[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
02/07: daemon: Isolate signing and signature verification functions.
From: |
guix-commits |
Subject: |
02/07: daemon: Isolate signing and signature verification functions. |
Date: |
Mon, 14 Sep 2020 09:43:27 -0400 (EDT) |
civodul pushed a commit to branch master
in repository guix.
commit 27cc51c269fbe9d2ca65711d281c63ae441a9b4a
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Thu Sep 10 16:46:52 2020 +0200
daemon: Isolate signing and signature verification functions.
* nix/libstore/local-store.cc (signHash, verifySignature): New
functions.
(LocalStore::exportPath): Use 'signHash' instead of inline code.
(LocalStore::importPath): Use 'verifySignature' instead of inline code.
---
nix/libstore/local-store.cc | 43 ++++++++++++++++++++++++++++++-------------
1 file changed, 30 insertions(+), 13 deletions(-)
diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc
index e6badd3..cbbd8e9 100644
--- a/nix/libstore/local-store.cc
+++ b/nix/libstore/local-store.cc
@@ -1238,6 +1238,34 @@ static std::string runAuthenticationProgram(const
Strings & args)
return runProgram(settings.guixProgram, false, fullArgs);
}
+/* Sign HASH with the key stored in file SECRETKEY. Return the signature as a
+ string, or raise an exception upon error. */
+static std::string signHash(const string &secretKey, const Hash &hash)
+{
+ Strings args;
+ args.push_back("sign");
+ args.push_back(secretKey);
+ args.push_back(printHash(hash));
+
+ return runAuthenticationProgram(args);
+}
+
+/* Verify SIGNATURE and return the base16-encoded hash over which it was
+ computed. */
+static std::string verifySignature(const string &signature)
+{
+ Path tmpDir = createTempDir("", "guix", true, true, 0700);
+ AutoDelete delTmp(tmpDir);
+
+ Path sigFile = tmpDir + "/sig";
+ writeFile(sigFile, signature);
+
+ Strings args;
+ args.push_back("verify");
+ args.push_back(sigFile);
+ return runAuthenticationProgram(args);
+}
+
void LocalStore::exportPath(const Path & path, bool sign,
Sink & sink)
{
@@ -1280,12 +1308,7 @@ void LocalStore::exportPath(const Path & path, bool sign,
Path secretKey = settings.nixConfDir + "/signing-key.sec";
checkSecrecy(secretKey);
- Strings args;
- args.push_back("sign");
- args.push_back(secretKey);
- args.push_back(printHash(hash));
-
- string signature = runAuthenticationProgram(args);
+ string signature = signHash(secretKey, hash);
writeString(signature, hashAndWriteSink);
@@ -1364,13 +1387,7 @@ Path LocalStore::importPath(bool requireSignature,
Source & source)
string signature = readString(hashAndReadSource);
if (requireSignature) {
- Path sigFile = tmpDir + "/sig";
- writeFile(sigFile, signature);
-
- Strings args;
- args.push_back("verify");
- args.push_back(sigFile);
- string hash2 = runAuthenticationProgram(args);
+ string hash2 = verifySignature(signature);
/* Note: runProgram() throws an exception if the signature
is invalid. */
- branch master updated (735808b -> 846403e), guix-commits, 2020/09/14
- 03/07: daemon: Move 'Agent' to libutil., guix-commits, 2020/09/14
- 01/07: daemon: Generalize 'HookInstance' to 'Agent'., guix-commits, 2020/09/14
- 02/07: daemon: Isolate signing and signature verification functions.,
guix-commits <=
- 04/07: daemon: Spawn 'guix authenticate' once for all., guix-commits, 2020/09/14
- 05/07: authenticate: Cache the ACL and key pairs., guix-commits, 2020/09/14
- 06/07: tests: Remove one 'delete-paths' call in 'tests/store.scm'., guix-commits, 2020/09/14
- 07/07: ui: 'show-what-to-build' displays download estimate more prominently., guix-commits, 2020/09/14