lix-project/lix
20
55
Fork 31
Code Issues 344 Code Review (Gerrit) Projects 3 Releases Wiki Activity

Merge pull request #2452 from ElvishJerricco/verify-sigs-overflow

Browse source 
Fix overflow when verifying signatures of content addressable paths
This commit is contained in:
Eelco Dolstra 2018-10-08 12:03:03 +02:00 committed by GitHub
parent 0fda9b22c7 b7091ce41e
commit 01bd66bf83
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/nix/verify.cc
View file

@ -120,7 +120,7 @@ struct CmdVerify : StorePathsCommand
for (auto sig : sigs) { for (auto sig : sigs) {
if (sigsSeen.count(sig)) continue; if (sigsSeen.count(sig)) continue;
sigsSeen.insert(sig); sigsSeen.insert(sig);
if (info->checkSignature(publicKeys, sig)) if (validSigs < ValidPathInfo::maxSigs && info->checkSignature(publicKeys, sig))
validSigs++; validSigs++;
} }
}; };

4
tests/signing.sh
View file

@ -62,6 +62,10 @@ outPathCA=$(IMPURE_VAR1=foo IMPURE_VAR2=bar nix-build ./fixed.nix -A good.0 --no
nix verify $outPathCA nix verify $outPathCA
nix verify $outPathCA --sigs-needed 1000 nix verify $outPathCA --sigs-needed 1000
# Check that signing a content-addressed path doesn't overflow validSigs
nix sign-paths --key-file $TEST_ROOT/sk1 $outPathCA
nix verify -r $outPathCA --sigs-needed 1000 --trusted-public-keys $pk1
# Copy to a binary cache. # Copy to a binary cache.
nix copy --to file://$cacheDir $outPath2 nix copy --to file://$cacheDir $outPath2