authorEelco Dolstra <edolstra@gmail.com>2017-11-20 19:02:57 +0100
committerEelco Dolstra <edolstra@gmail.com>2017-11-20 19:02:57 +0100
commit0c9718aabc2dda4647e29213a26708eacd71e963 (patch)
treecc2075cba2681c52c2c4b3812cadf39fc195e891 /tests/signing.sh
parent8df60b4ea8fab5fd3571e55de95a4b956f0f6105 (diff)
Add tests for signature checking when copying between local stores
Diffstat (limited to 'tests/signing.sh')
-rw-r--r--tests/signing.sh20
1 files changed, 20 insertions, 0 deletions
diff --git a/tests/signing.sh b/tests/signing.sh
index 39aaa1e76..221dfa35e 100644
--- a/tests/signing.sh
+++ b/tests/signing.sh
@@ -66,3 +66,23 @@ nix sign-paths --store file://$cacheDir --key-file $TEST_ROOT/sk2 $outPath2
info=$(nix path-info --store file://$cacheDir --json $outPath2)
[[ $info =~ 'cache1.example.org' ]]
[[ $info =~ 'cache2.example.org' ]]
+
+# Copying to a diverted store should fail due to a lack of valid signatures.
+chmod -R u+w $TEST_ROOT/store0 || true
+rm -rf $TEST_ROOT/store0
+(! nix copy --to $TEST_ROOT/store0 $outPath)
+
+# But succeed if we supply the public keys.
+(nix copy --to $TEST_ROOT/store0 $outPath --trusted-public-keys $pk1)
+
+expect 2 nix verify --store $TEST_ROOT/store0 -r $outPath
+
+nix verify --store $TEST_ROOT/store0 -r $outPath --trusted-public-keys $pk1
+nix verify --store $TEST_ROOT/store0 -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
+
+# It should also succeed if we disable signature checking.
+(! nix copy --to $TEST_ROOT/store0 $outPath2)
+nix copy --to $TEST_ROOT/store0?require-sigs=false $outPath2
+
+# But signatures should still get copied.
+nix verify --store $TEST_ROOT/store0 -r $outPath2 --trusted-public-keys $pk1
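Review bot: The two negative checks, `(! nix copy --to $TEST_ROOT/store0 $outPath)` and `(! nix copy --to $TEST_ROOT/store0 $outPath2)`, pass on any non-zero exit, so a copy that fails for a reason unrelated to signatures, or one that rejects the signature only after the path has been registered in the destination store, would still satisfy them. Following each with `(! nix path-info --store $TEST_ROOT/store0 $outPath)` (using `$outPath2` after the second) would confirm that nothing unverified was imported, and pinning the exit status with the `expect` helper already used for `nix verify` would tie the failure to its cause, provided that status is stable. The final check verifies `$outPath2` against `$pk1` only; since the context lines show both cache key names in its path info, adding `--sigs-needed 2 --trusted-public-keys "$pk1 $pk2"` would confirm that every signature survived the `require-sigs=false` copy. The variables and the `expect` helper are defined above this hunk, so their exact behaviour is not visible here.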