lix/tests
Eelco Dolstra 0fdf4da0e9 Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.

To create a private/public key pair for signing and verifying a binary
cache, do:

  $ openssl genrsa -out ./cache-key.sec 2048
  $ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub

You should also come up with a symbolic name for the key, such as
"cache.example.org-1".  This will be used by clients to look up the
public key.  (It's a good idea to number keys, in case you ever need
to revoke/replace one.)

To create a binary cache signed with the private key:

  $ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1

The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:

  signed-binary-caches = *
  binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub

If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:

  *** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...

On the other hand, if the signature is wrong, you get a message like

  NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring

Signatures are implemented as a single line appended to the NAR info
file, which looks like this:

  Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==

Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.

Issue #75.
2014-01-08 15:42:53 +01:00
..
lang Merge branch 'dynamic-attrs-no-sugar' of github.com:shlevy/nix 2014-01-06 15:46:18 +01:00
add.sh * Refactoring: remove unnecessary variables from the tests. 2011-10-10 21:32:34 +00:00
binary-cache.sh Support cryptographically signed binary caches 2014-01-08 15:42:53 +01:00
binary-patching.nix * Urgh, FreeBSD doesn't have a "seq" command. 2011-02-09 14:03:16 +00:00
binary-patching.sh nix-push: Support generating a manifest again 2012-07-26 18:28:12 -04:00
build-hook.hook.sh * Made the build hook mechanism more efficient. Rather than starting 2010-08-25 20:44:28 +00:00
build-hook.nix Fix test 2013-10-17 11:18:37 +02:00
build-hook.sh Don't put results symlinks in the tests directory 2012-09-11 19:14:15 -04:00
check-refs.nix * Refactoring: renamed *.nix.in to *.nix. 2009-03-17 17:11:55 +00:00
check-refs.sh * Refactoring: remove unnecessary variables from the tests. 2011-10-10 21:32:34 +00:00
common.sh.in Urgggh 2013-01-02 23:52:15 +01:00
config.nix.in * Add a test for nix-channel. 2012-01-03 01:51:38 +00:00
dependencies.builder0.sh Test string semantics a bit more 2013-10-17 01:12:43 +02:00
dependencies.builder1.sh * Purify `make check'. 2006-07-21 13:21:43 +00:00
dependencies.builder2.sh * Purify `make check'. 2006-07-21 13:21:43 +00:00
dependencies.nix Test string semantics a bit more 2013-10-17 01:12:43 +02:00
dependencies.sh * Refactoring: remove unnecessary variables from the tests. 2011-10-10 21:32:34 +00:00
export-graph.nix Support quoted attribute names in -A 2013-11-18 10:21:12 +00:00
export-graph.sh Support quoted attribute names in -A 2013-11-18 10:21:12 +00:00
export.sh Don't put results symlinks in the tests directory 2012-09-11 19:14:15 -04:00
fallback.sh * Refactoring: remove unnecessary variables from the tests. 2011-10-10 21:32:34 +00:00
fetchurl.nix Add a test for the fetchurl function 2012-07-09 15:41:43 -04:00
fetchurl.sh Don't put results symlinks in the tests directory 2012-09-11 19:14:15 -04:00
filter-source.nix * Refactoring: renamed *.nix.in to *.nix. 2009-03-17 17:11:55 +00:00
filter-source.sh * Refactoring: remove unnecessary variables from the tests. 2011-10-10 21:32:34 +00:00
fixed.builder1.sh * Test the impureEnvVars feature. 2007-09-11 13:32:04 +00:00
fixed.builder2.sh * Test case to show that parallel builds of different fixed-output 2007-08-28 09:21:47 +00:00
fixed.nix * Refactoring: renamed *.nix.in to *.nix. 2009-03-17 17:11:55 +00:00
fixed.sh Don't put results symlinks in the tests directory 2012-09-11 19:14:15 -04:00
gc-concurrent.builder.sh * Increase the sleep periods a bit to make the test less likely to 2008-08-14 09:26:30 +00:00
gc-concurrent.nix * Refactoring: renamed *.nix.in to *.nix. 2009-03-17 17:11:55 +00:00
gc-concurrent.sh * Refactoring: remove unnecessary variables from the tests. 2011-10-10 21:32:34 +00:00
gc-concurrent2.builder.sh * Increase the sleep periods a bit to make the test less likely to 2008-08-14 09:26:30 +00:00
gc-runtime.nix * Refactoring: renamed *.nix.in to *.nix. 2009-03-17 17:11:55 +00:00
gc-runtime.sh Replace "make check" with "make installcheck" 2012-03-19 01:20:02 +01:00
gc.sh * Refactoring: remove unnecessary variables from the tests. 2011-10-10 21:32:34 +00:00
hash-check.nix * Purify `make check'. 2006-07-21 13:21:43 +00:00
hash.sh Replace "make check" with "make installcheck" 2012-03-19 01:20:02 +01:00
import-derivation.nix * Add a test for importing derivations. 2012-01-26 13:04:50 +00:00
import-derivation.sh Don't put results symlinks in the tests directory 2012-09-11 19:14:15 -04:00
init.sh Replace "make check" with "make installcheck" 2012-03-19 01:20:02 +01:00
install-package.sh nix-push: Support generating a manifest again 2012-07-26 18:28:12 -04:00
lang.sh Test the delayed with a bit more 2013-07-31 13:12:35 +02:00
logging.sh Don't put results symlinks in the tests directory 2012-09-11 19:14:15 -04:00
Makefile.am Urgggh 2013-01-02 23:52:15 +01:00
misc.sh Fix the test 2012-10-03 18:01:35 -04:00
multiple-outputs.nix Don't put results symlinks in the tests directory 2012-09-11 19:14:15 -04:00
multiple-outputs.sh Fix the multiple-outputs test 2012-11-26 17:46:45 +01:00
negative-caching.nix * Negative caching, i.e. caching of build failures. Disabled by 2009-03-25 21:05:42 +00:00
negative-caching.sh Don't put results symlinks in the tests directory 2012-09-11 19:14:15 -04:00
nix-build.sh Don't put results symlinks in the tests directory 2012-09-11 19:14:15 -04:00
nix-channel.sh nix-push: Support generating a manifest again 2012-07-26 18:28:12 -04:00
nix-copy-closure.nix Adjust to the NixOS/Nixpkgs merge 2013-10-11 10:57:23 +02:00
nix-profile.sh Urgggh 2013-01-02 23:52:15 +01:00
nix-pull.sh Fix test failure on Darwin 2012-09-12 11:29:10 -04:00
nix-push.sh nix-push: Support generating a manifest again 2012-07-26 18:28:12 -04:00
optimise-store.sh Fix the store optimisation test 2012-09-13 12:54:23 -04:00
parallel.builder.sh * Make this test a bit more robust. It's still timing dependent 2009-03-23 15:16:36 +00:00
parallel.nix * Make this test a bit more robust. It's still timing dependent 2009-03-23 15:16:36 +00:00
parallel.sh Don't put results symlinks in the tests directory 2012-09-11 19:14:15 -04:00
referrers.sh Use "set -x" in the tests to see where a test fails 2012-07-27 14:33:01 -04:00
remote-builds.nix Adjust to the NixOS/Nixpkgs merge 2013-10-11 10:57:23 +02:00
remote-store.sh Drop support for running nix-worker in "slave" mode 2012-10-03 17:30:45 -04:00
secure-drv-outputs.nix * On FreeBSD, ‘touch’ is not in the test $PATH, so don't use it. 2011-08-08 14:08:38 +00:00
secure-drv-outputs.sh Don't put results symlinks in the tests directory 2012-09-11 19:14:15 -04:00
simple.builder.sh * Fix the tests. 2007-08-13 13:15:02 +00:00
simple.nix * Refactoring: renamed *.nix.in to *.nix. 2009-03-17 17:11:55 +00:00
simple.sh * Refactoring: remove unnecessary variables from the tests. 2011-10-10 21:32:34 +00:00
substituter.sh Don't keep "disabled" substituters running 2013-06-20 11:55:15 +02:00
substituter2.sh Don't keep "disabled" substituters running 2013-06-20 11:55:15 +02:00
substitutes.sh * Refactoring: remove unnecessary variables from the tests. 2011-10-10 21:32:34 +00:00
substitutes2.sh * Refactoring: remove unnecessary variables from the tests. 2011-10-10 21:32:34 +00:00
timeout.builder.sh Adda test for build-max-log-size 2013-09-02 12:44:30 +02:00
timeout.nix Show that --timeout doesn't work if the build produces log output 2013-04-23 17:16:29 +02:00
timeout.sh Adda test for build-max-log-size 2013-09-02 12:44:30 +02:00
user-envs.builder.sh Test priorities 2012-12-04 14:47:50 +01:00
user-envs.nix Test priorities 2012-12-04 14:47:50 +01:00
user-envs.sh Test priorities 2012-12-04 14:47:50 +01:00
verify.sh * Refactoring: remove unnecessary variables from the tests. 2011-10-10 21:32:34 +00:00