forked from lix-project/hydra
Allow Hydra's binary cache to be signed
This requires adding the following to hydra.conf: binary_cache_key_name = <key-name> binary_cache_private_key_file = <path-to-private-key> e.g. binary_cache_key_name = hydra.nixos.org-1 binary_cache_private_key_file = /home/hydra/cache-key.sec
This commit is contained in:
parent
de26b55afe
commit
a598fe7e81
1 changed files with 10 additions and 0 deletions
|
@ -4,6 +4,7 @@ use strict;
|
|||
use base qw/Catalyst::View/;
|
||||
use File::Basename;
|
||||
use Nix::Store;
|
||||
use Nix::Crypto;
|
||||
|
||||
sub process {
|
||||
my ($self, $c) = @_;
|
||||
|
@ -29,6 +30,15 @@ sub process {
|
|||
}
|
||||
}
|
||||
|
||||
# Optionally, sign the NAR info file we just created.
|
||||
my $privateKeyFile = $c->config->{binary_cache_private_key_file};
|
||||
my $keyName = $c->config->{binary_cache_key_name};
|
||||
|
||||
if (defined $privateKeyFile && defined $keyName) {
|
||||
my $sig = signString($privateKeyFile, $info);
|
||||
$info .= "Signature: 1;$keyName;$sig\n";
|
||||
}
|
||||
|
||||
$c->response->body($info);
|
||||
|
||||
return 1;
|
||||
|
|
Loading…
Reference in a new issue