0
0
Fork 0
forked from lix-project/lix
Commit graph

19 commits

Author SHA1 Message Date
Eelco Dolstra 147deb236e nix-store --generate-binary-cache-key: Write key to disk
This ensures proper permissions for the secret key.
2015-02-18 11:19:44 +01:00
Eelco Dolstra 1c972cba14 Make libsodium an optional dependency 2015-02-10 11:54:06 +01:00
Eelco Dolstra e0def5bc4b Use libsodium instead of OpenSSL for binary cache signing
Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA
signatures. Public keys are also much shorter, so they're now
specified directly in the nix.conf option ‘binary-cache-public-keys’.

The new command ‘nix-store --generate-binary-cache-key’ generates and
prints a public and secret key.
2015-02-04 17:10:31 +01:00
Eelco Dolstra 3d0a9ec825 Test executables in NARs 2014-02-26 18:59:01 +01:00
Eelco Dolstra 832377bbd6 Add a test for repairing paths 2014-02-17 12:22:50 +01:00
Eelco Dolstra f4013b6189 Fix signed-binary-caches test 2014-01-08 17:57:22 +01:00
Eelco Dolstra ea38e39a20 Test whether Nix correctly checks the hash of downloaded NARs 2014-01-08 17:56:30 +01:00
Eelco Dolstra 0fdf4da0e9 Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.

To create a private/public key pair for signing and verifying a binary
cache, do:

  $ openssl genrsa -out ./cache-key.sec 2048
  $ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub

You should also come up with a symbolic name for the key, such as
"cache.example.org-1".  This will be used by clients to look up the
public key.  (It's a good idea to number keys, in case you ever need
to revoke/replace one.)

To create a binary cache signed with the private key:

  $ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1

The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:

  signed-binary-caches = *
  binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub

If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:

  *** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...

On the other hand, if the signature is wrong, you get a message like

  NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring

Signatures are implemented as a single line appended to the NAR info
file, which looks like this:

  Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==

Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.

Issue .
2014-01-08 15:42:53 +01:00
Eelco Dolstra 5116214343 Add support for uncompressed NARs in binary caches
Issue .
2013-07-01 21:03:14 +02:00
Eelco Dolstra a9b4e26b5c Test whether --fallback works if NARS have disappeared from the binary cache 2013-04-23 12:44:01 +02:00
Eelco Dolstra c642441beb Test NAR info caching 2013-04-23 12:43:28 +02:00
Eelco Dolstra 299141ecbd If a substitute closure is incomplete, build dependencies, then retry the substituter
Issue .
2013-01-02 12:38:28 +01:00
Eelco Dolstra 82248abd8f Add a test for incomplete closures in the binary cache
Issue .
2013-01-02 11:45:23 +01:00
Eelco Dolstra 21c2d8d102 Test the ‘--prebuilt-only’ flag 2012-12-03 21:02:06 +01:00
Eelco Dolstra 4ba47205c6 Fix test failure on Darwin
Apparently our DBD::SQLite links against /usr/lib/libsqlite3.dylib,
which is an old version that doesn't respect foreign key constraints.
So manifests/cache.sqlite doesn't get updated properly when a manifest
disappears.  We should fix our DBD::SQLite, but in the meantime this
will fix the test.

http://hydra.nixos.org/build/3017959
2012-09-12 11:29:10 -04:00
Eelco Dolstra f3eb29c653 Fix the test 2012-07-30 17:09:13 -04:00
Eelco Dolstra 66a3ac6a56 Allow a binary cache to declare that it doesn't support "nix-env -qas"
Querying all substitutable paths via "nix-env -qas" is potentially
hard on a server, since it involves sending thousands of HEAD
requests.  So a binary cache must now have a meta-info file named
"nix-cache-info" that specifies whether the server wants this.  It
also specifies the store prefix so that we don't send useless queries
to a binary cache for a different store prefix.
2012-07-27 18:16:05 -04:00
Eelco Dolstra e6ab52cdd1 Test "nix-env -qas" with the binary cache substituter 2012-07-27 14:15:03 -04:00
Eelco Dolstra 609586a16d Add a test for the binary cache substituter 2012-07-26 17:13:14 -04:00