forked from lix-project/lix
bbe97dff8b
Most functions now take a StorePath argument rather than a Path (which is just an alias for std::string). The StorePath constructor ensures that the path is syntactically correct (i.e. it looks like <store-dir>/<base32-hash>-<name>). Similarly, functions like buildPaths() now take a StorePathWithOutputs, rather than abusing Path by adding a '!<outputs>' suffix. Note that the StorePath type is implemented in Rust. This involves some hackery to allow Rust values to be used directly in C++, via a helper type whose destructor calls the Rust type's drop() function. The main issue is the dynamic nature of C++ move semantics: after we have moved a Rust value, we should not call the drop function on the original value. So when we move a value, we set the original value to bitwise zero, and the destructor only calls drop() if the value is not bitwise zero. This should be sufficient for most types. Also lots of minor cleanups to the C++ API to make it more modern (e.g. using std::optional and std::string_view in some places).
178 lines
5.9 KiB
C++
178 lines
5.9 KiB
C++
#include "command.hh"
|
|
#include "shared.hh"
|
|
#include "store-api.hh"
|
|
#include "sync.hh"
|
|
#include "thread-pool.hh"
|
|
#include "references.hh"
|
|
|
|
#include <atomic>
|
|
|
|
using namespace nix;
|
|
|
|
struct CmdVerify : StorePathsCommand
|
|
{
|
|
bool noContents = false;
|
|
bool noTrust = false;
|
|
Strings substituterUris;
|
|
size_t sigsNeeded = 0;
|
|
|
|
CmdVerify()
|
|
{
|
|
mkFlag(0, "no-contents", "do not verify the contents of each store path", &noContents);
|
|
mkFlag(0, "no-trust", "do not verify whether each store path is trusted", &noTrust);
|
|
mkFlag()
|
|
.longName("substituter")
|
|
.shortName('s')
|
|
.labels({"store-uri"})
|
|
.description("use signatures from specified store")
|
|
.arity(1)
|
|
.handler([&](std::vector<std::string> ss) { substituterUris.push_back(ss[0]); });
|
|
mkIntFlag('n', "sigs-needed", "require that each path has at least N valid signatures", &sigsNeeded);
|
|
}
|
|
|
|
std::string description() override
|
|
{
|
|
return "verify the integrity of store paths";
|
|
}
|
|
|
|
Examples examples() override
|
|
{
|
|
return {
|
|
Example{
|
|
"To verify the entire Nix store:",
|
|
"nix verify --all"
|
|
},
|
|
Example{
|
|
"To check whether each path in the closure of Firefox has at least 2 signatures:",
|
|
"nix verify -r -n2 --no-contents $(type -p firefox)"
|
|
},
|
|
};
|
|
}
|
|
|
|
void run(ref<Store> store, StorePaths storePaths) override
|
|
{
|
|
std::vector<ref<Store>> substituters;
|
|
for (auto & s : substituterUris)
|
|
substituters.push_back(openStore(s));
|
|
|
|
auto publicKeys = getDefaultPublicKeys();
|
|
|
|
Activity act(*logger, actVerifyPaths);
|
|
|
|
std::atomic<size_t> done{0};
|
|
std::atomic<size_t> untrusted{0};
|
|
std::atomic<size_t> corrupted{0};
|
|
std::atomic<size_t> failed{0};
|
|
std::atomic<size_t> active{0};
|
|
|
|
auto update = [&]() {
|
|
act.progress(done, storePaths.size(), active, failed);
|
|
};
|
|
|
|
ThreadPool pool;
|
|
|
|
auto doPath = [&](const Path & storePath) {
|
|
try {
|
|
checkInterrupt();
|
|
|
|
Activity act2(*logger, lvlInfo, actUnknown, fmt("checking '%s'", storePath));
|
|
|
|
MaintainCount<std::atomic<size_t>> mcActive(active);
|
|
update();
|
|
|
|
auto info = store->queryPathInfo(store->parseStorePath(storePath));
|
|
|
|
if (!noContents) {
|
|
|
|
std::unique_ptr<AbstractHashSink> hashSink;
|
|
if (info->ca == "")
|
|
hashSink = std::make_unique<HashSink>(info->narHash.type);
|
|
else
|
|
hashSink = std::make_unique<HashModuloSink>(info->narHash.type, storePathToHash(store->printStorePath(info->path)));
|
|
|
|
store->narFromPath(info->path, *hashSink);
|
|
|
|
auto hash = hashSink->finish();
|
|
|
|
if (hash.first != info->narHash) {
|
|
corrupted++;
|
|
act2.result(resCorruptedPath, store->printStorePath(info->path));
|
|
printError(
|
|
"path '%s' was modified! expected hash '%s', got '%s'",
|
|
store->printStorePath(info->path), info->narHash.to_string(), hash.first.to_string());
|
|
}
|
|
|
|
}
|
|
|
|
if (!noTrust) {
|
|
|
|
bool good = false;
|
|
|
|
if (info->ultimate && !sigsNeeded)
|
|
good = true;
|
|
|
|
else {
|
|
|
|
StringSet sigsSeen;
|
|
size_t actualSigsNeeded = std::max(sigsNeeded, (size_t) 1);
|
|
size_t validSigs = 0;
|
|
|
|
auto doSigs = [&](StringSet sigs) {
|
|
for (auto sig : sigs) {
|
|
if (!sigsSeen.insert(sig).second) continue;
|
|
if (validSigs < ValidPathInfo::maxSigs && info->checkSignature(*store, publicKeys, sig))
|
|
validSigs++;
|
|
}
|
|
};
|
|
|
|
if (info->isContentAddressed(*store)) validSigs = ValidPathInfo::maxSigs;
|
|
|
|
doSigs(info->sigs);
|
|
|
|
for (auto & store2 : substituters) {
|
|
if (validSigs >= actualSigsNeeded) break;
|
|
try {
|
|
auto info2 = store2->queryPathInfo(info->path);
|
|
if (info2->isContentAddressed(*store)) validSigs = ValidPathInfo::maxSigs;
|
|
doSigs(info2->sigs);
|
|
} catch (InvalidPath &) {
|
|
} catch (Error & e) {
|
|
printError(format(ANSI_RED "error:" ANSI_NORMAL " %s") % e.what());
|
|
}
|
|
}
|
|
|
|
if (validSigs >= actualSigsNeeded)
|
|
good = true;
|
|
}
|
|
|
|
if (!good) {
|
|
untrusted++;
|
|
act2.result(resUntrustedPath, store->printStorePath(info->path));
|
|
printError("path '%s' is untrusted", store->printStorePath(info->path));
|
|
}
|
|
|
|
}
|
|
|
|
done++;
|
|
|
|
} catch (Error & e) {
|
|
printError(format(ANSI_RED "error:" ANSI_NORMAL " %s") % e.what());
|
|
failed++;
|
|
}
|
|
|
|
update();
|
|
};
|
|
|
|
for (auto & storePath : storePaths)
|
|
pool.enqueue(std::bind(doPath, store->printStorePath(storePath)));
|
|
|
|
pool.process();
|
|
|
|
throw Exit(
|
|
(corrupted ? 1 : 0) |
|
|
(untrusted ? 2 : 0) |
|
|
(failed ? 4 : 0));
|
|
}
|
|
};
|
|
|
|
static auto r1 = registerCommand<CmdVerify>("verify");
|