Sign locally-built paths

Locally-built paths are now signed automatically using the secret keys
specified by the ‘secret-key-files’ option.
This commit is contained in:
Eelco Dolstra 2016-04-07 14:14:06 +02:00
parent dc82160164
commit e39999ed48
3 changed files with 24 additions and 1 deletions


@ -2748,6 +2748,7 @@ void DerivationGoal::registerOutputs()
trusted. */ trusted. */
if (!info.ultimate) { if (!info.ultimate) {
info.ultimate = true; info.ultimate = true;
worker.store.signPathInfo(info);
worker.store.registerValidPaths({info}); worker.store.registerValidPaths({info});
} }
@ -2808,6 +2809,8 @@ void DerivationGoal::registerOutputs()
info.references = references; info.references = references;
info.deriver = drvPath; info.deriver = drvPath;
info.ultimate = true; info.ultimate = true;
worker.store.signPathInfo(info);
infos.push_back(info); infos.push_back(info);
} }
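Review bot: Neither hunk says why `worker.store.signPathInfo(info)` has to come before `registerValidPaths` / `infos.push_back`, and the order matters because the insert in `addValidPath` now writes the `sigs` column together with the path; a one-line comment above each call, `/* Sign before registering so the signatures are stored with the path. */`, would keep a later refactor from swapping them. Also worth noting at the call site that `signPathInfo` reads and parses every file in `secret-key-files` on each call, so a missing or unreadable key file presumably throws here, after the outputs have already been built rather than before the build started. The body of `registerOutputs` begins and ends outside both hunks.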


@ -310,7 +310,7 @@ void LocalStore::openDB(bool create)
/* Prepare SQL statements. */ /* Prepare SQL statements. */
stmtRegisterValidPath.create(db, stmtRegisterValidPath.create(db,
"insert into ValidPaths (path, hash, registrationTime, deriver, narSize, ultimate) values (?, ?, ?, ?, ?, ?);"); "insert into ValidPaths (path, hash, registrationTime, deriver, narSize, ultimate, sigs) values (?, ?, ?, ?, ?, ?, ?);");
stmtUpdatePathInfo.create(db, stmtUpdatePathInfo.create(db,
"update ValidPaths set narSize = ?, hash = ?, ultimate = ?, sigs = ? where path = ?;"); "update ValidPaths set narSize = ?, hash = ?, ultimate = ?, sigs = ? where path = ?;");
stmtAddReference.create(db, stmtAddReference.create(db,
@ -547,6 +547,7 @@ uint64_t LocalStore::addValidPath(const ValidPathInfo & info, bool checkOutputs)
(info.deriver, info.deriver != "") (info.deriver, info.deriver != "")
(info.narSize, info.narSize != 0) (info.narSize, info.narSize != 0)
(info.ultimate ? 1 : 0, info.ultimate) (info.ultimate ? 1 : 0, info.ultimate)
(concatStringsSep(" ", info.sigs), !info.sigs.empty())
.exec(); .exec();
uint64_t id = sqlite3_last_insert_rowid(db); uint64_t id = sqlite3_last_insert_rowid(db);
@ -1710,4 +1711,17 @@ void LocalStore::addSignatures(const Path & storePath, const StringSet & sigs)
} }
void LocalStore::signPathInfo(ValidPathInfo & info)
{
// FIXME: keep secret keys in memory.
auto secretKeyFiles = settings.get("secret-key-files", Strings());
for (auto & secretKeyFile : secretKeyFiles) {
SecretKey secretKey(readFile(secretKeyFile));
info.sign(secretKey);
}
}
} }
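Review bot: `signPathInfo` re-reads and re-parses every file in `secret-key-files` on each call, which the FIXME acknowledges, and since it now runs for every registered output the key material should be loaded once (for example lazily into a member on first use) with the loop iterating that cached list; a key file that cannot be read would then also fail early rather than at signing time, when the path would otherwise be registered without a signature. The new insert value `(concatStringsSep(" ", info.sigs), !info.sigs.empty())` in `addValidPath` silently assumes a signature never contains a space; a short comment stating that `sigs` is stored space-separated would make that invariant visible to whoever reads the column back. The `addValidPath` and `openDB` hunks are cut from their enclosing functions; `signPathInfo` itself is complete within the hunk.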


@ -301,6 +301,12 @@ private:
// Internal versions that are not wrapped in retry_sqlite. // Internal versions that are not wrapped in retry_sqlite.
bool isValidPath_(const Path & path); bool isValidPath_(const Path & path);
void queryReferrers_(const Path & path, PathSet & referrers); void queryReferrers_(const Path & path, PathSet & referrers);
/* Add signatures to a ValidPathInfo using the secret keys
specified by the secret-key-files option. */
void signPathInfo(ValidPathInfo & info);
friend class DerivationGoal;
}; };
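Review bot: `friend class DerivationGoal;` grants DerivationGoal access to every private member of LocalStore (the SQLite statements, `isValidPath_`, `queryReferrers_`), far more than the single method it needs; declaring `signPathInfo` public, or as a virtual on the Store base so callers do not depend on the concrete store type, would keep the access surface minimal and drop the friend declaration. The new comment should also state the call's cost and failure mode so callers know signing is not best-effort, e.g. `/* Add signatures to a ValidPathInfo using the secret keys specified by the secret-key-files option. Reads the key files on every call; presumably throws if one cannot be read. */`. The class body starts before this hunk.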