diff options
| author | Ludovic Courtès <ludo@gnu.org> | 2020-09-10 16:46:52 +0200 |
|---|---|---|
| committer | Ludovic Courtès <ludo@gnu.org> | 2020-09-14 15:42:55 +0200 |
| commit | 27cc51c269fbe9d2ca65711d281c63ae441a9b4a (patch) | |
| tree | 16b97c8c44636aa9518ad238dbed9aef828e8e64 /nix/libstore | |
| parent | 7809071c822589dfc3c65c539760e92936c41073 (diff) | |
daemon: Isolate signing and signature verification functions.
* nix/libstore/local-store.cc (signHash, verifySignature): New
functions.
(LocalStore::exportPath): Use 'signHash' instead of inline code.
(LocalStore::importPath): Use 'verifySignature' instead of inline code.
Diffstat (limited to 'nix/libstore')
| -rw-r--r-- | nix/libstore/local-store.cc | 43 |
1 files changed, 30 insertions, 13 deletions
diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index e6badd3721..cbbd8e901d 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc @@ -1238,6 +1238,34 @@ static std::string runAuthenticationProgram(const Strings & args) return runProgram(settings.guixProgram, false, fullArgs); } +/* Sign HASH with the key stored in file SECRETKEY. Return the signature as a + string, or raise an exception upon error. */ +static std::string signHash(const string &secretKey, const Hash &hash) +{ + Strings args; + args.push_back("sign"); + args.push_back(secretKey); + args.push_back(printHash(hash)); + + return runAuthenticationProgram(args); +} + +/* Verify SIGNATURE and return the base16-encoded hash over which it was + computed. */ +static std::string verifySignature(const string &signature) +{ + Path tmpDir = createTempDir("", "guix", true, true, 0700); + AutoDelete delTmp(tmpDir); + + Path sigFile = tmpDir + "/sig"; + writeFile(sigFile, signature); + + Strings args; + args.push_back("verify"); + args.push_back(sigFile); + return runAuthenticationProgram(args); +} + void LocalStore::exportPath(const Path & path, bool sign, Sink & sink) { @@ -1280,12 +1308,7 @@ void LocalStore::exportPath(const Path & path, bool sign, Path secretKey = settings.nixConfDir + "/signing-key.sec"; checkSecrecy(secretKey); - Strings args; - args.push_back("sign"); - args.push_back(secretKey); - args.push_back(printHash(hash)); - - string signature = runAuthenticationProgram(args); + string signature = signHash(secretKey, hash); writeString(signature, hashAndWriteSink); @@ -1364,13 +1387,7 @@ Path LocalStore::importPath(bool requireSignature, Source & source) string signature = readString(hashAndReadSource); if (requireSignature) { - Path sigFile = tmpDir + "/sig"; - writeFile(sigFile, signature); - - Strings args; - args.push_back("verify"); - args.push_back(sigFile); - string hash2 = runAuthenticationProgram(args); + string hash2 = verifySignature(signature); /* Note: runProgram() throws an exception if the signature is invalid. */ |