ryan77627/guix
1
0
Fork 0
mirror of https://git.in.rschanz.org/ryan77627/guix.git synced 2024-11-07 07:26:13 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

daemon: Isolate signing and signature verification functions.

Browse source 
* nix/libstore/local-store.cc (signHash, verifySignature): New
functions.
(LocalStore::exportPath): Use 'signHash' instead of inline code.
(LocalStore::importPath): Use 'verifySignature' instead of inline code.
This commit is contained in:
Ludovic Courtès 2020-09-10 16:46:52 +02:00
parent 7809071c82
commit 27cc51c269
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
1 changed files with 30 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

43
nix/libstore/local-store.cc
View file

@ -1238,6 +1238,34 @@ static std::string runAuthenticationProgram(const Strings & args)
return runProgram(settings.guixProgram, false, fullArgs); return runProgram(settings.guixProgram, false, fullArgs);
} }
/* Sign HASH with the key stored in file SECRETKEY. Return the signature as a
string, or raise an exception upon error. */
static std::string signHash(const string &secretKey, const Hash &hash)
{
Strings args;
args.push_back("sign");
args.push_back(secretKey);
args.push_back(printHash(hash));
return runAuthenticationProgram(args);
}
/* Verify SIGNATURE and return the base16-encoded hash over which it was
computed. */
static std::string verifySignature(const string &signature)
{
Path tmpDir = createTempDir("", "guix", true, true, 0700);
AutoDelete delTmp(tmpDir);
Path sigFile = tmpDir + "/sig";
writeFile(sigFile, signature);
Strings args;
args.push_back("verify");
args.push_back(sigFile);
return runAuthenticationProgram(args);
}
void LocalStore::exportPath(const Path & path, bool sign, void LocalStore::exportPath(const Path & path, bool sign,
Sink & sink) Sink & sink)
{ {
@ -1280,12 +1308,7 @@ void LocalStore::exportPath(const Path & path, bool sign,
Path secretKey = settings.nixConfDir + "/signing-key.sec"; Path secretKey = settings.nixConfDir + "/signing-key.sec";
checkSecrecy(secretKey); checkSecrecy(secretKey);
Strings args; string signature = signHash(secretKey, hash);
args.push_back("sign");
args.push_back(secretKey);
args.push_back(printHash(hash));
string signature = runAuthenticationProgram(args);
writeString(signature, hashAndWriteSink); writeString(signature, hashAndWriteSink);
@ -1364,13 +1387,7 @@ Path LocalStore::importPath(bool requireSignature, Source & source)
string signature = readString(hashAndReadSource); string signature = readString(hashAndReadSource);
if (requireSignature) { if (requireSignature) {
Path sigFile = tmpDir + "/sig"; string hash2 = verifySignature(signature);
writeFile(sigFile, signature);
Strings args;
args.push_back("verify");
args.push_back(sigFile);
string hash2 = runAuthenticationProgram(args);
/* Note: runProgram() throws an exception if the signature /* Note: runProgram() throws an exception if the signature
is invalid. */ is invalid. */