From 147deb236ebc8474d0e53cb90b23f1d722486bb6 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date: Wed, 18 Feb 2015 11:19:44 +0100
Subject: [PATCH] nix-store --generate-binary-cache-key: Write key to disk

This ensures proper permissions for the secret key.
---
 src/nix-store/nix-store.cc | 12 ++++++++----
 tests/binary-cache.sh      | 16 +++++++---------
 2 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/src/nix-store/nix-store.cc b/src/nix-store/nix-store.cc
index c16adf049..7ce5f63c2 100644
--- a/src/nix-store/nix-store.cc
+++ b/src/nix-store/nix-store.cc
@@ -1015,8 +1015,11 @@ static void opGenerateBinaryCacheKey(Strings opFlags, Strings opArgs)
     foreach (Strings::iterator, i, opFlags)
         throw UsageError(format("unknown flag ‘%1%’") % *i);
 
-    if (opArgs.size() != 1) throw UsageError("one argument expected");
-    string keyName = opArgs.front();
+    if (opArgs.size() != 3) throw UsageError("three arguments expected");
+    auto i = opArgs.begin();
+    string keyName = *i++;
+    string secretKeyFile = *i++;
+    string publicKeyFile = *i++;
 
 #if HAVE_SODIUM
     sodium_init();
@@ -1026,8 +1029,9 @@ static void opGenerateBinaryCacheKey(Strings opFlags, Strings opArgs)
     if (crypto_sign_keypair(pk, sk) != 0)
         throw Error("key generation failed");
 
-    std::cout << keyName << ":" << base64Encode(string((char *) pk, crypto_sign_PUBLICKEYBYTES)) << std::endl;
-    std::cout << keyName << ":" << base64Encode(string((char *) sk, crypto_sign_SECRETKEYBYTES)) << std::endl;
+    writeFile(publicKeyFile, keyName + ":" + base64Encode(string((char *) pk, crypto_sign_PUBLICKEYBYTES)));
+    umask(0077);
+    writeFile(secretKeyFile, keyName + ":" + base64Encode(string((char *) sk, crypto_sign_SECRETKEYBYTES)));
 #else
     throw Error("Nix was not compiled with libsodium, required for signed binary cache support");
 #endif
diff --git a/tests/binary-cache.sh b/tests/binary-cache.sh
index 753c2c466..c72d2defa 100644
--- a/tests/binary-cache.sh
+++ b/tests/binary-cache.sh
@@ -94,18 +94,16 @@ if [ -n "$HAVE_SODIUM" ]; then
 # Create a signed binary cache.
 clearCache
 
-declare -a res=($(nix-store --generate-binary-cache-key test.nixos.org-1))
-publicKey="${res[0]}"
-secretKey="${res[1]}"
-echo "$secretKey" > $TEST_ROOT/secret-key
+declare -a res=($(nix-store --generate-binary-cache-key test.nixos.org-1 $TEST_ROOT/sk1 $TEST_ROOT/pk1 ))
+publicKey="$(cat $TEST_ROOT/pk1)"
 
-res=($(nix-store --generate-binary-cache-key test.nixos.org-1))
-badKey="${res[0]}"
+res=($(nix-store --generate-binary-cache-key test.nixos.org-1 $TEST_ROOT/sk2 $TEST_ROOT/pk2))
+badKey="$(cat $TEST_ROOT/pk2)"
 
-res=($(nix-store --generate-binary-cache-key foo.nixos.org-1))
-otherKey="${res[0]}"
+res=($(nix-store --generate-binary-cache-key foo.nixos.org-1 $TEST_ROOT/sk3 $TEST_ROOT/pk3))
+otherKey="$(cat $TEST_ROOT/pk3)"
 
-nix-push --dest $cacheDir --key-file $TEST_ROOT/secret-key $outPath
+nix-push --dest $cacheDir --key-file $TEST_ROOT/sk1 $outPath
 
 
 # Downloading should fail if we don't provide a key.