2017-11-14 17:24:20 +00:00
|
|
|
source common.sh
|
|
|
|
|
|
|
|
|
|
clearStore
|
|
|
|
|
clearCache
|
|
|
|
|
|
|
|
|
|
nix-store --generate-binary-cache-key cache1.example.org $TEST_ROOT/sk1 $TEST_ROOT/pk1
|
|
|
|
|
pk1=$(cat $TEST_ROOT/pk1)
|
|
|
|
|
nix-store --generate-binary-cache-key cache2.example.org $TEST_ROOT/sk2 $TEST_ROOT/pk2
|
|
|
|
|
pk2=$(cat $TEST_ROOT/pk2)
|
|
|
|
|
|
|
|
|
|
# Build a path.
|
|
|
|
|
outPath=$(nix-build dependencies.nix --no-out-link --secret-key-files "$TEST_ROOT/sk1 $TEST_ROOT/sk2")
|
|
|
|
|
|
|
|
|
|
# Verify that the path got signed.
|
|
|
|
|
info=$(nix path-info --json $outPath)
|
|
|
|
|
[[ $info =~ '"ultimate":true' ]]
|
|
|
|
|
[[ $info =~ 'cache1.example.org' ]]
|
|
|
|
|
[[ $info =~ 'cache2.example.org' ]]
|
|
|
|
|
|
|
|
|
|
# Test "nix verify".
|
|
|
|
|
nix verify -r $outPath
|
|
|
|
|
|
|
|
|
|
expect 2 nix verify -r $outPath --sigs-needed 1
|
|
|
|
|
|
2017-11-20 16:29:54 +00:00
|
|
|
nix verify -r $outPath --sigs-needed 1 --trusted-public-keys $pk1
|
2017-11-14 17:24:20 +00:00
|
|
|
|
2017-11-20 16:29:54 +00:00
|
|
|
expect 2 nix verify -r $outPath --sigs-needed 2 --trusted-public-keys $pk1
|
2017-11-14 17:24:20 +00:00
|
|
|
|
2017-11-20 16:29:54 +00:00
|
|
|
nix verify -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
|
2017-11-14 17:24:20 +00:00
|
|
|
|
2017-11-20 16:29:54 +00:00
|
|
|
nix verify --all --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
|
2017-11-14 17:24:20 +00:00
|
|
|
|
|
|
|
|
# Build something unsigned.
|
|
|
|
|
outPath2=$(nix-build simple.nix --no-out-link)
|
|
|
|
|
|
|
|
|
|
nix verify -r $outPath
|
|
|
|
|
|
|
|
|
|
# Verify that the path did not get signed but does have the ultimate bit.
|
|
|
|
|
info=$(nix path-info --json $outPath2)
|
|
|
|
|
[[ $info =~ '"ultimate":true' ]]
|
|
|
|
|
(! [[ $info =~ 'signatures' ]])
|
|
|
|
|
|
|
|
|
|
# Test "nix verify".
|
|
|
|
|
nix verify -r $outPath2
|
|
|
|
|
|
|
|
|
|
expect 2 nix verify -r $outPath2 --sigs-needed 1
|
|
|
|
|
|
2017-11-20 16:29:54 +00:00
|
|
|
expect 2 nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
|
2017-11-14 17:24:20 +00:00
|
|
|
|
|
|
|
|
# Test "nix sign-paths".
|
|
|
|
|
nix sign-paths --key-file $TEST_ROOT/sk1 $outPath2
|
|
|
|
|
|
2017-11-20 16:29:54 +00:00
|
|
|
nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
|
2017-11-14 17:24:20 +00:00
|
|
|
|
|
|
|
|
# Copy to a binary cache.
|
|
|
|
|
nix copy --to file://$cacheDir $outPath2
|
|
|
|
|
|
|
|
|
|
# Verify that signatures got copied.
|
|
|
|
|
info=$(nix path-info --store file://$cacheDir --json $outPath2)
|
|
|
|
|
(! [[ $info =~ '"ultimate":true' ]])
|
|
|
|
|
[[ $info =~ 'cache1.example.org' ]]
|
|
|
|
|
(! [[ $info =~ 'cache2.example.org' ]])
|
2017-11-14 17:44:05 +00:00
|
|
|
|
|
|
|
|
# Verify that adding a signature to a path in a binary cache works.
|
|
|
|
|
nix sign-paths --store file://$cacheDir --key-file $TEST_ROOT/sk2 $outPath2
|
|
|
|
|
info=$(nix path-info --store file://$cacheDir --json $outPath2)
|
|
|
|
|
[[ $info =~ 'cache1.example.org' ]]
|
|
|
|
|
[[ $info =~ 'cache2.example.org' ]]
|
