forked from lix-project/lix
Re-implement binary cache signature checking
This is now done in LocalStore::addToStore(), rather than in the binary cache substituter (which no longer exists).
parent
12ddbad458
commit
3593c8285d
3 changed files with 10 additions and 1 deletions
|
@ -58,6 +58,8 @@ LocalStore::LocalStore()
|
||||||
: linksDir(settings.nixStore + "/.links")
|
: linksDir(settings.nixStore + "/.links")
|
||||||
, reservedPath(settings.nixDBPath + "/reserved")
|
, reservedPath(settings.nixDBPath + "/reserved")
|
||||||
, schemaPath(settings.nixDBPath + "/schema")
|
, schemaPath(settings.nixDBPath + "/schema")
|
||||||
|
, requireSigs(settings.get("signed-binary-caches", std::string("")) != "") // FIXME: rename option
|
||||||
|
, publicKeys(getDefaultPublicKeys())
|
||||||
{
|
{
|
||||||
auto state(_state.lock());
|
auto state(_state.lock());
|
||||||
|
|
||||||
|
@ -909,6 +911,9 @@ void LocalStore::addToStore(const ValidPathInfo & info, const std::string & nar,
|
||||||
throw Error(format("hash mismatch importing path ‘%s’; expected hash ‘%s’, got ‘%s’") %
|
throw Error(format("hash mismatch importing path ‘%s’; expected hash ‘%s’, got ‘%s’") %
|
||||||
info.path % info.narHash.to_string() % h.to_string());
|
info.path % info.narHash.to_string() % h.to_string());
|
||||||
|
|
||||||
|
if (requireSigs && !info.checkSignatures(publicKeys))
|
||||||
|
throw Error(format("cannot import path ‘%s’ because it lacks a valid signature") % info.path);
|
||||||
|
|
||||||
addTempRoot(info.path);
|
addTempRoot(info.path);
|
||||||
|
|
||||||
if (repair || !isValidPath(info.path)) {
|
if (repair || !isValidPath(info.path)) {
|
||||||
|
|
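Review bot: The new check in `LocalStore::addToStore()` is gated only by `requireSigs`, which the constructor sets to true only when `signed-binary-caches` is non-empty, so with the option unset every path is still accepted unsigned. Since the commit description makes the store the place where signatures are enforced, that fail-open default should be stated at the initialiser, e.g. `// empty (the default) disables signature enforcement; any non-empty value enables it`, and the FIXME should name the intended new option. The check also appears to apply to every caller of this overload rather than only to binary-cache substitution; whether local imports are meant to be covered cannot be confirmed here, because the function body starts and ends outside the hunk.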
|
@ -77,6 +77,10 @@ private:
|
||||||
const Path reservedPath;
|
const Path reservedPath;
|
||||||
const Path schemaPath;
|
const Path schemaPath;
|
||||||
|
|
||||||
|
bool requireSigs;
|
||||||
|
|
||||||
|
PublicKeys publicKeys;
|
||||||
|
|
||||||
public:
|
public:
|
||||||
|
|
||||||
/* Initialise the local store, upgrading the schema if
|
/* Initialise the local store, upgrading the schema if
|
||||||
|
|
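Review bot: `requireSigs` and `publicKeys` are declared mutable while the neighbouring `reservedPath` and `schemaPath` are `const`. Both appear to be set once in the constructor's initialiser list, so `const bool requireSigs;` and `const PublicKeys publicKeys;` would keep the signature policy and the trusted key set from being changed after the store is opened. Neither member is documented; comments such as `// Whether addToStore() rejects paths lacking a valid signature.` and `// Keys that path signatures are verified against.` would record their security role. The class body continues outside the hunk, so any other writers of these members are not visible here.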
|
@ -85,7 +85,7 @@ clearStore
|
||||||
rm $(grep -l "StorePath:.*dependencies-input-2" $cacheDir/*.narinfo)
|
rm $(grep -l "StorePath:.*dependencies-input-2" $cacheDir/*.narinfo)
|
||||||
|
|
||||||
nix-build --option binary-caches "file://$cacheDir" dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log
|
nix-build --option binary-caches "file://$cacheDir" dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log
|
||||||
grep -q "Downloading" $TEST_ROOT/log
|
grep -q "fetching path" $TEST_ROOT/log
|
||||||
|
|
||||||
|
|
||||||
if [ -n "$HAVE_SODIUM" ]; then
|
if [ -n "$HAVE_SODIUM" ]; then
|
||||||
|
|