summaryrefslogtreecommitdiff
path: root/nix/libstore
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2020-09-10 16:46:52 +0200
committerLudovic Courtès <ludo@gnu.org>2020-09-14 15:42:55 +0200
commit27cc51c269fbe9d2ca65711d281c63ae441a9b4a (patch)
tree16b97c8c44636aa9518ad238dbed9aef828e8e64 /nix/libstore
parent7809071c822589dfc3c65c539760e92936c41073 (diff)
daemon: Isolate signing and signature verification functions.
* nix/libstore/local-store.cc (signHash, verifySignature): New functions. (LocalStore::exportPath): Use 'signHash' instead of inline code. (LocalStore::importPath): Use 'verifySignature' instead of inline code.
Diffstat (limited to 'nix/libstore')
-rw-r--r--nix/libstore/local-store.cc43
1 files changed, 30 insertions, 13 deletions
diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc
index e6badd3721..cbbd8e901d 100644
--- a/nix/libstore/local-store.cc
+++ b/nix/libstore/local-store.cc
@@ -1238,6 +1238,34 @@ static std::string runAuthenticationProgram(const Strings & args)
return runProgram(settings.guixProgram, false, fullArgs);
}
+/* Sign HASH with the key stored in file SECRETKEY. Return the signature as a
+ string, or raise an exception upon error. */
+static std::string signHash(const string &secretKey, const Hash &hash)
+{
+ Strings args;
+ args.push_back("sign");
+ args.push_back(secretKey);
+ args.push_back(printHash(hash));
+
+ return runAuthenticationProgram(args);
+}
+
+/* Verify SIGNATURE and return the base16-encoded hash over which it was
+ computed. */
+static std::string verifySignature(const string &signature)
+{
+ Path tmpDir = createTempDir("", "guix", true, true, 0700);
+ AutoDelete delTmp(tmpDir);
+
+ Path sigFile = tmpDir + "/sig";
+ writeFile(sigFile, signature);
+
+ Strings args;
+ args.push_back("verify");
+ args.push_back(sigFile);
+ return runAuthenticationProgram(args);
+}
+
void LocalStore::exportPath(const Path & path, bool sign,
Sink & sink)
{
@@ -1280,12 +1308,7 @@ void LocalStore::exportPath(const Path & path, bool sign,
Path secretKey = settings.nixConfDir + "/signing-key.sec";
checkSecrecy(secretKey);
- Strings args;
- args.push_back("sign");
- args.push_back(secretKey);
- args.push_back(printHash(hash));
-
- string signature = runAuthenticationProgram(args);
+ string signature = signHash(secretKey, hash);
writeString(signature, hashAndWriteSink);
@@ -1364,13 +1387,7 @@ Path LocalStore::importPath(bool requireSignature, Source & source)
string signature = readString(hashAndReadSource);
if (requireSignature) {
- Path sigFile = tmpDir + "/sig";
- writeFile(sigFile, signature);
-
- Strings args;
- args.push_back("verify");
- args.push_back(sigFile);
- string hash2 = runAuthenticationProgram(args);
+ string hash2 = verifySignature(signature);
/* Note: runProgram() throws an exception if the signature
is invalid. */