verify: add chatty output to explain why a path is trusted or not

2024-11-25 00:02:25 +00:00 · 2024-04-06 09:07:07 +00:00 · 2024-04-06 09:07:07 +00:00 · 5cad3c4f69
commit 5cad3c4f69
parent 5a365b0c89
1 changed files with 33 additions and 5 deletions
--- a/src/nix/verify.cc
+++ b/src/nix/verify.cc
@ -69,6 +69,13 @@ struct CmdVerify : StorePathsCommand

        auto publicKeys = getDefaultPublicKeys();

+        if (publicKeys.empty()) {
+            printMsg(lvlChatty, "not using any public keys.");
+        } else {
+            for (auto & pk : publicKeys)
+                printMsg(lvlChatty, "using public key: %s:%s", pk.first, base64Encode(pk.second.key));
+        }
+
        Activity act(*logger, actVerifyPaths);

        std::atomic<size_t> done{0};
@ -119,10 +126,11 @@ struct CmdVerify : StorePathsCommand

                    bool good = false;

-                    if (info->ultimate && !sigsNeeded)
+                    if (info->ultimate && !sigsNeeded) {
+                        printMsg(lvlChatty, "path is ultimately trusted");
                        good = true;

-                    else {
+                    } else {

                        StringSet sigsSeen;
                        size_t actualSigsNeeded = std::max(sigsNeeded, (size_t) 1);
@ -131,12 +139,24 @@ struct CmdVerify : StorePathsCommand
                        auto doSigs = [&](StringSet sigs) {
                            for (auto sig : sigs) {
                                if (!sigsSeen.insert(sig).second) continue;
-                                if (validSigs < ValidPathInfo::maxSigs && info->checkSignature(*store, publicKeys, sig))
+
+                                if (verbosity >= lvlChatty) {
+                                    auto ss = BorrowedCryptoValue::parse(sig);
+                                    printMsg(lvlChatty, "path is signed with key: %s", ss.name);
+                                }
+
+                                if (validSigs < ValidPathInfo::maxSigs && info->checkSignature(*store, publicKeys, sig)) {
                                    validSigs++;
+                                    if (validSigs == actualSigsNeeded)
+                                        printMsg(lvlChatty, "path has sufficient signatures");
+                                }
                            }
                        };

-                        if (info->isContentAddressed(*store)) validSigs = ValidPathInfo::maxSigs;
+                        if (info->isContentAddressed(*store)) {
+                            printMsg(lvlChatty, "path is content-addressed");
+                            validSigs = ValidPathInfo::maxSigs;
+                        }

                        doSigs(info->sigs);

@ -144,7 +164,10 @@ struct CmdVerify : StorePathsCommand
                            if (validSigs >= actualSigsNeeded) break;
                            try {
                                auto info2 = store2->queryPathInfo(info->path);
-                                if (info2->isContentAddressed(*store)) validSigs = ValidPathInfo::maxSigs;
+                                if (info2->isContentAddressed(*store)) {
+                                    printMsg(lvlChatty, "path is content-addressed");
+                                    validSigs = ValidPathInfo::maxSigs;
+                                }
                                doSigs(info2->sigs);
                            } catch (InvalidPath &) {
                            } catch (Error & e) {
@ -152,6 +175,11 @@ struct CmdVerify : StorePathsCommand
                            }
                        }

+                        if (sigsSeen.size() == 0)
+                            printMsg(lvlChatty, "path does not have any signatures");
+                        if (validSigs == 0)
+                            printMsg(lvlChatty, "path does not have any valid signatures");
+
                        if (validSigs >= actualSigsNeeded)
                            good = true;
                    }