Move signatures from NarInfo to ValidPathInfo

This allows queryPathInfo() to return signatures.
2016-03-21 18:05:47 +01:00 · 2016-03-21 18:05:47 +01:00 · 712b616a84
parent cebc150b7c
commit 712b616a84
4 changed files with 21 additions and 11 deletions
--- a/src/libstore/binary-cache-store.cc
+++ b/src/libstore/binary-cache-store.cc
@ -126,8 +126,8 @@ NarInfo BinaryCacheStore::readNarInfo(const Path & storePath)
    stats.narInfoRead++;

    if (publicKeys) {
-        if (!narInfo->checkSignature(*publicKeys))
-            throw Error(format("invalid signature on NAR info file ‘%1%’") % narInfoFile);
+        if (!narInfo->checkSignatures(*publicKeys))
+            throw Error(format("no good signature on NAR info file ‘%1%’") % narInfoFile);
    }

    {
--- a/src/libstore/nar-info.cc
+++ b/src/libstore/nar-info.cc
@ -66,7 +66,7 @@ NarInfo::NarInfo(const std::string & s, const std::string & whence)
        else if (name == "System")
            system = value;
        else if (name == "Sig")
-            sig = value;
+            sigs.insert(value);

        pos = eol + 1;
    }
@ -98,7 +98,7 @@ std::string NarInfo::to_string() const
    if (!system.empty())
        res += "System: " + system + "\n";

-    if (!sig.empty())
+    for (auto sig : sigs)
        res += "Sig: " + sig + "\n";

    return res;
@ -123,12 +123,16 @@ Strings NarInfo::shortRefs() const

 void NarInfo::sign(const SecretKey & secretKey)
 {
-    sig = secretKey.signDetached(fingerprint());
+    sigs.insert(secretKey.signDetached(fingerprint()));
 }

-bool NarInfo::checkSignature(const PublicKeys & publicKeys) const
+unsigned int NarInfo::checkSignatures(const PublicKeys & publicKeys) const
 {
-    return sig != "" && verifyDetached(fingerprint(), sig, publicKeys);
+    unsigned int good = 0;
+    for (auto & sig : sigs)
+        if (verifyDetached(fingerprint(), sig, publicKeys))
+            good++;
+    return good;
 }

 }
--- a/src/libstore/nar-info.hh
+++ b/src/libstore/nar-info.hh
@ -13,7 +13,6 @@ struct NarInfo : ValidPathInfo
    Hash fileHash;
    uint64_t fileSize = 0;
    std::string system;
-    std::string sig; // FIXME: support multiple signatures

    NarInfo() { }
    NarInfo(const ValidPathInfo & info) : ValidPathInfo(info) { }
@ -31,9 +30,9 @@ struct NarInfo : ValidPathInfo

    void sign(const SecretKey & secretKey);

-    /* Return true iff this .narinfo is signed by one of the specified
-       keys. */
-    bool checkSignature(const PublicKeys & publicKeys) const;
+    /* Return the number of signatures on this .narinfo that were
+       produced by one of the specified keys. */
+    unsigned int checkSignatures(const PublicKeys & publicKeys) const;

 private:

--- a/src/libstore/store-api.hh
+++ b/src/libstore/store-api.hh
@ -98,6 +98,13 @@ struct ValidPathInfo
    unsigned long long narSize = 0; // 0 = unknown
    unsigned long long id; // internal use only

+    /* Whether the path is ultimately trusted, that is, it was built
+       locally or is content-addressable (e.g. added via addToStore()
+       or the result of a fixed-output derivation). */
+    bool ultimate = false;
+
+    StringSet sigs; // note: not necessarily verified
+
    bool operator == (const ValidPathInfo & i) const
    {
        return