Re-implement binary cache signature checking
This is now done in LocalStore::addToStore(), rather than in the binary cache substituter (which no longer exists).
This commit is contained in:
parent
12ddbad458
commit
3593c8285d
|
@ -58,6 +58,8 @@ LocalStore::LocalStore()
|
|||
: linksDir(settings.nixStore + "/.links")
|
||||
, reservedPath(settings.nixDBPath + "/reserved")
|
||||
, schemaPath(settings.nixDBPath + "/schema")
|
||||
, requireSigs(settings.get("signed-binary-caches", std::string("")) != "") // FIXME: rename option
|
||||
, publicKeys(getDefaultPublicKeys())
|
||||
{
|
||||
auto state(_state.lock());
|
||||
|
||||
|
@ -909,6 +911,9 @@ void LocalStore::addToStore(const ValidPathInfo & info, const std::string & nar,
|
|||
throw Error(format("hash mismatch importing path ‘%s’; expected hash ‘%s’, got ‘%s’") %
|
||||
info.path % info.narHash.to_string() % h.to_string());
|
||||
|
||||
if (requireSigs && !info.checkSignatures(publicKeys))
|
||||
throw Error(format("cannot import path ‘%s’ because it lacks a valid signature") % info.path);
|
||||
|
||||
addTempRoot(info.path);
|
||||
|
||||
if (repair || !isValidPath(info.path)) {
|
||||
|
|
|
@ -77,6 +77,10 @@ private:
|
|||
const Path reservedPath;
|
||||
const Path schemaPath;
|
||||
|
||||
bool requireSigs;
|
||||
|
||||
PublicKeys publicKeys;
|
||||
|
||||
public:
|
||||
|
||||
/* Initialise the local store, upgrading the schema if
|
||||
|
|
|
@ -85,7 +85,7 @@ clearStore
|
|||
rm $(grep -l "StorePath:.*dependencies-input-2" $cacheDir/*.narinfo)
|
||||
|
||||
nix-build --option binary-caches "file://$cacheDir" dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log
|
||||
grep -q "Downloading" $TEST_ROOT/log
|
||||
grep -q "fetching path" $TEST_ROOT/log
|
||||
|
||||
|
||||
if [ -n "$HAVE_SODIUM" ]; then
|
||||
|
|
Loading…
Reference in a new issue