From 147deb236ebc8474d0e53cb90b23f1d722486bb6 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 18 Feb 2015 11:19:44 +0100 Subject: [PATCH] nix-store --generate-binary-cache-key: Write key to disk This ensures proper permissions for the secret key. --- src/nix-store/nix-store.cc | 12 ++++++++---- tests/binary-cache.sh | 16 +++++++--------- 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/src/nix-store/nix-store.cc b/src/nix-store/nix-store.cc index c16adf049..7ce5f63c2 100644 --- a/src/nix-store/nix-store.cc +++ b/src/nix-store/nix-store.cc @@ -1015,8 +1015,11 @@ static void opGenerateBinaryCacheKey(Strings opFlags, Strings opArgs) foreach (Strings::iterator, i, opFlags) throw UsageError(format("unknown flag ‘%1%’") % *i); - if (opArgs.size() != 1) throw UsageError("one argument expected"); - string keyName = opArgs.front(); + if (opArgs.size() != 3) throw UsageError("three arguments expected"); + auto i = opArgs.begin(); + string keyName = *i++; + string secretKeyFile = *i++; + string publicKeyFile = *i++; #if HAVE_SODIUM sodium_init(); @@ -1026,8 +1029,9 @@ static void opGenerateBinaryCacheKey(Strings opFlags, Strings opArgs) if (crypto_sign_keypair(pk, sk) != 0) throw Error("key generation failed"); - std::cout << keyName << ":" << base64Encode(string((char *) pk, crypto_sign_PUBLICKEYBYTES)) << std::endl; - std::cout << keyName << ":" << base64Encode(string((char *) sk, crypto_sign_SECRETKEYBYTES)) << std::endl; + writeFile(publicKeyFile, keyName + ":" + base64Encode(string((char *) pk, crypto_sign_PUBLICKEYBYTES))); + umask(0077); + writeFile(secretKeyFile, keyName + ":" + base64Encode(string((char *) sk, crypto_sign_SECRETKEYBYTES))); #else throw Error("Nix was not compiled with libsodium, required for signed binary cache support"); #endif diff --git a/tests/binary-cache.sh b/tests/binary-cache.sh index 753c2c466..c72d2defa 100644 --- a/tests/binary-cache.sh +++ b/tests/binary-cache.sh @@ -94,18 +94,16 @@ if [ -n "$HAVE_SODIUM" ]; then # Create a signed binary cache. clearCache -declare -a res=($(nix-store --generate-binary-cache-key test.nixos.org-1)) -publicKey="${res[0]}" -secretKey="${res[1]}" -echo "$secretKey" > $TEST_ROOT/secret-key +declare -a res=($(nix-store --generate-binary-cache-key test.nixos.org-1 $TEST_ROOT/sk1 $TEST_ROOT/pk1 )) +publicKey="$(cat $TEST_ROOT/pk1)" -res=($(nix-store --generate-binary-cache-key test.nixos.org-1)) -badKey="${res[0]}" +res=($(nix-store --generate-binary-cache-key test.nixos.org-1 $TEST_ROOT/sk2 $TEST_ROOT/pk2)) +badKey="$(cat $TEST_ROOT/pk2)" -res=($(nix-store --generate-binary-cache-key foo.nixos.org-1)) -otherKey="${res[0]}" +res=($(nix-store --generate-binary-cache-key foo.nixos.org-1 $TEST_ROOT/sk3 $TEST_ROOT/pk3)) +otherKey="$(cat $TEST_ROOT/pk3)" -nix-push --dest $cacheDir --key-file $TEST_ROOT/secret-key $outPath +nix-push --dest $cacheDir --key-file $TEST_ROOT/sk1 $outPath # Downloading should fail if we don't provide a key.