diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml index a28f70899..c3a9cc560 100644 --- a/doc/manual/command-ref/conf-file.xml +++ b/doc/manual/command-ref/conf-file.xml @@ -402,12 +402,15 @@ false. - signed-binary-caches + require-sigs - If set to * (the default), Nix - will only download binaries if they are signed using one of the - keys listed in . Set to - the empty string to disable signature checking. + If set to true (the default), + any non-content-addressed path added or copied to the Nix store + (e.g. when substituting from a binary cache) must have a valid + signature, that is, be signed using one of the keys listed in + . Set to + false to disable signature + checking. diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index 70c01bb32..5c857cbb6 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -281,6 +281,11 @@ public: Setting signedBinaryCaches{this, "*", "signed-binary-caches", "Obsolete."}; + Setting requireSigs{this, signedBinaryCaches == "*", "require-sigs", + "Whether to check that any non-content-addressed path added to the " + "Nix store has a valid signature (that is, one signed using a key " + "listed in 'trusted-public-keys'."}; + Setting substituters{this, nixStore == "/nix/store" ? Strings{"https://cache.nixos.org/"} : Strings(), "substituters", diff --git a/src/libstore/local-store.hh b/src/libstore/local-store.hh index 0a3841133..d35cd1a94 100644 --- a/src/libstore/local-store.hh +++ b/src/libstore/local-store.hh @@ -97,7 +97,7 @@ public: private: Setting requireSigs{(Store*) this, - settings.signedBinaryCaches != "", // FIXME + settings.requireSigs, "require-sigs", "whether store paths should have a trusted signature on import"}; PublicKeys publicKeys; diff --git a/tests/binary-cache.sh b/tests/binary-cache.sh index f7c0b2f78..dd8dae687 100644 --- a/tests/binary-cache.sh +++ b/tests/binary-cache.sh @@ -18,7 +18,7 @@ basicTests() { nix-env --option binary-caches "file://$cacheDir" -f dependencies.nix -qas \* | grep -- "---" - nix-store --option binary-caches "file://$cacheDir" --option signed-binary-caches '' -r $outPath + nix-store --option binary-caches "file://$cacheDir" --no-require-sigs -r $outPath [ -x $outPath/program ] @@ -34,7 +34,7 @@ basicTests() { x=$(nix-env -f dependencies.nix -qas \* --prebuilt-only) [ -z "$x" ] - nix-store --option binary-caches "file://$cacheDir" --option signed-binary-caches '' -r $outPath + nix-store --option binary-caches "file://$cacheDir" --no-require-sigs -r $outPath nix-store --check-validity $outPath nix-store -qR $outPath | grep input-2 @@ -63,7 +63,7 @@ mv $nar $nar.good mkdir -p $TEST_ROOT/empty nix-store --dump $TEST_ROOT/empty | xz > $nar -nix-build --option binary-caches "file://$cacheDir" --option signed-binary-caches '' dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log +nix-build --option binary-caches "file://$cacheDir" --no-require-sigs dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log grep -q "hash mismatch" $TEST_ROOT/log mv $nar.good $nar @@ -99,7 +99,7 @@ clearStore rm $(grep -l "StorePath:.*dependencies-input-2" $cacheDir/*.narinfo) -nix-build --option binary-caches "file://$cacheDir" --option signed-binary-caches '' dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log +nix-build --option binary-caches "file://$cacheDir" --no-require-sigs dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log grep -q "copying path" $TEST_ROOT/log @@ -124,18 +124,18 @@ nix copy --to file://$cacheDir?secret-key=$TEST_ROOT/sk1 $outPath clearStore clearCacheCache -(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' ) +(! nix-store -r $outPath --option binary-caches "file://$cacheDir") # And it should fail if we provide an incorrect key. clearStore clearCacheCache -(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$badKey") +(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option trusted-public-keys "$badKey") # It should succeed if we provide the correct key. -nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$otherKey $publicKey" +nix-store -r $outPath --option binary-caches "file://$cacheDir" --option trusted-public-keys "$otherKey $publicKey" # It should fail if we corrupt the .narinfo. @@ -152,10 +152,10 @@ done clearCacheCache -(! nix-store -r $outPath --option binary-caches "file://$cacheDir2" --option signed-binary-caches '*' --option trusted-public-keys "$publicKey") +(! nix-store -r $outPath --option binary-caches "file://$cacheDir2" --option trusted-public-keys "$publicKey") # If we provide a bad and a good binary cache, it should succeed. -nix-store -r $outPath --option binary-caches "file://$cacheDir2 file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$publicKey" +nix-store -r $outPath --option binary-caches "file://$cacheDir2 file://$cacheDir" --option trusted-public-keys "$publicKey" fi # HAVE_LIBSODIUM diff --git a/tests/repair.sh b/tests/repair.sh index 7c928e3be..7f9f97fd0 100644 --- a/tests/repair.sh +++ b/tests/repair.sh @@ -51,7 +51,7 @@ nix copy --to file://$cacheDir $path chmod u+w $path2 rm -rf $path2 -nix-store --verify --check-contents --repair --option binary-caches "file://$cacheDir" --option signed-binary-caches '' +nix-store --verify --check-contents --repair --option binary-caches "file://$cacheDir" --no-require-sigs if [ "$(nix-hash $path2)" != "$hash" -o -e $path2/bad ]; then echo "path not repaired properly" >&2 @@ -69,7 +69,7 @@ if nix-store --verify-path $path2; then exit 1 fi -nix-store --repair-path $path2 --option binary-caches "file://$cacheDir" --option signed-binary-caches '' +nix-store --repair-path $path2 --option binary-caches "file://$cacheDir" --no-require-sigs if [ "$(nix-hash $path2)" != "$hash" -o -e $path2/bad ]; then echo "path not repaired properly" >&2