Allow Hydra's binary cache to be signed

This requires adding the following to hydra.conf:

  binary_cache_key_name = <key-name>
  binary_cache_private_key_file = <path-to-private-key>

e.g.

  binary_cache_key_name = hydra.nixos.org-1
  binary_cache_private_key_file = /home/hydra/cache-key.sec
Eelco Dolstra 2014-01-08 15:19:17 +01:00
parent de26b55afe
commit a598fe7e81


@ -4,6 +4,7 @@ use strict;
use base qw/Catalyst::View/; use base qw/Catalyst::View/;
use File::Basename; use File::Basename;
use Nix::Store; use Nix::Store;
use Nix::Crypto;
sub process { sub process {
my ($self, $c) = @_; my ($self, $c) = @_;
@ -29,6 +30,15 @@ sub process {
} }
} }
# Optionally, sign the NAR info file we just created.
my $privateKeyFile = $c->config->{binary_cache_private_key_file};
my $keyName = $c->config->{binary_cache_key_name};
if (defined $privateKeyFile && defined $keyName) {
my $sig = signString($privateKeyFile, $info);
$info .= "Signature: 1;$keyName;$sig\n";
}
$c->response->body($info); $c->response->body($info);
return 1; return 1;
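Review bot: Signing is skipped silently when only one of `binary_cache_private_key_file` and `binary_cache_key_name` is set, because the `if (defined $privateKeyFile && defined $keyName)` guard treats a half-configured cache the same as a deliberately unsigned one, so an operator who mistypes one option serves unsigned NAR info with no indication. I would fail closed just before the guard with `die "binary cache signing needs both binary_cache_key_name and binary_cache_private_key_file\n" if defined $privateKeyFile xor defined $keyName;`. The result of `signString` is also appended unchecked; how it reports failure is not visible here, so `die "signing NAR info failed\n" unless defined $sig && length $sig;` before the `$info .=` line would keep an empty `Signature:` field from being sent. Because `$keyName` is interpolated into a `;`-separated field that ends in a newline, rejecting configured names that contain `;` or a line break is worth adding as well. The body of `process` starts and ends outside these hunks.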