guix-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

02/07: daemon: Isolate signing and signature verification functions.


From: guix-commits
Subject: 02/07: daemon: Isolate signing and signature verification functions.
Date: Mon, 14 Sep 2020 09:43:27 -0400 (EDT)

civodul pushed a commit to branch master
in repository guix.

commit 27cc51c269fbe9d2ca65711d281c63ae441a9b4a
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Thu Sep 10 16:46:52 2020 +0200

    daemon: Isolate signing and signature verification functions.
    
    * nix/libstore/local-store.cc (signHash, verifySignature): New
    functions.
    (LocalStore::exportPath): Use 'signHash' instead of inline code.
    (LocalStore::importPath): Use 'verifySignature' instead of inline code.
---
 nix/libstore/local-store.cc | 43 ++++++++++++++++++++++++++++++-------------
 1 file changed, 30 insertions(+), 13 deletions(-)

diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc
index e6badd3..cbbd8e9 100644
--- a/nix/libstore/local-store.cc
+++ b/nix/libstore/local-store.cc
@@ -1238,6 +1238,34 @@ static std::string runAuthenticationProgram(const 
Strings & args)
     return runProgram(settings.guixProgram, false, fullArgs);
 }
 
+/* Sign HASH with the key stored in file SECRETKEY.  Return the signature as a
+   string, or raise an exception upon error.  */
+static std::string signHash(const string &secretKey, const Hash &hash)
+{
+    Strings args;
+    args.push_back("sign");
+    args.push_back(secretKey);
+    args.push_back(printHash(hash));
+
+    return runAuthenticationProgram(args);
+}
+
+/* Verify SIGNATURE and return the base16-encoded hash over which it was
+   computed.  */
+static std::string verifySignature(const string &signature)
+{
+    Path tmpDir = createTempDir("", "guix", true, true, 0700);
+    AutoDelete delTmp(tmpDir);
+
+    Path sigFile = tmpDir + "/sig";
+    writeFile(sigFile, signature);
+
+    Strings args;
+    args.push_back("verify");
+    args.push_back(sigFile);
+    return runAuthenticationProgram(args);
+}
+
 void LocalStore::exportPath(const Path & path, bool sign,
     Sink & sink)
 {
@@ -1280,12 +1308,7 @@ void LocalStore::exportPath(const Path & path, bool sign,
         Path secretKey = settings.nixConfDir + "/signing-key.sec";
         checkSecrecy(secretKey);
 
-        Strings args;
-        args.push_back("sign");
-        args.push_back(secretKey);
-        args.push_back(printHash(hash));
-
-        string signature = runAuthenticationProgram(args);
+       string signature = signHash(secretKey, hash);
 
         writeString(signature, hashAndWriteSink);
 
@@ -1364,13 +1387,7 @@ Path LocalStore::importPath(bool requireSignature, 
Source & source)
         string signature = readString(hashAndReadSource);
 
         if (requireSignature) {
-            Path sigFile = tmpDir + "/sig";
-            writeFile(sigFile, signature);
-
-            Strings args;
-            args.push_back("verify");
-            args.push_back(sigFile);
-            string hash2 = runAuthenticationProgram(args);
+           string hash2 = verifySignature(signature);
 
             /* Note: runProgram() throws an exception if the signature
                is invalid. */



reply via email to

[Prev in Thread] Current Thread [Next in Thread]