From a598fe7e817e116cdf4d3202458d138202e869f1 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Wed, 8 Jan 2014 15:19:17 +0100
Subject: [PATCH] Allow Hydra's binary cache to be signed

This requires adding the following to hydra.conf:

  binary_cache_key_name =
  binary_cache_private_key_file =

e.g.

  binary_cache_key_name = hydra.nixos.org-1
  binary_cache_private_key_file = /home/hydra/cache-key.sec
---
 src/lib/Hydra/View/NARInfo.pm | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/lib/Hydra/View/NARInfo.pm b/src/lib/Hydra/View/NARInfo.pm
index 00dd6a68..b2532500 100644
--- a/src/lib/Hydra/View/NARInfo.pm
+++ b/src/lib/Hydra/View/NARInfo.pm
@@ -4,6 +4,7 @@ use strict;
 use base qw/Catalyst::View/;
 use File::Basename;
 use Nix::Store;
+use Nix::Crypto;
 
 sub process {
     my ($self, $c) = @_;
@@ -29,6 +30,15 @@ sub process {
         }
     }
 
+    # Optionally, sign the NAR info file we just created.
+    my $privateKeyFile = $c->config->{binary_cache_private_key_file};
+    my $keyName = $c->config->{binary_cache_key_name};
+
+    if (defined $privateKeyFile && defined $keyName) {
+        my $sig = signString($privateKeyFile, $info);
+        $info .= "Signature: 1;$keyName;$sig\n";
+    }
+
     $c->response->body($info);
 
     return 1;
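Review bot: The guard `if (defined $privateKeyFile && defined $keyName)` in the second hunk silently serves unsigned narinfo when only one of the two new hydra.conf options is set, so a typo in either option name turns signing off with no diagnostic; fail loudly instead, e.g. `die "binary_cache_key_name and binary_cache_private_key_file must be set together\n" if defined $privateKeyFile xor defined $keyName;` placed before the guard. The value returned by `signString` is interpolated into the Signature line unchecked; if it can come back undef or empty on a missing or unreadable key (I have not verified how Nix::Crypto reports failure), the response would carry a malformed `Signature: 1;$keyName;` field rather than an error, so add `die "signing NAR info failed\n" unless defined $sig && length $sig;` after the call. `$keyName` is also interpolated verbatim into a `;`-separated field, so a comment where it is read stating that it must not contain `;` or newlines would help operators. The body of process continues past the end of the hunk.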