aboutsummaryrefslogtreecommitdiff
path: root/src/libstore
diff options
context:
space:
mode:
authorEelco Dolstra <eelco.dolstra@logicblox.com>2016-04-07 14:14:06 +0200
committerEelco Dolstra <eelco.dolstra@logicblox.com>2016-04-07 15:16:57 +0200
commite39999ed48f7bce81555d1cd58918e59dffcf922 (patch)
treeebc9697051bf2596b108ba310bf27a021c5177b1 /src/libstore
parentdc82160164d6c74586b448a13443c19b5a6709c1 (diff)
Sign locally-built paths
Locally-built paths are now signed automatically using the secret keys specified by the ‘secret-key-files’ option.
Diffstat (limited to 'src/libstore')
-rw-r--r--src/libstore/build.cc3
-rw-r--r--src/libstore/local-store.cc16
-rw-r--r--src/libstore/local-store.hh6
3 files changed, 24 insertions, 1 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 31c321c83..1a51d0ec4 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2748,6 +2748,7 @@ void DerivationGoal::registerOutputs()
trusted. */
if (!info.ultimate) {
info.ultimate = true;
+ worker.store.signPathInfo(info);
worker.store.registerValidPaths({info});
}
@@ -2808,6 +2809,8 @@ void DerivationGoal::registerOutputs()
info.references = references;
info.deriver = drvPath;
info.ultimate = true;
+ worker.store.signPathInfo(info);
+
infos.push_back(info);
}
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index 28e340af7..713ff49be 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -310,7 +310,7 @@ void LocalStore::openDB(bool create)
/* Prepare SQL statements. */
stmtRegisterValidPath.create(db,
- "insert into ValidPaths (path, hash, registrationTime, deriver, narSize, ultimate) values (?, ?, ?, ?, ?, ?);");
+ "insert into ValidPaths (path, hash, registrationTime, deriver, narSize, ultimate, sigs) values (?, ?, ?, ?, ?, ?, ?);");
stmtUpdatePathInfo.create(db,
"update ValidPaths set narSize = ?, hash = ?, ultimate = ?, sigs = ? where path = ?;");
stmtAddReference.create(db,
@@ -547,6 +547,7 @@ uint64_t LocalStore::addValidPath(const ValidPathInfo & info, bool checkOutputs)
(info.deriver, info.deriver != "")
(info.narSize, info.narSize != 0)
(info.ultimate ? 1 : 0, info.ultimate)
+ (concatStringsSep(" ", info.sigs), !info.sigs.empty())
.exec();
uint64_t id = sqlite3_last_insert_rowid(db);
@@ -1710,4 +1711,17 @@ void LocalStore::addSignatures(const Path & storePath, const StringSet & sigs)
}
+void LocalStore::signPathInfo(ValidPathInfo & info)
+{
+ // FIXME: keep secret keys in memory.
+
+ auto secretKeyFiles = settings.get("secret-key-files", Strings());
+
+ for (auto & secretKeyFile : secretKeyFiles) {
+ SecretKey secretKey(readFile(secretKeyFile));
+ info.sign(secretKey);
+ }
+}
+
+
}
diff --git a/src/libstore/local-store.hh b/src/libstore/local-store.hh
index ec8146e68..615e3d76c 100644
--- a/src/libstore/local-store.hh
+++ b/src/libstore/local-store.hh
@@ -301,6 +301,12 @@ private:
// Internal versions that are not wrapped in retry_sqlite.
bool isValidPath_(const Path & path);
void queryReferrers_(const Path & path, PathSet & referrers);
+
+ /* Add signatures to a ValidPathInfo using the secret keys
+ specified by the ‘secret-key-files’ option. */
+ void signPathInfo(ValidPathInfo & info);
+
+ friend class DerivationGoal;
};