forked from lix-project/lix
nix-store --generate-binary-cache-key: Write key to disk
This ensures proper permissions for the secret key.
This commit is contained in:
parent
bd91064150
commit
147deb236e
|
@ -1015,8 +1015,11 @@ static void opGenerateBinaryCacheKey(Strings opFlags, Strings opArgs)
|
||||||
foreach (Strings::iterator, i, opFlags)
|
foreach (Strings::iterator, i, opFlags)
|
||||||
throw UsageError(format("unknown flag ‘%1%’") % *i);
|
throw UsageError(format("unknown flag ‘%1%’") % *i);
|
||||||
|
|
||||||
if (opArgs.size() != 1) throw UsageError("one argument expected");
|
if (opArgs.size() != 3) throw UsageError("three arguments expected");
|
||||||
string keyName = opArgs.front();
|
auto i = opArgs.begin();
|
||||||
|
string keyName = *i++;
|
||||||
|
string secretKeyFile = *i++;
|
||||||
|
string publicKeyFile = *i++;
|
||||||
|
|
||||||
#if HAVE_SODIUM
|
#if HAVE_SODIUM
|
||||||
sodium_init();
|
sodium_init();
|
||||||
|
@ -1026,8 +1029,9 @@ static void opGenerateBinaryCacheKey(Strings opFlags, Strings opArgs)
|
||||||
if (crypto_sign_keypair(pk, sk) != 0)
|
if (crypto_sign_keypair(pk, sk) != 0)
|
||||||
throw Error("key generation failed");
|
throw Error("key generation failed");
|
||||||
|
|
||||||
std::cout << keyName << ":" << base64Encode(string((char *) pk, crypto_sign_PUBLICKEYBYTES)) << std::endl;
|
writeFile(publicKeyFile, keyName + ":" + base64Encode(string((char *) pk, crypto_sign_PUBLICKEYBYTES)));
|
||||||
std::cout << keyName << ":" << base64Encode(string((char *) sk, crypto_sign_SECRETKEYBYTES)) << std::endl;
|
umask(0077);
|
||||||
|
writeFile(secretKeyFile, keyName + ":" + base64Encode(string((char *) sk, crypto_sign_SECRETKEYBYTES)));
|
||||||
#else
|
#else
|
||||||
throw Error("Nix was not compiled with libsodium, required for signed binary cache support");
|
throw Error("Nix was not compiled with libsodium, required for signed binary cache support");
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -94,18 +94,16 @@ if [ -n "$HAVE_SODIUM" ]; then
|
||||||
# Create a signed binary cache.
|
# Create a signed binary cache.
|
||||||
clearCache
|
clearCache
|
||||||
|
|
||||||
declare -a res=($(nix-store --generate-binary-cache-key test.nixos.org-1))
|
declare -a res=($(nix-store --generate-binary-cache-key test.nixos.org-1 $TEST_ROOT/sk1 $TEST_ROOT/pk1 ))
|
||||||
publicKey="${res[0]}"
|
publicKey="$(cat $TEST_ROOT/pk1)"
|
||||||
secretKey="${res[1]}"
|
|
||||||
echo "$secretKey" > $TEST_ROOT/secret-key
|
|
||||||
|
|
||||||
res=($(nix-store --generate-binary-cache-key test.nixos.org-1))
|
res=($(nix-store --generate-binary-cache-key test.nixos.org-1 $TEST_ROOT/sk2 $TEST_ROOT/pk2))
|
||||||
badKey="${res[0]}"
|
badKey="$(cat $TEST_ROOT/pk2)"
|
||||||
|
|
||||||
res=($(nix-store --generate-binary-cache-key foo.nixos.org-1))
|
res=($(nix-store --generate-binary-cache-key foo.nixos.org-1 $TEST_ROOT/sk3 $TEST_ROOT/pk3))
|
||||||
otherKey="${res[0]}"
|
otherKey="$(cat $TEST_ROOT/pk3)"
|
||||||
|
|
||||||
nix-push --dest $cacheDir --key-file $TEST_ROOT/secret-key $outPath
|
nix-push --dest $cacheDir --key-file $TEST_ROOT/sk1 $outPath
|
||||||
|
|
||||||
|
|
||||||
# Downloading should fail if we don't provide a key.
|
# Downloading should fail if we don't provide a key.
|
||||||
|
|
Loading…
Reference in a new issue