mirror of
https://github.com/NixOS/nix.git
synced 2024-11-29 02:02:27 +00:00
Add some logic for signing realisations
Not exposed anywhere, but built realisations are now signed (and this should be forwarded when copy-ing them around)
This commit is contained in:
parent
306c154632
commit
826877cabf
@ -2615,10 +2615,14 @@ void LocalDerivationGoal::registerOutputs()
|
||||
but it's fine to do in all cases. */
|
||||
|
||||
if (settings.isExperimentalFeatureEnabled("ca-derivations")) {
|
||||
for (auto& [outputName, newInfo] : infos)
|
||||
worker.store.registerDrvOutput(Realisation{
|
||||
.id = DrvOutput{initialOutputs.at(outputName).outputHash, outputName},
|
||||
.outPath = newInfo.path});
|
||||
for (auto& [outputName, newInfo] : infos) {
|
||||
auto thisRealisation = Realisation{
|
||||
.id = DrvOutput{initialOutputs.at(outputName).outputHash,
|
||||
outputName},
|
||||
.outPath = newInfo.path};
|
||||
getLocalStore().signRealisation(thisRealisation);
|
||||
worker.store.registerDrvOutput(thisRealisation);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -6,6 +6,7 @@ create table if not exists Realisations (
|
||||
drvPath text not null,
|
||||
outputName text not null, -- symbolic output id, usually "out"
|
||||
outputPath integer not null,
|
||||
signatures text, -- space-separated list
|
||||
primary key (drvPath, outputName),
|
||||
foreign key (outputPath) references ValidPaths(id) on delete cascade
|
||||
);
|
||||
|
@ -310,13 +310,13 @@ LocalStore::LocalStore(const Params & params)
|
||||
if (settings.isExperimentalFeatureEnabled("ca-derivations")) {
|
||||
state->stmts->RegisterRealisedOutput.create(state->db,
|
||||
R"(
|
||||
insert or replace into Realisations (drvPath, outputName, outputPath)
|
||||
values (?, ?, (select id from ValidPaths where path = ?))
|
||||
insert or replace into Realisations (drvPath, outputName, outputPath, signatures)
|
||||
values (?, ?, (select id from ValidPaths where path = ?), ?)
|
||||
;
|
||||
)");
|
||||
state->stmts->QueryRealisedOutput.create(state->db,
|
||||
R"(
|
||||
select Output.path from Realisations
|
||||
select Output.path, Realisations.signatures from Realisations
|
||||
inner join ValidPaths as Output on Output.id = Realisations.outputPath
|
||||
where drvPath = ? and outputName = ?
|
||||
;
|
||||
@ -662,6 +662,7 @@ void LocalStore::registerDrvOutput(const Realisation & info)
|
||||
(info.id.strHash())
|
||||
(info.id.outputName)
|
||||
(printStorePath(info.outPath))
|
||||
(concatStringsSep(" ", info.signatures))
|
||||
.exec();
|
||||
});
|
||||
}
|
||||
@ -1107,6 +1108,11 @@ bool LocalStore::pathInfoIsTrusted(const ValidPathInfo & info)
|
||||
return requireSigs && !info.checkSignatures(*this, getPublicKeys());
|
||||
}
|
||||
|
||||
bool LocalStore::realisationIsUntrusted(const Realisation & realisation)
|
||||
{
|
||||
return requireSigs && !realisation.checkSignatures(getPublicKeys());
|
||||
}
|
||||
|
||||
void LocalStore::addToStore(const ValidPathInfo & info, Source & source,
|
||||
RepairFlag repair, CheckSigsFlag checkSigs)
|
||||
{
|
||||
@ -1612,6 +1618,18 @@ void LocalStore::addSignatures(const StorePath & storePath, const StringSet & si
|
||||
}
|
||||
|
||||
|
||||
void LocalStore::signRealisation(Realisation & realisation)
|
||||
{
|
||||
// FIXME: keep secret keys in memory.
|
||||
|
||||
auto secretKeyFiles = settings.secretKeyFiles;
|
||||
|
||||
for (auto & secretKeyFile : secretKeyFiles.get()) {
|
||||
SecretKey secretKey(readFile(secretKeyFile));
|
||||
realisation.sign(secretKey);
|
||||
}
|
||||
}
|
||||
|
||||
void LocalStore::signPathInfo(ValidPathInfo & info)
|
||||
{
|
||||
// FIXME: keep secret keys in memory.
|
||||
@ -1649,8 +1667,9 @@ std::optional<const Realisation> LocalStore::queryRealisation(
|
||||
if (!use.next())
|
||||
return std::nullopt;
|
||||
auto outputPath = parseStorePath(use.getStr(0));
|
||||
return Ret{
|
||||
Realisation{.id = id, .outPath = outputPath}};
|
||||
auto signatures = tokenizeString<StringSet>(use.getStr(1));
|
||||
return Ret{Realisation{
|
||||
.id = id, .outPath = outputPath, .signatures = signatures}};
|
||||
});
|
||||
}
|
||||
} // namespace nix
|
||||
|
@ -137,6 +137,7 @@ public:
|
||||
SubstitutablePathInfos & infos) override;
|
||||
|
||||
bool pathInfoIsTrusted(const ValidPathInfo &) override;
|
||||
bool realisationIsUntrusted(const Realisation & ) override;
|
||||
|
||||
void addToStore(const ValidPathInfo & info, Source & source,
|
||||
RepairFlag repair, CheckSigsFlag checkSigs) override;
|
||||
@ -272,9 +273,10 @@ private:
|
||||
bool isValidPath_(State & state, const StorePath & path);
|
||||
void queryReferrers(State & state, const StorePath & path, StorePathSet & referrers);
|
||||
|
||||
/* Add signatures to a ValidPathInfo using the secret keys
|
||||
/* Add signatures to a ValidPathInfo or Realisation using the secret keys
|
||||
specified by the ‘secret-key-files’ option. */
|
||||
void signPathInfo(ValidPathInfo & info);
|
||||
void signRealisation(Realisation &);
|
||||
|
||||
Path getRealStoreDir() override { return realStoreDir; }
|
||||
|
||||
|
@ -25,27 +25,69 @@ nlohmann::json Realisation::toJSON() const {
|
||||
return nlohmann::json{
|
||||
{"id", id.to_string()},
|
||||
{"outPath", outPath.to_string()},
|
||||
{"signatures", signatures},
|
||||
};
|
||||
}
|
||||
|
||||
Realisation Realisation::fromJSON(
|
||||
const nlohmann::json& json,
|
||||
const std::string& whence) {
|
||||
auto getField = [&](std::string fieldName) -> std::string {
|
||||
auto getOptionalField = [&](std::string fieldName) -> std::optional<std::string> {
|
||||
auto fieldIterator = json.find(fieldName);
|
||||
if (fieldIterator == json.end())
|
||||
return std::nullopt;
|
||||
return *fieldIterator;
|
||||
};
|
||||
auto getField = [&](std::string fieldName) -> std::string {
|
||||
if (auto field = getOptionalField(fieldName))
|
||||
return *field;
|
||||
else
|
||||
throw Error(
|
||||
"Drv output info file '%1%' is corrupt, missing field %2%",
|
||||
whence, fieldName);
|
||||
return *fieldIterator;
|
||||
};
|
||||
|
||||
StringSet signatures;
|
||||
if (auto signaturesIterator = json.find("signatures"); signaturesIterator != json.end())
|
||||
signatures.insert(signaturesIterator->begin(), signaturesIterator->end());
|
||||
|
||||
return Realisation{
|
||||
.id = DrvOutput::parse(getField("id")),
|
||||
.outPath = StorePath(getField("outPath")),
|
||||
.signatures = signatures,
|
||||
};
|
||||
}
|
||||
|
||||
std::string Realisation::fingerprint() const
|
||||
{
|
||||
auto serialized = toJSON();
|
||||
serialized.erase("signatures");
|
||||
return serialized.dump();
|
||||
}
|
||||
|
||||
void Realisation::sign(const SecretKey & secretKey)
|
||||
{
|
||||
signatures.insert(secretKey.signDetached(fingerprint()));
|
||||
}
|
||||
|
||||
bool Realisation::checkSignature(const PublicKeys & publicKeys, const std::string & sig) const
|
||||
{
|
||||
return verifyDetached(fingerprint(), sig, publicKeys);
|
||||
}
|
||||
|
||||
size_t Realisation::checkSignatures(const PublicKeys & publicKeys) const
|
||||
{
|
||||
// FIXME: Maybe we should return `maxSigs` if the realisation corresponds to
|
||||
// an input-addressed one − because in that case the drv is enough to check
|
||||
// it − but we can't know that here.
|
||||
|
||||
size_t good = 0;
|
||||
for (auto & sig : signatures)
|
||||
if (checkSignature(publicKeys, sig))
|
||||
good++;
|
||||
return good;
|
||||
}
|
||||
|
||||
StorePath RealisedPath::path() const {
|
||||
return std::visit([](auto && arg) { return arg.getPath(); }, raw);
|
||||
}
|
||||
|
@ -3,6 +3,7 @@
|
||||
#include "path.hh"
|
||||
#include <nlohmann/json_fwd.hpp>
|
||||
#include "comparator.hh"
|
||||
#include "crypto.hh"
|
||||
|
||||
namespace nix {
|
||||
|
||||
@ -25,9 +26,16 @@ struct Realisation {
|
||||
DrvOutput id;
|
||||
StorePath outPath;
|
||||
|
||||
StringSet signatures;
|
||||
|
||||
nlohmann::json toJSON() const;
|
||||
static Realisation fromJSON(const nlohmann::json& json, const std::string& whence);
|
||||
|
||||
std::string fingerprint() const;
|
||||
void sign(const SecretKey &);
|
||||
bool checkSignature(const PublicKeys & publicKeys, const std::string & sig) const;
|
||||
size_t checkSignatures(const PublicKeys & publicKeys) const;
|
||||
|
||||
StorePath getPath() const { return outPath; }
|
||||
|
||||
GENERATE_CMP(Realisation, me->id, me->outPath);
|
||||
|
@ -389,6 +389,11 @@ public:
|
||||
return true;
|
||||
}
|
||||
|
||||
virtual bool realisationIsUntrusted(const Realisation & )
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
protected:
|
||||
|
||||
virtual void queryPathInfoUncached(const StorePath & path,
|
||||
|
Loading…
Reference in New Issue
Block a user