commit 7786c1d8e34028de055084d954f70bf74ca5eba4 Author: Jade Lovelace Date: Tue Aug 20 22:55:31 2024 -0700 Sketching diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..de0a651 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,288 @@ + EUROPEAN UNION PUBLIC LICENCE v. 1.2 + EUPL © the European Union 2007, 2016 + +This European Union Public Licence (the ‘EUPL’) applies to the Work (as defined +below) which is provided under the terms of this Licence. Any use of the Work, +other than as authorised under this Licence is prohibited (to the extent such +use is covered by a right of the copyright holder of the Work). + +The Work is provided under the terms of this Licence when the Licensor (as +defined below) has placed the following notice immediately following the +copyright notice for the Work: + + Licensed under the EUPL + +or has expressed by any other means his willingness to license under the EUPL. + +1. Definitions + +In this Licence, the following terms have the following meaning: + +- ‘The Licence’: this Licence. + +- ‘The Original Work’: the work or software distributed or communicated by the + Licensor under this Licence, available as Source Code and also as Executable + Code as the case may be. + +- ‘Derivative Works’: the works or software that could be created by the + Licensee, based upon the Original Work or modifications thereof. This Licence + does not define the extent of modification or dependence on the Original Work + required in order to classify a work as a Derivative Work; this extent is + determined by copyright law applicable in the country mentioned in Article 15. + +- ‘The Work’: the Original Work or its Derivative Works. + +- ‘The Source Code’: the human-readable form of the Work which is the most + convenient for people to study and modify. + +- ‘The Executable Code’: any code which has generally been compiled and which is + meant to be interpreted by a computer as a program. + +- ‘The Licensor’: the natural or legal person that distributes or communicates + the Work under the Licence. + +- ‘Contributor(s)’: any natural or legal person who modifies the Work under the + Licence, or otherwise contributes to the creation of a Derivative Work. 
+ +- ‘The Licensee’ or ‘You’: any natural or legal person who makes any usage of + the Work under the terms of the Licence. + +- ‘Distribution’ or ‘Communication’: any act of selling, giving, lending, + renting, distributing, communicating, transmitting, or otherwise making + available, online or offline, copies of the Work or providing access to its + essential functionalities at the disposal of any other natural or legal + person. + +2. Scope of the rights granted by the Licence + +The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, +sublicensable licence to do the following, for the duration of copyright vested +in the Original Work: + +- use the Work in any circumstance and for all usage, +- reproduce the Work, +- modify the Work, and make Derivative Works based upon the Work, +- communicate to the public, including the right to make available or display + the Work or copies thereof to the public and perform publicly, as the case may + be, the Work, +- distribute the Work or copies thereof, +- lend and rent the Work or copies thereof, +- sublicense rights in the Work or copies thereof. + +Those rights can be exercised on any media, supports and formats, whether now +known or later invented, as far as the applicable law permits so. + +In the countries where moral rights apply, the Licensor waives his right to +exercise his moral right to the extent allowed by law in order to make effective +the licence of the economic rights here above listed. + +The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to +any patents held by the Licensor, to the extent necessary to make use of the +rights granted on the Work under this Licence. + +3. Communication of the Source Code + +The Licensor may provide the Work either in its Source Code form, or as +Executable Code. 
If the Work is provided as Executable Code, the Licensor +provides in addition a machine-readable copy of the Source Code of the Work +along with each copy of the Work that the Licensor distributes or indicates, in +a notice following the copyright notice attached to the Work, a repository where +the Source Code is easily and freely accessible for as long as the Licensor +continues to distribute or communicate the Work. + +4. Limitations on copyright + +Nothing in this Licence is intended to deprive the Licensee of the benefits from +any exception or limitation to the exclusive rights of the rights owners in the +Work, of the exhaustion of those rights or of other applicable limitations +thereto. + +5. Obligations of the Licensee + +The grant of the rights mentioned above is subject to some restrictions and +obligations imposed on the Licensee. Those obligations are the following: + +Attribution right: The Licensee shall keep intact all copyright, patent or +trademarks notices and all notices that refer to the Licence and to the +disclaimer of warranties. The Licensee must include a copy of such notices and a +copy of the Licence with every copy of the Work he/she distributes or +communicates. The Licensee must cause any Derivative Work to carry prominent +notices stating that the Work has been modified and the date of modification. + +Copyleft clause: If the Licensee distributes or communicates copies of the +Original Works or Derivative Works, this Distribution or Communication will be +done under the terms of this Licence or of a later version of this Licence +unless the Original Work is expressly distributed only under this version of the +Licence — for example by communicating ‘EUPL v. 1.2 only’. The Licensee +(becoming Licensor) cannot offer or impose any additional terms or conditions on +the Work or Derivative Work that alter or restrict the terms of the Licence. 
+ +Compatibility clause: If the Licensee Distributes or Communicates Derivative +Works or copies thereof based upon both the Work and another work licensed under +a Compatible Licence, this Distribution or Communication can be done under the +terms of this Compatible Licence. For the sake of this clause, ‘Compatible +Licence’ refers to the licences listed in the appendix attached to this Licence. +Should the Licensee's obligations under the Compatible Licence conflict with +his/her obligations under this Licence, the obligations of the Compatible +Licence shall prevail. + +Provision of Source Code: When distributing or communicating copies of the Work, +the Licensee will provide a machine-readable copy of the Source Code or indicate +a repository where this Source will be easily and freely available for as long +as the Licensee continues to distribute or communicate the Work. + +Legal Protection: This Licence does not grant permission to use the trade names, +trademarks, service marks, or names of the Licensor, except as required for +reasonable and customary use in describing the origin of the Work and +reproducing the content of the copyright notice. + +6. Chain of Authorship + +The original Licensor warrants that the copyright in the Original Work granted +hereunder is owned by him/her or licensed to him/her and that he/she has the +power and authority to grant the Licence. + +Each Contributor warrants that the copyright in the modifications he/she brings +to the Work are owned by him/her or licensed to him/her and that he/she has the +power and authority to grant the Licence. + +Each time You accept the Licence, the original Licensor and subsequent +Contributors grant You a licence to their contributions to the Work, under the +terms of this Licence. + +7. Disclaimer of Warranty + +The Work is a work in progress, which is continuously improved by numerous +Contributors. 
It is not a finished work and may therefore contain defects or +‘bugs’ inherent to this type of development. + +For the above reason, the Work is provided under the Licence on an ‘as is’ basis +and without warranties of any kind concerning the Work, including without +limitation merchantability, fitness for a particular purpose, absence of defects +or errors, accuracy, non-infringement of intellectual property rights other than +copyright as stated in Article 6 of this Licence. + +This disclaimer of warranty is an essential part of the Licence and a condition +for the grant of any rights to the Work. + +8. Disclaimer of Liability + +Except in the cases of wilful misconduct or damages directly caused to natural +persons, the Licensor will in no event be liable for any direct or indirect, +material or moral, damages of any kind, arising out of the Licence or of the use +of the Work, including without limitation, damages for loss of goodwill, work +stoppage, computer failure or malfunction, loss of data or any commercial +damage, even if the Licensor has been advised of the possibility of such damage. +However, the Licensor will be liable under statutory product liability laws as +far such laws apply to the Work. + +9. Additional agreements + +While distributing the Work, You may choose to conclude an additional agreement, +defining obligations or services consistent with this Licence. However, if +accepting obligations, You may act only on your own behalf and on your sole +responsibility, not on behalf of the original Licensor or any other Contributor, +and only if You agree to indemnify, defend, and hold each Contributor harmless +for any liability incurred by, or claims asserted against such Contributor by +the fact You have accepted any warranty or additional liability. + +10. 
Acceptance of the Licence + +The provisions of this Licence can be accepted by clicking on an icon ‘I agree’ +placed under the bottom of a window displaying the text of this Licence or by +affirming consent in any other similar way, in accordance with the rules of +applicable law. Clicking on that icon indicates your clear and irrevocable +acceptance of this Licence and all of its terms and conditions. + +Similarly, you irrevocably accept this Licence and all of its terms and +conditions by exercising any rights granted to You by Article 2 of this Licence, +such as the use of the Work, the creation by You of a Derivative Work or the +Distribution or Communication by You of the Work or copies thereof. + +11. Information to the public + +In case of any Distribution or Communication of the Work by means of electronic +communication by You (for example, by offering to download the Work from a +remote location) the distribution channel or media (for example, a website) must +at least provide to the public the information requested by the applicable law +regarding the Licensor, the Licence and the way it may be accessible, concluded, +stored and reproduced by the Licensee. + +12. Termination of the Licence + +The Licence and the rights granted hereunder will terminate automatically upon +any breach by the Licensee of the terms of the Licence. + +Such a termination will not terminate the licences of any person who has +received the Work from the Licensee under the Licence, provided such persons +remain in full compliance with the Licence. + +13. Miscellaneous + +Without prejudice of Article 9 above, the Licence represents the complete +agreement between the Parties as to the Work. + +If any provision of the Licence is invalid or unenforceable under applicable +law, this will not affect the validity or enforceability of the Licence as a +whole. Such provision will be construed or reformed so as necessary to make it +valid and enforceable. 
+ +The European Commission may publish other linguistic versions or new versions of +this Licence or updated versions of the Appendix, so far this is required and +reasonable, without reducing the scope of the rights granted by the Licence. New +versions of the Licence will be published with a unique version number. + +All linguistic versions of this Licence, approved by the European Commission, +have identical value. Parties can take advantage of the linguistic version of +their choice. + +14. Jurisdiction + +Without prejudice to specific agreement between parties, + +- any litigation resulting from the interpretation of this License, arising + between the European Union institutions, bodies, offices or agencies, as a + Licensor, and any Licensee, will be subject to the jurisdiction of the Court + of Justice of the European Union, as laid down in article 272 of the Treaty on + the Functioning of the European Union, + +- any litigation arising between other parties and resulting from the + interpretation of this License, will be subject to the exclusive jurisdiction + of the competent court where the Licensor resides or conducts its primary + business. + +15. Applicable Law + +Without prejudice to specific agreement between parties, + +- this Licence shall be governed by the law of the European Union Member State + where the Licensor has his seat, resides or has his registered office, + +- this licence shall be governed by Belgian law if the Licensor has no seat, + residence or registered office inside a European Union Member State. + +Appendix + +‘Compatible Licences’ according to Article 5 EUPL are: + +- GNU General Public License (GPL) v. 2, v. 3 +- GNU Affero General Public License (AGPL) v. 3 +- Open Software License (OSL) v. 2.1, v. 3.0 +- Eclipse Public License (EPL) v. 1.0 +- CeCILL v. 2.0, v. 2.1 +- Mozilla Public Licence (MPL) v. 2 +- GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3 +- Creative Commons Attribution-ShareAlike v. 
3.0 Unported (CC BY-SA 3.0) for + works other than software +- European Union Public Licence (EUPL) v. 1.1, v. 1.2 +- Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong + Reciprocity (LiLiQ-R+). + +The European Commission may update this Appendix to later versions of the above +licences without producing a new version of the EUPL, as long as they provide +the rights granted in Article 2 of this Licence and protect the covered Source +Code from exclusive appropriation. + +All other changes or additions to this Appendix require the production of a new +EUPL version. + diff --git a/README.md b/README.md new file mode 100644 index 0000000..0dd2cee --- /dev/null +++ b/README.md 
@@ -0,0 +1,133 @@ +# Iron seal + +This is a daemon for re-signing narinfo files from a binary cache. The idea of +this is that we can decouple high value private keys that are hard to rotate +from the data plane of the build infrastructure running untrusted code, +allowing *much* lower value ephemeral private keys to be used on the builders. + +## Worldview + +Iron Seal believes that narinfo files should not be stored in s3 to begin with +since they are tiny text files full of valuable metadata that really ought to +be queryable, so they belong in a database. + +For the initial prototype, narinfos are to be fetched from s3 on-demand and +loaded into the database, in order to allow integration with existing Lix +systems. This is somewhat silly because it means that we have garbage narinfos +that will never be looked at again in s3, but it does mean that iron-seal is +not critical to the future value of the s3 cache. + +narinfos are then serialized on-demand out of the database, with new signatures +added as-required on the fly based on signature rules. Currently this is +assumed to be that all in-date owned keys should sign a path if it was +previously validly signed by a builder or owned key. + +### Remaining questions + +- Can a store path be built multiple times? + - What does this mean for the narinfo? How is that cache invalidated if we + do do such a silly thing? + +### Schema + +#### What's in a narinfo? + +- StorePath: /nix/store/(hash, name) +- Compression: enum of some limited set of values +- URL: nar/FileHash.nar.zst (redundant) +- FileSize: int +- FileHash: (type, nixbase32(digest)) +- NarSize: int +- NarHash: (type, nixbase32(digest)) +- CA: hashtype + hash + type + - text:hashtype:hash + - fixed:r:hashtype:hash + - fixed:hashtype:hash + - hashtype:hash, but it seems to be for legacy stuff only and the code to + make them is Gone??? 
+ - This should be redundant: there are three cases: text, fixed recursive, + fixed, and the hash is always sha256 in practice +- References[]: store path names + + Is it better to denormalize the names or reference ids? Chose to normalize + harder and natural-key the hashes. Then we can enforce there is only one + instance of a name for a given store path. 20 bytes is a kind of silly key + type, but it's not really worse than a 16 byte uuid lol. +- Sig[]: keyname:base64(sig) + +Observations: +- We can compress the living daylights out of this by simply not base64ing + anything and storing binary as binary, as well as removing strings +- Storing references as IDs in a join table would knock even more bytes off of it +- URL is completely redundant +- StorePath is sorta redundant but -> need to be able to lookup by hash + - Split out name + + +``` +~ » curl --compressed https://cache.lix.systems/0018nm26ljlp20g9m22bj55ql9kz3klz.narinfo +StorePath: /nix/store/0018nm26ljlp20g9m22bj55ql9kz3klz-apple-framework-CoreFoundation-11.0.0.drv +URL: nar/1zp24fp4cf01066mrj7dhdmp6zizcahp32xglpw1sg4473bxv0x6.nar.zst +Compression: zstd +FileHash: sha256:1zp24fp4cf01066mrj7dhdmp6zizcahp32xglpw1sg4473bxv0x6 +FileSize: 1429 +NarHash: sha256:135jwl0vl96mx9294ylb1b6y8rlw4bnhyx8zn7pdmsp5md7p5wfm +NarSize: 3776 +References: 5iqpm377dcnzaj0bjip0alh6shvjrfpc-cf-setup-hook.sh 6ag32dimxbc019zm5nx09v40wl1w0ysv-bootstrap-tools.drv a045scfay8yb7xxw36r3glxbx5v7cvyh-rewrite-tbd-unstable-2023-03-27.drv kpp0z1ia13ph5lkypdh5kfcmggj9agpy-bootstrap-stage1-stdenv-darwin.drv r7mhby3fppgh801xkidw9hg6y5wvdab8-libobjc-11.0.0.drv v6x3cs394jgqfbi0a42pam708flxaphh-default-builder.sh v9034cqc4h5bm10z4vz3n1q2n55grv5y-role.bash y171r47m5ryvqnwc5ld0drvq5klnbdcb-MacOSX-SDK-11.0.0.drv +Sig: cache.lix.systems:RwRtAxn0kO0zTa3ESZDI6g8K0F/fhbENKv6K8Yh3+imzBSqtXwjbpRRBnD38caSjaVpa8ws212ZQQelhLdiZAA== +CA: text:sha256:0s9difwgh59k43qlvkqvcwr0jm3qq2yd2zgwmy2gvxjqmjw4hk91 + +~ » curl --compressed 
https://cache.lix.systems/rwakndmpj9dbr1sh2271g47l7d2fl1zf.narinfo +StorePath: /nix/store/rwakndmpj9dbr1sh2271g47l7d2fl1zf-source +URL: nar/127d2kh80xhlpv14810zb8d9wgxqv125hpy4b1mmnihlj45y861z.nar.zst +Compression: zstd +FileHash: sha256:127d2kh80xhlpv14810zb8d9wgxqv125hpy4b1mmnihlj45y861z +FileSize: 1336187 +NarHash: sha256:0b03rwv7kawsqj3grdjs4dyip02l31x4hll6rbgyx7gvsgn4r2mi +NarSize: 5294376 +References: +Sig: cache.lix.systems:z6sKt0+CMPfOvyyPyAmfisQFH89+gIlLKGT+W5caN46zkPKzQg40T9KUw+ppqB/Gfkhoz4UcRVHzE2VSbbqyBQ== +CA: fixed:r:sha256:0b03rwv7kawsqj3grdjs4dyip02l31x4hll6rbgyx7gvsgn4r2mi + +~ » curl --compressed https://cache.lix.systems/v9034cqc4h5bm10z4vz3n1q2n55grv5y.narinfo +StorePath: /nix/store/v9034cqc4h5bm10z4vz3n1q2n55grv5y-role.bash +URL: nar/0k78kc5xs5kvnz119hrqc8k0lzpv094jzrs7j6i386hl50bw1051.nar.xz +Compression: xz +FileHash: sha256:0k78kc5xs5kvnz119hrqc8k0lzpv094jzrs7j6i386hl50bw1051 +FileSize: 916 +NarHash: sha256:1wm870bpkip4d9xaa8rj2fiapnjz27xkgbycl47av7f64q98502s +NarSize: 2328 +References: +Sig: cache.lix.systems:+9mf0JXUAuhEAEyGE7vfylI+byK1xYNOCrBQiIKDqRNZFNeh0UJC01oWddvoGm3TLmY8bSnVFNxDpBy2ajgaCw== +CA: fixed:r:sha256:1wm870bpkip4d9xaa8rj2fiapnjz27xkgbycl47av7f64q98502s +``` + +An output and its deriver: + +Outputs don't have CA. 
+ +``` +~ » curl --compressed https://cache.lix.systems/ws234x3s0in12ks97miwrrdnfx6iys7w.narinfo +StorePath: /nix/store/ws234x3s0in12ks97miwrrdnfx6iys7w-lix-2.91.0-debug +URL: nar/0767zlbsfp572ikqwv8k2kv0bvdr2kpr2xp3vl6843bhpn89srcf.nar.zst +Compression: zstd +FileHash: sha256:0767zlbsfp572ikqwv8k2kv0bvdr2kpr2xp3vl6843bhpn89srcf +FileSize: 149517914 +NarHash: sha256:0nv4qv7yy82l2w3sgkfc6ax3s5mv5hffwgbjp45wji6vcpn48639 +NarSize: 152916192 +References: +Deriver: iz2nhchdh0dl96z591maai3f5hnl9jd9-lix-2.91.0.drv +Sig: cache.lix.systems:AxW+LHBGOFAqNhN5esqu/jNDASq9q4HQZ1uetf+8m9UC7uXNgfzTWMvWjNHzc2cbiLFN4Lv8wTxaGCW6CqSTAQ== + +~ » curl --compressed https://cache.lix.systems/iz2nhchdh0dl96z591maai3f5hnl9jd9.narinfo +StorePath: /nix/store/iz2nhchdh0dl96z591maai3f5hnl9jd9-lix-2.91.0.drv +URL: nar/1zrhxs2md2ppharrdgm4pzf67n9ngvrd0k7swchvvqqnxs2zg0cn.nar.zst +Compression: zstd +FileHash: sha256:1zrhxs2md2ppharrdgm4pzf67n9ngvrd0k7swchvvqqnxs2zg0cn +FileSize: 3826 +NarHash: sha256:152viw7i9iq9nql205i6xx1w1x3pz4pyd5k1l2rffnz8mws1skrf +NarSize: 8696 +References: 02whz8bddsbc1fc3z4lp9r5d93gfi19b-jq-1.7.1.drv 09xdqf5vm3671iw83hq83ra55211zisl-gcc-13.2.0.drv 12l2v3kmacnpmx14p2345kk41fpv31rw-separate-debug-info.sh 1gk1c7x53fa5wqcqcwayagvblzinn8rx-openssl-3.0.14.drv 1h6y345b14l439y668mgfmhp7x611vsn-pkg-config-wrapper-0.29.2.drv 1z8izdpyzhd23nk2amhsyfkmphzajcc5-rapidcheck-0-unstable-2023-12-14.drv 24z6w1l9pfjixbp57q0vz98njvk53mdb-bzip2-1.0.8.drv 2q0p6sd6994k99x3cw6xvg9wlb9b2hym-sqlite-3.45.3.drv 377zz3y35n2aqzj39rxxvki5nw4jn32a-meson-1.4.1.drv 49wp9a3ldgyf8zr3875bpznr1vgb2cp9-mercurial-6.6.3.drv 5246sqmc35hxwxi905vz14wq9bg7ss13-util-linux-minimal-2.39.4.drv 5r7dangpzlqbh9qikfvcy2hkcr9dfn2i-libseccomp-2.5.5.drv 6fxk6xxg5r25glpychiwii4913wzkv0j-toml11-3.7.1.drv 7vgvm6maz2q40c5600ig0470hzmyvi2y-ninja-1.11.1.drv 8yb3slw042zr414dw6cnsjs7jz3b3d3d-mdbook-linkcheck-0.7.7.drv 98hyrmv2d8s133y0gfg7v4bz2g26lnzh-gtest-1.14.0.drv c89v384z3l833ykvjxc05y89jyqimpk2-cmake-3.29.2.drv 
cl2aa2ixggw275v1mfq9qxnna95pssvg-brotli-1.1.0.drv d58bmmhv8zzv18hf0mi57jgqj4fmnkgi-lowdown-1.1.0.drv dl3158bk4h8fahfgddvd5hjg4mnayddi-boost-1.81.0.drv fw3srq3319h1c3b10bi51sj68zhgl4wh-aws-sdk-cpp-1.11.318.drv g45hm2v7cjjsbm8z1hzma5ybbg2l9igw-editline-1.17.1.drv gvf4apg8zc1hg27409mb62fsvw5x1n0i-lsof-4.99.3.drv ibvns8id2frl8lg02gpyhvrav38dx1pm-pegtl-3.2.7.drv iwc1b7yk89rr37j546hgs6hfw9h2zfdc-busybox-static-aarch64-unknown-linux-musl-1.36.1.drv ix79ffj7sdnllcb06bry8ahqmjmh3hkh-git-2.44.1.drv iy52yascwcmgwm4q7x0vhgwig6g1q2qn-nlohmann_json-3.11.3.drv kfibsc08liqs0f3sm2wfha0qv0c0nfa3-libsodium-1.0.19.drv m7sjf5692xdv77rmp1mr947kvkr24zkf-python3-3.11.9.drv n8bzpa0g4zqlb1l463yr6gjwj9alb4lx-boehm-gc-8.2.6.drv nd47yjmilyhjkx77lvqg20izc9l7kvhs-mdbook-0.4.37.drv nnak6v9iccf7rsvw21wbwrqq2k8s780d-lix-doc.drv ridfqdfrv7hbrka1swxrnv3apgrvi2b6-bash-5.2p26.drv rwakndmpj9dbr1sh2271g47l7d2fl1zf-source rzb066q38jcjm223c07x6nlqibbgbq7i-libarchive-3.7.4.drv v6x3cs394jgqfbi0a42pam708flxaphh-default-builder.sh vpy0352yk1vl1l1dhmr4yhyhvcnig2xw-stdenv-linux.drv wcyypaafk1mzm47rwhbcmx481q43j4s4-xz-5.4.7.drv xp1bywj9afd809zmcyc5g9y66paxgqav-curl-8.7.1.drv +Sig: cache.lix.systems:yauNRyXEq2heiwJASbT14kDBnK0hrEMKQgDf1eb78e5m4xaQDun1ZcvMKRoa2K8JFuN+UjESH4h83Ndx4N8bDg== +CA: text:sha256:18gfki09lpdnqpxwdjdw8nmq1ryzyc0dhncgi5yvb9qvlphgyj3m +``` diff --git a/schema.sql b/schema.sql new file mode 100644 index 0000000..be3d45b --- /dev/null +++ b/schema.sql 
@@ -0,0 +1,110 @@
+begin transaction;
+
+create domain NixPath as bytea
+    check (length(value) = 20);
+create domain SHA256Hash as bytea
+    check (length(value) = 16);
+create domain Ed25519Public as bytea
+    check (length(value) = 32);
+create domain SignatureBytes as bytea
+    check (length(value) = 64);
+
+create table PathName (
+    hash NixPath not null primary key,
+    -- Split off into a separate PathName table since a reference only requires
+    -- a PathName exists but not necessarily a full NarInfo
+    name text not null
+);
+
+-- Yoinked from https://git.lix.systems/lix-project/lix/src/e34833c0253340f47dc0add8609eb86cf9cba19b/src/libstore/binary-cache-store.cc#L151-L158
+create type Compression as enum (
+    'none',
+    'bzip2',
+    'zstd',
+    'xz',
+    'lzip',
+    'lz4',
+    'br'
+);
+
+-- There are no non sha256 CA hashes in the wild and we can honestly just tell anyone sending us one to go away
+create type CAType as enum (
+    'textsha256',
+    'fixedrecsha256',
+    'fixedflatsha256'
+);
+
+create table NarInfo (
+    -- URL not needed (derivable from file_hash and compression)
+    file_size bigint not null,
+    nar_size bigint not null,
+
+    hash NixPath primary key not null references PathName(hash),
+    file_hash SHA256Hash not null,
+    nar_hash SHA256Hash not null,
+    ca_hash SHA256Hash,
+
+    compression Compression not null,
+    ca_type CAType
+);
+
+create table Reference (
+    target NixPath not null references PathName(hash),
+    by_narinfo NixPath not null references NarInfo(hash),
+    primary key (target, by_narinfo)
+);
+
+create index reference_by_target on Reference using hash (target);
+create index reference_by_referencer on Reference using hash (by_narinfo);
+
+create table KeyName (
+    id serial primary key,
+    name text not null
+);
+
+comment on table KeyName is 'The Nix name for a key, which is often, but not strictly, related to the domain name';
+
+-- FIXME: partitioning the system for security? e.g. can we make it so that the app *cannot* mess with public key validity periods?
+create table BuilderPublicKey (
+    id integer primary key references KeyName(id),
+    public_key Ed25519Public not null,
+    comment text,
+    valid_from timestamptz,
+    valid_until timestamptz
+);
+
+comment on table BuilderPublicKey is 'Public keys which iron-seal is willing to re-sign paths signed with';
+comment on column BuilderPublicKey.valid_from is 'Signature time when the public key is first trusted for new signatures. If null, from a time in the indefinite past.';
+comment on column BuilderPublicKey.valid_until is 'Signature time when the public key is last trusted for new signatures. If null, to a time in the indefinite future.';
+
+create table OwnPublicKey (
+    id integer primary key references KeyName(id),
+    public_key Ed25519Public not null,
+    comment text,
+    valid_from timestamptz,
+    valid_until timestamptz
+);
+
+comment on table OwnPublicKey is 'Public keys which iron-seal will sign paths with during their validity period';
+comment on column OwnPublicKey.valid_from is 'Signature time when the public key will first be used for new signatures. If null, from a time in the indefinite past.';
+comment on column OwnPublicKey.valid_until is 'Signature time when the public key will last be used for new signatures. If null, to a time in the indefinite future.';
+
+create table Signature (
+    path NixPath references NarInfo(hash),
+
+    id serial primary key,
+    signer integer not null references KeyName(id),
+    sig_bytes SignatureBytes not null,
+    signed_at timestamptz not null
+);
+
+comment on column Signature.signed_at is 'When the path was signed. For s3-sourced paths we have a reliable idea of it if we take the narinfo date as the signature date (and can assume there is no backdating by trusting s3)';
+
+create unique index signature_path_only_signed_once on Signature (signer, path);
+
+-- Definitely want to be able to look up signatures by store path
+create index signature_by_path on Signature using hash (path);
+-- Definitely want to be able to look up paths signed by a key
+create index signature_by_signer on Signature (signer);
+
+rollback;
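Review bot: The `SHA256Hash` domain near the top of the schema.sql hunk checks `length(value) = 16`, but a SHA-256 digest is 32 bytes (the 52-character nixbase32 `NarHash:`/`FileHash:` values in the README decode to 32 bytes), so every real `file_hash`, `nar_hash` and `ca_hash` is rejected by the domain check, and anything that does pass it can only be half a digest; the line should read `check (length(value) = 32);`. `KeyName.name` is the value a Nix `Sig:` line is keyed by (`cache.lix.systems:...` in the README samples), so resolving a signature to a key is only unambiguous if it is unique: `name text not null unique`. `Signature.path` is the one column in that table without `not null`, and because Postgres treats NULLs as distinct in the `(signer, path)` unique index, any number of detached rows per signer would be accepted; unless a signature without a path is intended, `path NixPath not null references NarInfo(hash),` is the safer default. For the FIXME above `BuilderPublicKey`, the schema-level answer is a dedicated Postgres role for the daemon that is granted only `select` on `BuilderPublicKey`/`OwnPublicKey` and `insert` on `Signature`, with edits to key trust and validity windows done under a separate role.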