From 6dd8ffc57420ee2f6f19e79e41028e78fe9e6a7e Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Tue, 8 Sep 2020 15:00:29 +0200 Subject: daemon: Simplify interface with 'guix authenticate'. There's no reason at this point to mimic the calling convention of the 'openssl' command. * nix/libstore/local-store.cc (LocalStore::exportPath): Add only "sign" and HASH to ARGS. Remove 'tmpDir' and 'hashFile'. (LocalStore::importPath): Add only "verify" and SIGNATURE to * guix/scripts/authenticate.scm (guix-authenticate): Adjust accordingly; remove the OpenSSL-style clauses. (read-hash-data): Remove. (sign-with-key): Replace 'port' with 'sha256' and adjust accordingly. (validate-signature): Export SIGNATURE to be a canonical sexp. * tests/guix-authenticate.sh: Adjust tests accordingly. --- nix/libstore/local-store.cc | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) (limited to 'nix') diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index 7a520925e5..e6badd3721 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc @@ -1277,21 +1277,13 @@ void LocalStore::exportPath(const Path & path, bool sign, writeInt(1, hashAndWriteSink); - Path tmpDir = createTempDir(); - AutoDelete delTmp(tmpDir); - Path hashFile = tmpDir + "/hash"; - writeFile(hashFile, printHash(hash)); - Path secretKey = settings.nixConfDir + "/signing-key.sec"; checkSecrecy(secretKey); Strings args; - args.push_back("rsautl"); - args.push_back("-sign"); - args.push_back("-inkey"); + args.push_back("sign"); args.push_back(secretKey); - args.push_back("-in"); - args.push_back(hashFile); + args.push_back(printHash(hash)); string signature = runAuthenticationProgram(args); @@ -1376,12 +1368,7 @@ Path LocalStore::importPath(bool requireSignature, Source & source) writeFile(sigFile, signature); Strings args; - args.push_back("rsautl"); - args.push_back("-verify"); - args.push_back("-inkey"); - args.push_back(settings.nixConfDir + "/signing-key.pub"); - args.push_back("-pubin"); - args.push_back("-in"); + args.push_back("verify"); args.push_back(sigFile); string hash2 = runAuthenticationProgram(args); -- cgit v1.2.3