nix-store --generate-binary-cache-key: Write key to disk

This ensures proper permissions for the secret key.
This commit is contained in:
Eelco Dolstra 2015-02-18 11:19:44 +01:00
parent bd91064150
commit 147deb236e
2 changed files with 15 additions and 13 deletions

View file

@ -1015,8 +1015,11 @@ static void opGenerateBinaryCacheKey(Strings opFlags, Strings opArgs)
foreach (Strings::iterator, i, opFlags) foreach (Strings::iterator, i, opFlags)
throw UsageError(format("unknown flag %1%") % *i); throw UsageError(format("unknown flag %1%") % *i);
if (opArgs.size() != 1) throw UsageError("one argument expected"); if (opArgs.size() != 3) throw UsageError("three arguments expected");
string keyName = opArgs.front(); auto i = opArgs.begin();
string keyName = *i++;
string secretKeyFile = *i++;
string publicKeyFile = *i++;
#if HAVE_SODIUM #if HAVE_SODIUM
sodium_init(); sodium_init();
@ -1026,8 +1029,9 @@ static void opGenerateBinaryCacheKey(Strings opFlags, Strings opArgs)
if (crypto_sign_keypair(pk, sk) != 0) if (crypto_sign_keypair(pk, sk) != 0)
throw Error("key generation failed"); throw Error("key generation failed");
std::cout << keyName << ":" << base64Encode(string((char *) pk, crypto_sign_PUBLICKEYBYTES)) << std::endl; writeFile(publicKeyFile, keyName + ":" + base64Encode(string((char *) pk, crypto_sign_PUBLICKEYBYTES)));
std::cout << keyName << ":" << base64Encode(string((char *) sk, crypto_sign_SECRETKEYBYTES)) << std::endl; umask(0077);
writeFile(secretKeyFile, keyName + ":" + base64Encode(string((char *) sk, crypto_sign_SECRETKEYBYTES)));
#else #else
throw Error("Nix was not compiled with libsodium, required for signed binary cache support"); throw Error("Nix was not compiled with libsodium, required for signed binary cache support");
#endif #endif

View file

@ -94,18 +94,16 @@ if [ -n "$HAVE_SODIUM" ]; then
# Create a signed binary cache. # Create a signed binary cache.
clearCache clearCache
declare -a res=($(nix-store --generate-binary-cache-key test.nixos.org-1)) declare -a res=($(nix-store --generate-binary-cache-key test.nixos.org-1 $TEST_ROOT/sk1 $TEST_ROOT/pk1 ))
publicKey="${res[0]}" publicKey="$(cat $TEST_ROOT/pk1)"
secretKey="${res[1]}"
echo "$secretKey" > $TEST_ROOT/secret-key
res=($(nix-store --generate-binary-cache-key test.nixos.org-1)) res=($(nix-store --generate-binary-cache-key test.nixos.org-1 $TEST_ROOT/sk2 $TEST_ROOT/pk2))
badKey="${res[0]}" badKey="$(cat $TEST_ROOT/pk2)"
res=($(nix-store --generate-binary-cache-key foo.nixos.org-1)) res=($(nix-store --generate-binary-cache-key foo.nixos.org-1 $TEST_ROOT/sk3 $TEST_ROOT/pk3))
otherKey="${res[0]}" otherKey="$(cat $TEST_ROOT/pk3)"
nix-push --dest $cacheDir --key-file $TEST_ROOT/secret-key $outPath nix-push --dest $cacheDir --key-file $TEST_ROOT/sk1 $outPath
# Downloading should fail if we don't provide a key. # Downloading should fail if we don't provide a key.