Sign locally-built paths

Locally-built paths are now signed automatically using the secret keys
specified by the ‘secret-key-files’ option.

3 files changed, 24 insertions, 1 deletions

diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 31c321c83..1a51d0ec4 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2748,6 +2748,7 @@ void DerivationGoal::registerOutputs()
                trusted. */
             if (!info.ultimate) {
                 info.ultimate = true;
+                worker.store.signPathInfo(info);
                 worker.store.registerValidPaths({info});
             }
 
@@ -2808,6 +2809,8 @@ void DerivationGoal::registerOutputs()
         info.references = references;
         info.deriver = drvPath;
         info.ultimate = true;
+        worker.store.signPathInfo(info);
+
         infos.push_back(info);
     }
 
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index 28e340af7..713ff49be 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -310,7 +310,7 @@ void LocalStore::openDB(bool create)
 
     /* Prepare SQL statements. */
     stmtRegisterValidPath.create(db,
-        "insert into ValidPaths (path, hash, registrationTime, deriver, narSize, ultimate) values (?, ?, ?, ?, ?, ?);");
+        "insert into ValidPaths (path, hash, registrationTime, deriver, narSize, ultimate, sigs) values (?, ?, ?, ?, ?, ?, ?);");
     stmtUpdatePathInfo.create(db,
         "update ValidPaths set narSize = ?, hash = ?, ultimate = ?, sigs = ? where path = ?;");
     stmtAddReference.create(db,
@@ -547,6 +547,7 @@ uint64_t LocalStore::addValidPath(const ValidPathInfo & info, bool checkOutputs)
         (info.deriver, info.deriver != "")
         (info.narSize, info.narSize != 0)
         (info.ultimate ? 1 : 0, info.ultimate)
+        (concatStringsSep(" ", info.sigs), !info.sigs.empty())
         .exec();
     uint64_t id = sqlite3_last_insert_rowid(db);
 
@@ -1710,4 +1711,17 @@ void LocalStore::addSignatures(const Path & storePath, const StringSet & sigs)
 }
 
 
+void LocalStore::signPathInfo(ValidPathInfo & info)
+{
+    // FIXME: keep secret keys in memory.
+
+    auto secretKeyFiles = settings.get("secret-key-files", Strings());
+
+    for (auto & secretKeyFile : secretKeyFiles) {
+        SecretKey secretKey(readFile(secretKeyFile));
+        info.sign(secretKey);
+    }
+}
+
+
 }
diff --git a/src/libstore/local-store.hh b/src/libstore/local-store.hh
index ec8146e68..615e3d76c 100644
--- a/src/libstore/local-store.hh
+++ b/src/libstore/local-store.hh
@@ -301,6 +301,12 @@ private:
     // Internal versions that are not wrapped in retry_sqlite.
     bool isValidPath_(const Path & path);
     void queryReferrers_(const Path & path, PathSet & referrers);
+
+    /* Add signatures to a ValidPathInfo using the secret keys
+       specified by the ‘secret-key-files’ option. */
+    void signPathInfo(ValidPathInfo & info);
+
+    friend class DerivationGoal;
 };