From f1e5dedb611d39ecc600fccb4eba4b0de730c5fc Mon Sep 17 00:00:00 2001 From: Petr Rockai Date: Sun, 24 Nov 2013 21:22:23 +0100 Subject: perl: Call loadConfFile() in doInit to avoid screwing sqlite journal mode. If the database is opened through perl bindings (and even though nix.conf has use-sqlite-wal set to false), the database is automatically converted into WAL mode. This makes the next nix process to access the database convert it back to "truncate". If the database is still open at the time in wal mode by the perl program, this fails and crashes the nix doing the wal -> truncate conversion. --- perl/lib/Nix/Store.xs | 2 ++ 1 file changed, 2 insertions(+) (limited to 'perl/lib/Nix') diff --git a/perl/lib/Nix/Store.xs b/perl/lib/Nix/Store.xs index c449ed524..d46af57e6 100644 --- a/perl/lib/Nix/Store.xs +++ b/perl/lib/Nix/Store.xs @@ -20,6 +20,8 @@ void doInit() if (!store) { try { settings.processEnvironment(); + settings.loadConfFile(); + settings.update(); settings.lockCPU = false; store = openStore(); } catch (Error & e) { -- cgit v1.2.3 From 0fdf4da0e979f992db75cc17376e455ddc5a96d8 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 8 Jan 2014 15:23:41 +0100 Subject: Support cryptographically signed binary caches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit NAR info files in binary caches can now have a cryptographic signature that Nix will verify before using the corresponding NAR file. To create a private/public key pair for signing and verifying a binary cache, do: $ openssl genrsa -out ./cache-key.sec 2048 $ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub You should also come up with a symbolic name for the key, such as "cache.example.org-1". This will be used by clients to look up the public key. (It's a good idea to number keys, in case you ever need to revoke/replace one.) To create a binary cache signed with the private key: $ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1 The public key (cache-key.pub) should be distributed to the clients. They should have a nix.conf should contain something like: signed-binary-caches = * binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub If all works well, then if Nix fetches something from the signed binary cache, you will see a message like: *** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’... On the other hand, if the signature is wrong, you get a message like NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring Signatures are implemented as a single line appended to the NAR info file, which looks like this: Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ== Thus the signature has 3 fields: a version (currently "1"), the ID of key, and the base64-encoded signature of the SHA-256 hash of the contents of the NAR info file up to but not including the Signature line. Issue #75. --- perl/lib/Nix/Config.pm.in | 3 ++- perl/lib/Nix/Crypto.pm | 42 ++++++++++++++++++++++++++++++++++++++++++ perl/lib/Nix/Manifest.pm | 40 +++++++++++++++++++++++++++++++++++++--- 3 files changed, 81 insertions(+), 4 deletions(-) create mode 100644 perl/lib/Nix/Crypto.pm (limited to 'perl/lib/Nix') diff --git a/perl/lib/Nix/Config.pm.in b/perl/lib/Nix/Config.pm.in index 8c902ab6e..4f1f38ddd 100644 --- a/perl/lib/Nix/Config.pm.in +++ b/perl/lib/Nix/Config.pm.in @@ -13,6 +13,7 @@ $storeDir = $ENV{"NIX_STORE_DIR"} || "@storedir@"; $bzip2 = "@bzip2@"; $xz = "@xz@"; $curl = "@curl@"; +$openssl = "@openssl@"; $useBindings = "@perlbindings@" eq "yes"; @@ -32,7 +33,7 @@ sub readConfig { open CONFIG, "<$config" or die "cannot open `$config'"; while () { - /^\s*([\w|-]+)\s*=\s*(.*)$/ or next; + /^\s*([\w\-\.]+)\s*=\s*(.*)$/ or next; $config{$1} = $2; } close CONFIG; diff --git a/perl/lib/Nix/Crypto.pm b/perl/lib/Nix/Crypto.pm new file mode 100644 index 000000000..0286e88d3 --- /dev/null +++ b/perl/lib/Nix/Crypto.pm @@ -0,0 +1,42 @@ +package Nix::Crypto; + +use strict; +use MIME::Base64; +use Nix::Store; +use Nix::Config; +use IPC::Open2; + +our @ISA = qw(Exporter); +our @EXPORT = qw(signString isValidSignature); + +sub signString { + my ($privateKeyFile, $s) = @_; + my $hash = hashString("sha256", 0, $s); + my ($from, $to); + my $pid = open2($from, $to, $Nix::Config::openssl, "rsautl", "-sign", "-inkey", $privateKeyFile); + print $to $hash; + close $to; + local $/ = undef; + my $sig = <$from>; + close $from; + waitpid($pid, 0); + die "$0: OpenSSL returned exit code $? while signing hash\n" if $? != 0; + my $sig64 = encode_base64($sig, ""); + return $sig64; +} + +sub isValidSignature { + my ($publicKeyFile, $sig64, $s) = @_; + my ($from, $to); + my $pid = open2($from, $to, $Nix::Config::openssl, "rsautl", "-verify", "-inkey", $publicKeyFile, "-pubin"); + print $to decode_base64($sig64); + close $to; + my $decoded = <$from>; + close $from; + waitpid($pid, 0); + return 0 if $? != 0; + my $hash = hashString("sha256", 0, $s); + return $decoded eq $hash; +} + +1; diff --git a/perl/lib/Nix/Manifest.pm b/perl/lib/Nix/Manifest.pm index 04c699b43..015c92835 100644 --- a/perl/lib/Nix/Manifest.pm +++ b/perl/lib/Nix/Manifest.pm @@ -8,6 +8,7 @@ use File::stat; use File::Path; use Fcntl ':flock'; use Nix::Config; +use Nix::Crypto; our @ISA = qw(Exporter); our @EXPORT = qw(readManifest writeManifest updateManifestDB addPatch deleteOldManifests parseNARInfo); @@ -394,9 +395,10 @@ sub deleteOldManifests { # Parse a NAR info file. sub parseNARInfo { - my ($storePath, $content) = @_; + my ($storePath, $content, $requireValidSig, $location) = @_; - my ($storePath2, $url, $fileHash, $fileSize, $narHash, $narSize, $deriver, $system); + my ($storePath2, $url, $fileHash, $fileSize, $narHash, $narSize, $deriver, $system, $sig); + my $signedData = ""; my $compression = "bzip2"; my @refs; @@ -412,11 +414,13 @@ sub parseNARInfo { elsif ($1 eq "References") { @refs = split / /, $2; } elsif ($1 eq "Deriver") { $deriver = $2; } elsif ($1 eq "System") { $system = $2; } + elsif ($1 eq "Signature") { $sig = $2; last; } + $signedData .= "$line\n"; } return undef if $storePath ne $storePath2 || !defined $url || !defined $narHash; - return + my $res = { url => $url , compression => $compression , fileHash => $fileHash @@ -427,6 +431,36 @@ sub parseNARInfo { , deriver => $deriver , system => $system }; + + if ($requireValidSig) { + if (!defined $sig) { + warn "NAR info file `$location' lacks a signature; ignoring\n"; + return undef; + } + my ($sigVersion, $keyName, $sig64) = split ";", $sig; + $sigVersion //= 0; + if ($sigVersion != 1) { + warn "NAR info file `$location' has unsupported version $sigVersion; ignoring\n"; + return undef; + } + return undef unless defined $keyName && defined $sig64; + my $publicKeyFile = $Nix::Config::config{"binary-cache-public-key-$keyName"}; + if (!defined $publicKeyFile) { + warn "NAR info file `$location' is signed by unknown key `$keyName'; ignoring\n"; + return undef; + } + if (! -f $publicKeyFile) { + die "binary cache public key file `$publicKeyFile' does not exist\n"; + return undef; + } + if (!isValidSignature($publicKeyFile, $sig64, $signedData)) { + warn "NAR info file `$location' has an invalid signature; ignoring\n"; + return undef; + } + $res->{signedBy} = $keyName; + } + + return $res; } -- cgit v1.2.3