ? name || (attrs ? pname && attrs ? version)))) {
Example after:
error: assertion 'false' failed
at: (7:7) in file: /home/eelco/Dev/nixpkgs/pkgs/applications/misc/hello/default.nix
6|
7| x = assert false; 1;
| ^
8|
… while evaluating the attribute 'x' of the derivation 'hello-2.10'
at: (192:11) in file: /home/eelco/Dev/nixpkgs/pkgs/stdenv/generic/make-derivation.nix
191| // (lib.optionalAttrs (!(attrs ? name) && attrs ? pname && attrs ? version)) {
192| name = "${attrs.pname}-${attrs.version}";
| ^
193| } // (lib.optionalAttrs (stdenv.hostPlatform != stdenv.buildPlatform && !dontAddHostSuffix && (attrs ? name || (attrs ? pname && attrs ? version)))) {
182 lines
5.9 KiB
C++
182 lines
5.9 KiB
C++
#include "command.hh"
|
|
#include "shared.hh"
|
|
#include "store-api.hh"
|
|
#include "sync.hh"
|
|
#include "thread-pool.hh"
|
|
#include "references.hh"
|
|
|
|
#include <atomic>
|
|
|
|
using namespace nix;
|
|
|
|
struct CmdVerify : StorePathsCommand
|
|
{
|
|
bool noContents = false;
|
|
bool noTrust = false;
|
|
Strings substituterUris;
|
|
size_t sigsNeeded = 0;
|
|
|
|
CmdVerify()
|
|
{
|
|
mkFlag(0, "no-contents", "Do not verify the contents of each store path.", &noContents);
|
|
mkFlag(0, "no-trust", "Do not verify whether each store path is trusted.", &noTrust);
|
|
|
|
addFlag({
|
|
.longName = "substituter",
|
|
.shortName = 's',
|
|
.description = "Use signatures from the specified store.",
|
|
.labels = {"store-uri"},
|
|
.handler = {[&](std::string s) { substituterUris.push_back(s); }}
|
|
});
|
|
|
|
addFlag({
|
|
.longName = "sigs-needed",
|
|
.shortName = 'n',
|
|
.description = "Require that each path has at least *n* valid signatures.",
|
|
.labels = {"n"},
|
|
.handler = {&sigsNeeded}
|
|
});
|
|
}
|
|
|
|
std::string description() override
|
|
{
|
|
return "verify the integrity of store paths";
|
|
}
|
|
|
|
std::string doc() override
|
|
{
|
|
return
|
|
#include "verify.md"
|
|
;
|
|
}
|
|
|
|
void run(ref<Store> store, StorePaths storePaths) override
|
|
{
|
|
std::vector<ref<Store>> substituters;
|
|
for (auto & s : substituterUris)
|
|
substituters.push_back(openStore(s));
|
|
|
|
auto publicKeys = getDefaultPublicKeys();
|
|
|
|
Activity act(*logger, actVerifyPaths);
|
|
|
|
std::atomic<size_t> done{0};
|
|
std::atomic<size_t> untrusted{0};
|
|
std::atomic<size_t> corrupted{0};
|
|
std::atomic<size_t> failed{0};
|
|
std::atomic<size_t> active{0};
|
|
|
|
auto update = [&]() {
|
|
act.progress(done, storePaths.size(), active, failed);
|
|
};
|
|
|
|
ThreadPool pool;
|
|
|
|
auto doPath = [&](const Path & storePath) {
|
|
try {
|
|
checkInterrupt();
|
|
|
|
MaintainCount<std::atomic<size_t>> mcActive(active);
|
|
update();
|
|
|
|
auto info = store->queryPathInfo(store->parseStorePath(storePath));
|
|
|
|
// Note: info->path can be different from storePath
|
|
// for binary cache stores when using --all (since we
|
|
// can't enumerate names efficiently).
|
|
Activity act2(*logger, lvlInfo, actUnknown, fmt("checking '%s'", store->printStorePath(info->path)));
|
|
|
|
if (!noContents) {
|
|
|
|
std::unique_ptr<AbstractHashSink> hashSink;
|
|
if (!info->ca)
|
|
hashSink = std::make_unique<HashSink>(info->narHash.type);
|
|
else
|
|
hashSink = std::make_unique<HashModuloSink>(info->narHash.type, std::string(info->path.hashPart()));
|
|
|
|
store->narFromPath(info->path, *hashSink);
|
|
|
|
auto hash = hashSink->finish();
|
|
|
|
if (hash.first != info->narHash) {
|
|
corrupted++;
|
|
act2.result(resCorruptedPath, store->printStorePath(info->path));
|
|
printError("path '%s' was modified! expected hash '%s', got '%s'",
|
|
store->printStorePath(info->path),
|
|
info->narHash.to_string(Base32, true),
|
|
hash.first.to_string(Base32, true));
|
|
}
|
|
}
|
|
|
|
if (!noTrust) {
|
|
|
|
bool good = false;
|
|
|
|
if (info->ultimate && !sigsNeeded)
|
|
good = true;
|
|
|
|
else {
|
|
|
|
StringSet sigsSeen;
|
|
size_t actualSigsNeeded = std::max(sigsNeeded, (size_t) 1);
|
|
size_t validSigs = 0;
|
|
|
|
auto doSigs = [&](StringSet sigs) {
|
|
for (auto sig : sigs) {
|
|
if (!sigsSeen.insert(sig).second) continue;
|
|
if (validSigs < ValidPathInfo::maxSigs && info->checkSignature(*store, publicKeys, sig))
|
|
validSigs++;
|
|
}
|
|
};
|
|
|
|
if (info->isContentAddressed(*store)) validSigs = ValidPathInfo::maxSigs;
|
|
|
|
doSigs(info->sigs);
|
|
|
|
for (auto & store2 : substituters) {
|
|
if (validSigs >= actualSigsNeeded) break;
|
|
try {
|
|
auto info2 = store2->queryPathInfo(info->path);
|
|
if (info2->isContentAddressed(*store)) validSigs = ValidPathInfo::maxSigs;
|
|
doSigs(info2->sigs);
|
|
} catch (InvalidPath &) {
|
|
} catch (Error & e) {
|
|
logError(e.info());
|
|
}
|
|
}
|
|
|
|
if (validSigs >= actualSigsNeeded)
|
|
good = true;
|
|
}
|
|
|
|
if (!good) {
|
|
untrusted++;
|
|
act2.result(resUntrustedPath, store->printStorePath(info->path));
|
|
printError("path '%s' is untrusted", store->printStorePath(info->path));
|
|
}
|
|
|
|
}
|
|
|
|
done++;
|
|
|
|
} catch (Error & e) {
|
|
logError(e.info());
|
|
failed++;
|
|
}
|
|
|
|
update();
|
|
};
|
|
|
|
for (auto & storePath : storePaths)
|
|
pool.enqueue(std::bind(doPath, store->printStorePath(storePath)));
|
|
|
|
pool.process();
|
|
|
|
throw Exit(
|
|
(corrupted ? 1 : 0) |
|
|
(untrusted ? 2 : 0) |
|
|
(failed ? 4 : 0));
|
|
}
|
|
};
|
|
|
|
static auto rCmdVerify = registerCommand2<CmdVerify>({"store", "verify"});
|