2011-10-10 23:11:08 +02:00
|
|
|
|
package Nix::Manifest;
|
|
|
|
|
|
|
2014-08-20 17:00:17 +02:00
|
|
|
|
use utf8;
|
2003-12-05 12:25:38 +01:00
|
|
|
|
use strict;
|
2011-04-11 01:22:46 +02:00
|
|
|
|
use DBI;
|
2013-10-24 19:10:38 +02:00
|
|
|
|
use DBD::SQLite;
|
2011-04-11 01:22:46 +02:00
|
|
|
|
use Cwd;
|
|
|
|
|
|
use File::stat;
|
2011-04-11 10:06:14 +02:00
|
|
|
|
use File::Path;
|
2011-04-11 14:40:13 +02:00
|
|
|
|
use Fcntl ':flock';
|
2015-02-04 16:43:32 +01:00
|
|
|
|
use MIME::Base64;
|
2011-10-10 23:11:08 +02:00
|
|
|
|
use Nix::Config;
|
2015-02-04 16:43:32 +01:00
|
|
|
|
use Nix::Store;
|
2011-10-10 23:11:08 +02:00
|
|
|
|
|
|
|
|
|
|
our @ISA = qw(Exporter);
|
2015-02-04 17:59:31 +01:00
|
|
|
|
our @EXPORT = qw(readManifest writeManifest updateManifestDB addPatch deleteOldManifests parseNARInfo fingerprintPath);
|
2003-12-05 12:25:38 +01:00
|
|
|
|
|
2004-12-28 22:11:28 +01:00
|
|
|
|
|
2011-04-11 15:16:54 +02:00
|
|
|
|
sub addNAR {
|
|
|
|
|
|
my ($narFiles, $storePath, $info) = @_;
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2011-04-11 15:16:54 +02:00
|
|
|
|
$$narFiles{$storePath} = []
|
|
|
|
|
|
unless defined $$narFiles{$storePath};
|
|
|
|
|
|
|
|
|
|
|
|
my $narFileList = $$narFiles{$storePath};
|
|
|
|
|
|
|
|
|
|
|
|
my $found = 0;
|
|
|
|
|
|
foreach my $narFile (@{$narFileList}) {
|
|
|
|
|
|
$found = 1 if $narFile->{url} eq $info->{url};
|
|
|
|
|
|
}
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2011-04-11 15:16:54 +02:00
|
|
|
|
push @{$narFileList}, $info if !$found;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
2004-12-29 19:58:15 +01:00
|
|
|
|
sub addPatch {
|
2009-04-16 11:27:33 +02:00
|
|
|
|
my ($patches, $storePath, $patch) = @_;
|
2004-12-29 19:58:15 +01:00
|
|
|
|
|
|
|
|
|
|
$$patches{$storePath} = []
|
|
|
|
|
|
unless defined $$patches{$storePath};
|
|
|
|
|
|
|
|
|
|
|
|
my $patchList = $$patches{$storePath};
|
|
|
|
|
|
|
|
|
|
|
|
my $found = 0;
|
|
|
|
|
|
foreach my $patch2 (@{$patchList}) {
|
2009-03-19 10:47:34 +01:00
|
|
|
|
$found = 1 if
|
|
|
|
|
|
$patch2->{url} eq $patch->{url} &&
|
|
|
|
|
|
$patch2->{basePath} eq $patch->{basePath};
|
2004-12-29 19:58:15 +01:00
|
|
|
|
}
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2004-12-29 23:17:26 +01:00
|
|
|
|
push @{$patchList}, $patch if !$found;
|
|
|
|
|
|
|
|
|
|
|
|
return !$found;
|
2004-12-29 19:58:15 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
2011-04-11 15:16:54 +02:00
|
|
|
|
sub readManifest_ {
|
|
|
|
|
|
my ($manifest, $addNAR, $addPatch) = @_;
|
2003-12-05 12:25:38 +01:00
|
|
|
|
|
2011-11-16 17:25:38 +01:00
|
|
|
|
# Decompress the manifest if necessary.
|
|
|
|
|
|
if ($manifest =~ /\.bz2$/) {
|
|
|
|
|
|
open MANIFEST, "$Nix::Config::bzip2 -d < $manifest |"
|
2014-08-20 17:00:17 +02:00
|
|
|
|
or die "cannot decompress ‘$manifest’: $!";
|
2011-11-16 17:25:38 +01:00
|
|
|
|
} else {
|
|
|
|
|
|
open MANIFEST, "<$manifest"
|
2014-08-20 17:00:17 +02:00
|
|
|
|
or die "cannot open ‘$manifest’: $!";
|
2011-11-16 17:25:38 +01:00
|
|
|
|
}
|
2003-12-05 12:25:38 +01:00
|
|
|
|
|
|
|
|
|
|
my $inside = 0;
|
2004-12-13 14:47:38 +01:00
|
|
|
|
my $type;
|
2003-12-05 12:25:38 +01:00
|
|
|
|
|
2005-02-25 17:12:52 +01:00
|
|
|
|
my $manifestVersion = 2;
|
|
|
|
|
|
|
2010-11-17 15:31:42 +01:00
|
|
|
|
my ($storePath, $url, $hash, $size, $basePath, $baseHash, $patchType);
|
2012-09-19 23:33:42 +02:00
|
|
|
|
my ($narHash, $narSize, $references, $deriver, $copyFrom, $system, $compressionType);
|
2003-12-05 12:25:38 +01:00
|
|
|
|
|
|
|
|
|
|
while (<MANIFEST>) {
|
|
|
|
|
|
chomp;
|
|
|
|
|
|
s/\#.*$//g;
|
|
|
|
|
|
next if (/^$/);
|
|
|
|
|
|
|
|
|
|
|
|
if (!$inside) {
|
2004-12-28 22:11:28 +01:00
|
|
|
|
|
|
|
|
|
|
if (/^\s*(\w*)\s*\{$/) {
|
|
|
|
|
|
$type = $1;
|
|
|
|
|
|
$type = "narfile" if $type eq "";
|
2003-12-05 12:25:38 +01:00
|
|
|
|
$inside = 1;
|
2004-06-21 11:51:23 +02:00
|
|
|
|
undef $storePath;
|
2004-12-13 14:47:38 +01:00
|
|
|
|
undef $url;
|
2003-12-05 12:25:38 +01:00
|
|
|
|
undef $hash;
|
2004-12-28 22:11:28 +01:00
|
|
|
|
undef $size;
|
2004-12-20 17:38:50 +01:00
|
|
|
|
undef $narHash;
|
2010-11-17 15:31:42 +01:00
|
|
|
|
undef $narSize;
|
2004-12-13 14:47:38 +01:00
|
|
|
|
undef $basePath;
|
|
|
|
|
|
undef $baseHash;
|
|
|
|
|
|
undef $patchType;
|
2010-11-29 10:26:05 +01:00
|
|
|
|
undef $system;
|
2005-01-25 18:08:52 +01:00
|
|
|
|
$references = "";
|
2005-02-09 13:57:13 +01:00
|
|
|
|
$deriver = "";
|
2012-09-19 23:33:42 +02:00
|
|
|
|
$compressionType = "bzip2";
|
2012-09-13 17:35:46 +02:00
|
|
|
|
}
|
2004-12-28 22:11:28 +01:00
|
|
|
|
|
2003-12-05 12:25:38 +01:00
|
|
|
|
} else {
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2003-12-05 12:25:38 +01:00
|
|
|
|
if (/^\}$/) {
|
|
|
|
|
|
$inside = 0;
|
|
|
|
|
|
|
2004-12-13 14:47:38 +01:00
|
|
|
|
if ($type eq "narfile") {
|
2011-04-11 15:16:54 +02:00
|
|
|
|
&$addNAR($storePath,
|
|
|
|
|
|
{ url => $url, hash => $hash, size => $size
|
|
|
|
|
|
, narHash => $narHash, narSize => $narSize
|
|
|
|
|
|
, references => $references
|
|
|
|
|
|
, deriver => $deriver
|
|
|
|
|
|
, system => $system
|
2012-09-19 23:33:42 +02:00
|
|
|
|
, compressionType => $compressionType
|
2011-04-11 15:16:54 +02:00
|
|
|
|
});
|
2004-12-13 14:47:38 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
elsif ($type eq "patch") {
|
2011-04-11 15:16:54 +02:00
|
|
|
|
&$addPatch($storePath,
|
2004-12-29 19:58:15 +01:00
|
|
|
|
{ url => $url, hash => $hash, size => $size
|
|
|
|
|
|
, basePath => $basePath, baseHash => $baseHash
|
2010-11-17 15:31:42 +01:00
|
|
|
|
, narHash => $narHash, narSize => $narSize
|
2011-04-11 01:22:46 +02:00
|
|
|
|
, patchType => $patchType
|
2011-04-11 15:16:54 +02:00
|
|
|
|
});
|
2003-12-05 12:25:38 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
}
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2004-12-13 14:47:38 +01:00
|
|
|
|
elsif (/^\s*StorePath:\s*(\/\S+)\s*$/) { $storePath = $1; }
|
2007-01-23 17:50:19 +01:00
|
|
|
|
elsif (/^\s*CopyFrom:\s*(\/\S+)\s*$/) { $copyFrom = $1; }
|
2004-12-13 14:47:38 +01:00
|
|
|
|
elsif (/^\s*Hash:\s*(\S+)\s*$/) { $hash = $1; }
|
|
|
|
|
|
elsif (/^\s*URL:\s*(\S+)\s*$/) { $url = $1; }
|
2012-09-19 23:33:42 +02:00
|
|
|
|
elsif (/^\s*Compression:\s*(\S+)\s*$/) { $compressionType = $1; }
|
2004-12-13 14:47:38 +01:00
|
|
|
|
elsif (/^\s*Size:\s*(\d+)\s*$/) { $size = $1; }
|
|
|
|
|
|
elsif (/^\s*BasePath:\s*(\/\S+)\s*$/) { $basePath = $1; }
|
|
|
|
|
|
elsif (/^\s*BaseHash:\s*(\S+)\s*$/) { $baseHash = $1; }
|
|
|
|
|
|
elsif (/^\s*Type:\s*(\S+)\s*$/) { $patchType = $1; }
|
2004-12-20 17:38:50 +01:00
|
|
|
|
elsif (/^\s*NarHash:\s*(\S+)\s*$/) { $narHash = $1; }
|
2010-11-17 15:31:42 +01:00
|
|
|
|
elsif (/^\s*NarSize:\s*(\d+)\s*$/) { $narSize = $1; }
|
2005-01-25 18:08:52 +01:00
|
|
|
|
elsif (/^\s*References:\s*(.*)\s*$/) { $references = $1; }
|
2005-02-09 13:57:13 +01:00
|
|
|
|
elsif (/^\s*Deriver:\s*(\S+)\s*$/) { $deriver = $1; }
|
2005-02-25 17:12:52 +01:00
|
|
|
|
elsif (/^\s*ManifestVersion:\s*(\d+)\s*$/) { $manifestVersion = $1; }
|
2010-11-29 10:26:05 +01:00
|
|
|
|
elsif (/^\s*System:\s*(\S+)\s*$/) { $system = $1; }
|
2004-12-13 14:47:38 +01:00
|
|
|
|
|
|
|
|
|
|
# Compatibility;
|
|
|
|
|
|
elsif (/^\s*NarURL:\s*(\S+)\s*$/) { $url = $1; }
|
2005-03-14 16:09:53 +01:00
|
|
|
|
elsif (/^\s*MD5:\s*(\S+)\s*$/) { $hash = "md5:$1"; }
|
2004-12-20 17:38:50 +01:00
|
|
|
|
|
2003-12-05 12:25:38 +01:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
close MANIFEST;
|
2005-02-25 17:12:52 +01:00
|
|
|
|
|
|
|
|
|
|
return $manifestVersion;
|
2003-12-05 12:25:38 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
2011-04-11 15:16:54 +02:00
|
|
|
|
sub readManifest {
|
|
|
|
|
|
my ($manifest, $narFiles, $patches) = @_;
|
|
|
|
|
|
readManifest_($manifest,
|
|
|
|
|
|
sub { addNAR($narFiles, @_); },
|
|
|
|
|
|
sub { addPatch($patches, @_); } );
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
2009-04-16 11:27:33 +02:00
|
|
|
|
sub writeManifest {
|
2010-11-29 16:26:28 +01:00
|
|
|
|
my ($manifest, $narFiles, $patches, $noCompress) = @_;
|
2004-12-28 22:11:28 +01:00
|
|
|
|
|
2004-12-29 20:04:21 +01:00
|
|
|
|
open MANIFEST, ">$manifest.tmp"; # !!! check exclusive
|
2004-12-28 22:11:28 +01:00
|
|
|
|
|
2005-02-25 17:12:52 +01:00
|
|
|
|
print MANIFEST "version {\n";
|
|
|
|
|
|
print MANIFEST " ManifestVersion: 3\n";
|
|
|
|
|
|
print MANIFEST "}\n";
|
|
|
|
|
|
|
2006-02-24 17:02:36 +01:00
|
|
|
|
foreach my $storePath (sort (keys %{$narFiles})) {
|
2004-12-28 22:11:28 +01:00
|
|
|
|
my $narFileList = $$narFiles{$storePath};
|
|
|
|
|
|
foreach my $narFile (@{$narFileList}) {
|
|
|
|
|
|
print MANIFEST "{\n";
|
|
|
|
|
|
print MANIFEST " StorePath: $storePath\n";
|
|
|
|
|
|
print MANIFEST " NarURL: $narFile->{url}\n";
|
2012-09-19 23:33:42 +02:00
|
|
|
|
print MANIFEST " Compression: $narFile->{compressionType}\n";
|
2009-04-16 11:27:33 +02:00
|
|
|
|
print MANIFEST " Hash: $narFile->{hash}\n" if defined $narFile->{hash};
|
|
|
|
|
|
print MANIFEST " Size: $narFile->{size}\n" if defined $narFile->{size};
|
2010-11-17 13:57:52 +01:00
|
|
|
|
print MANIFEST " NarHash: $narFile->{narHash}\n";
|
|
|
|
|
|
print MANIFEST " NarSize: $narFile->{narSize}\n" if $narFile->{narSize};
|
2005-01-25 18:08:52 +01:00
|
|
|
|
print MANIFEST " References: $narFile->{references}\n"
|
|
|
|
|
|
if defined $narFile->{references} && $narFile->{references} ne "";
|
2005-02-09 13:57:13 +01:00
|
|
|
|
print MANIFEST " Deriver: $narFile->{deriver}\n"
|
|
|
|
|
|
if defined $narFile->{deriver} && $narFile->{deriver} ne "";
|
2010-11-29 10:26:05 +01:00
|
|
|
|
print MANIFEST " System: $narFile->{system}\n" if defined $narFile->{system};
|
2004-12-28 22:11:28 +01:00
|
|
|
|
print MANIFEST "}\n";
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2006-02-24 17:02:36 +01:00
|
|
|
|
foreach my $storePath (sort (keys %{$patches})) {
|
2004-12-28 22:11:28 +01:00
|
|
|
|
my $patchList = $$patches{$storePath};
|
|
|
|
|
|
foreach my $patch (@{$patchList}) {
|
|
|
|
|
|
print MANIFEST "patch {\n";
|
|
|
|
|
|
print MANIFEST " StorePath: $storePath\n";
|
|
|
|
|
|
print MANIFEST " NarURL: $patch->{url}\n";
|
2005-03-14 16:09:53 +01:00
|
|
|
|
print MANIFEST " Hash: $patch->{hash}\n";
|
2004-12-28 22:11:28 +01:00
|
|
|
|
print MANIFEST " Size: $patch->{size}\n";
|
2010-11-17 15:31:42 +01:00
|
|
|
|
print MANIFEST " NarHash: $patch->{narHash}\n";
|
|
|
|
|
|
print MANIFEST " NarSize: $patch->{narSize}\n" if $patch->{narSize};
|
2004-12-28 22:11:28 +01:00
|
|
|
|
print MANIFEST " BasePath: $patch->{basePath}\n";
|
|
|
|
|
|
print MANIFEST " BaseHash: $patch->{baseHash}\n";
|
|
|
|
|
|
print MANIFEST " Type: $patch->{patchType}\n";
|
|
|
|
|
|
print MANIFEST "}\n";
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
|
|
|
|
|
|
2004-12-28 22:11:28 +01:00
|
|
|
|
close MANIFEST;
|
2004-12-29 20:04:21 +01:00
|
|
|
|
|
|
|
|
|
|
rename("$manifest.tmp", $manifest)
|
|
|
|
|
|
or die "cannot rename $manifest.tmp: $!";
|
2007-09-04 17:38:09 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Create a bzipped manifest.
|
2010-11-29 16:26:28 +01:00
|
|
|
|
unless (defined $noCompress) {
|
2012-09-13 17:35:46 +02:00
|
|
|
|
system("$Nix::Config::bzip2 < $manifest > $manifest.bz2.tmp") == 0
|
|
|
|
|
|
or die "cannot compress manifest";
|
2007-09-04 17:38:09 +02:00
|
|
|
|
|
2012-09-13 17:35:46 +02:00
|
|
|
|
rename("$manifest.bz2.tmp", "$manifest.bz2")
|
|
|
|
|
|
or die "cannot rename $manifest.bz2.tmp: $!";
|
2010-11-29 16:26:28 +01:00
|
|
|
|
}
|
2004-12-28 22:11:28 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
2011-04-11 01:22:46 +02:00
|
|
|
|
sub updateManifestDB {
|
2011-10-10 23:11:08 +02:00
|
|
|
|
my $manifestDir = $Nix::Config::manifestDir;
|
2011-04-11 01:22:46 +02:00
|
|
|
|
|
2013-06-20 11:55:15 +02:00
|
|
|
|
my @manifests = glob "$manifestDir/*.nixmanifest";
|
|
|
|
|
|
return undef if scalar @manifests == 0;
|
|
|
|
|
|
|
2011-04-11 10:06:14 +02:00
|
|
|
|
mkpath($manifestDir);
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2012-09-19 23:33:42 +02:00
|
|
|
|
unlink "$manifestDir/cache.sqlite"; # remove obsolete cache
|
|
|
|
|
|
my $dbPath = "$manifestDir/cache-v2.sqlite";
|
2011-04-11 01:22:46 +02:00
|
|
|
|
|
|
|
|
|
|
# Open/create the database.
|
2011-04-11 15:16:54 +02:00
|
|
|
|
our $dbh = DBI->connect("dbi:SQLite:dbname=$dbPath", "", "")
|
2014-08-20 17:00:17 +02:00
|
|
|
|
or die "cannot open database ‘$dbPath’";
|
2011-04-11 01:22:46 +02:00
|
|
|
|
$dbh->{RaiseError} = 1;
|
|
|
|
|
|
$dbh->{PrintError} = 0;
|
|
|
|
|
|
|
|
|
|
|
|
$dbh->do("pragma foreign_keys = on");
|
2011-07-13 16:05:54 +02:00
|
|
|
|
$dbh->do("pragma synchronous = off"); # we can always reproduce the cache
|
|
|
|
|
|
$dbh->do("pragma journal_mode = truncate");
|
2011-04-11 01:22:46 +02:00
|
|
|
|
|
|
|
|
|
|
# Initialise the database schema, if necessary.
|
|
|
|
|
|
$dbh->do(<<EOF);
|
|
|
|
|
|
create table if not exists Manifests (
|
|
|
|
|
|
id integer primary key autoincrement not null,
|
|
|
|
|
|
path text unique not null,
|
|
|
|
|
|
timestamp integer not null
|
|
|
|
|
|
);
|
|
|
|
|
|
EOF
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2011-04-11 01:22:46 +02:00
|
|
|
|
$dbh->do(<<EOF);
|
|
|
|
|
|
create table if not exists NARs (
|
|
|
|
|
|
id integer primary key autoincrement not null,
|
|
|
|
|
|
manifest integer not null,
|
|
|
|
|
|
storePath text not null,
|
|
|
|
|
|
url text not null,
|
2012-09-19 23:33:42 +02:00
|
|
|
|
compressionType text not null,
|
2011-04-11 01:22:46 +02:00
|
|
|
|
hash text,
|
|
|
|
|
|
size integer,
|
|
|
|
|
|
narHash text,
|
|
|
|
|
|
narSize integer,
|
|
|
|
|
|
refs text,
|
|
|
|
|
|
deriver text,
|
|
|
|
|
|
system text,
|
|
|
|
|
|
foreign key (manifest) references Manifests(id) on delete cascade
|
|
|
|
|
|
);
|
|
|
|
|
|
EOF
|
|
|
|
|
|
|
|
|
|
|
|
$dbh->do("create index if not exists NARs_storePath on NARs(storePath)");
|
|
|
|
|
|
|
|
|
|
|
|
$dbh->do(<<EOF);
|
|
|
|
|
|
create table if not exists Patches (
|
|
|
|
|
|
id integer primary key autoincrement not null,
|
|
|
|
|
|
manifest integer not null,
|
|
|
|
|
|
storePath text not null,
|
|
|
|
|
|
basePath text not null,
|
|
|
|
|
|
baseHash text not null,
|
|
|
|
|
|
url text not null,
|
|
|
|
|
|
hash text,
|
|
|
|
|
|
size integer,
|
|
|
|
|
|
narHash text,
|
|
|
|
|
|
narSize integer,
|
|
|
|
|
|
patchType text not null,
|
|
|
|
|
|
foreign key (manifest) references Manifests(id) on delete cascade
|
|
|
|
|
|
);
|
|
|
|
|
|
EOF
|
|
|
|
|
|
|
|
|
|
|
|
$dbh->do("create index if not exists Patches_storePath on Patches(storePath)");
|
|
|
|
|
|
|
2011-04-11 14:40:13 +02:00
|
|
|
|
# Acquire an exclusive lock to ensure that only one process
|
|
|
|
|
|
# updates the DB at the same time. This isn't really necessary,
|
|
|
|
|
|
# but it prevents work duplication and lock contention in SQLite.
|
2011-10-10 23:11:08 +02:00
|
|
|
|
my $lockFile = "$manifestDir/cache.lock";
|
|
|
|
|
|
open MAINLOCK, ">>$lockFile" or die "unable to acquire lock ‘$lockFile’: $!\n";
|
2011-04-11 14:40:13 +02:00
|
|
|
|
flock(MAINLOCK, LOCK_EX) or die;
|
2011-04-11 01:22:46 +02:00
|
|
|
|
|
2011-11-16 12:37:40 +01:00
|
|
|
|
our $insertNAR = $dbh->prepare(
|
2012-09-19 23:33:42 +02:00
|
|
|
|
"insert into NARs(manifest, storePath, url, compressionType, hash, size, narHash, " .
|
|
|
|
|
|
"narSize, refs, deriver, system) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)") or die;
|
2011-11-16 12:37:40 +01:00
|
|
|
|
|
|
|
|
|
|
our $insertPatch = $dbh->prepare(
|
|
|
|
|
|
"insert into Patches(manifest, storePath, basePath, baseHash, url, hash, " .
|
|
|
|
|
|
"size, narHash, narSize, patchType) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
|
|
|
|
|
|
|
2011-07-13 16:05:54 +02:00
|
|
|
|
$dbh->begin_work;
|
|
|
|
|
|
|
2011-04-11 01:22:46 +02:00
|
|
|
|
# Read each manifest in $manifestDir and add it to the database,
|
|
|
|
|
|
# unless we've already done so on a previous run.
|
|
|
|
|
|
my %seen;
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2013-06-20 11:55:15 +02:00
|
|
|
|
for my $manifestLink (@manifests) {
|
2011-11-16 17:41:48 +01:00
|
|
|
|
my $manifest = Cwd::abs_path($manifestLink);
|
2012-01-03 13:59:00 +01:00
|
|
|
|
next unless -f $manifest;
|
2011-04-11 01:22:46 +02:00
|
|
|
|
my $timestamp = lstat($manifest)->mtime;
|
|
|
|
|
|
$seen{$manifest} = 1;
|
|
|
|
|
|
|
|
|
|
|
|
next if scalar @{$dbh->selectcol_arrayref(
|
|
|
|
|
|
"select 1 from Manifests where path = ? and timestamp = ?",
|
|
|
|
|
|
{}, $manifest, $timestamp)} == 1;
|
|
|
|
|
|
|
2011-07-13 16:05:54 +02:00
|
|
|
|
print STDERR "caching $manifest...\n";
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2011-04-11 01:22:46 +02:00
|
|
|
|
$dbh->do("delete from Manifests where path = ?", {}, $manifest);
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2011-04-11 01:22:46 +02:00
|
|
|
|
$dbh->do("insert into Manifests(path, timestamp) values (?, ?)",
|
|
|
|
|
|
{}, $manifest, $timestamp);
|
|
|
|
|
|
|
2011-08-17 16:17:19 +02:00
|
|
|
|
our $id = $dbh->last_insert_id("", "", "", "");
|
2011-04-11 15:16:54 +02:00
|
|
|
|
|
|
|
|
|
|
sub addNARToDB {
|
|
|
|
|
|
my ($storePath, $narFile) = @_;
|
2011-11-16 12:37:40 +01:00
|
|
|
|
$insertNAR->execute(
|
2012-09-19 23:33:42 +02:00
|
|
|
|
$id, $storePath, $narFile->{url}, $narFile->{compressionType}, $narFile->{hash},
|
|
|
|
|
|
$narFile->{size}, $narFile->{narHash}, $narFile->{narSize}, $narFile->{references},
|
2011-04-11 15:16:54 +02:00
|
|
|
|
$narFile->{deriver}, $narFile->{system});
|
|
|
|
|
|
};
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2011-04-11 15:16:54 +02:00
|
|
|
|
sub addPatchToDB {
|
|
|
|
|
|
my ($storePath, $patch) = @_;
|
2011-11-16 12:37:40 +01:00
|
|
|
|
$insertPatch->execute(
|
|
|
|
|
|
$id, $storePath, $patch->{basePath}, $patch->{baseHash}, $patch->{url},
|
2011-04-11 15:16:54 +02:00
|
|
|
|
$patch->{hash}, $patch->{size}, $patch->{narHash}, $patch->{narSize},
|
|
|
|
|
|
$patch->{patchType});
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
my $version = readManifest_($manifest, \&addNARToDB, \&addPatchToDB);
|
2012-09-13 17:35:46 +02:00
|
|
|
|
|
2011-04-11 15:16:54 +02:00
|
|
|
|
if ($version < 3) {
|
2014-08-20 17:00:17 +02:00
|
|
|
|
die "you have an old-style or corrupt manifest ‘$manifestLink’; please delete it\n";
|
2011-04-11 01:22:46 +02:00
|
|
|
|
}
|
2011-04-11 15:16:54 +02:00
|
|
|
|
if ($version >= 10) {
|
2014-08-20 17:00:17 +02:00
|
|
|
|
die "manifest ‘$manifestLink’ is too new; please delete it or upgrade Nix\n";
|
2011-04-11 01:22:46 +02:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
# Removed cached information for removed manifests from the DB.
|
|
|
|
|
|
foreach my $manifest (@{$dbh->selectcol_arrayref("select path from Manifests")}) {
|
|
|
|
|
|
next if defined $seen{$manifest};
|
|
|
|
|
|
$dbh->do("delete from Manifests where path = ?", {}, $manifest);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
$dbh->commit;
|
|
|
|
|
|
|
2011-04-11 14:40:13 +02:00
|
|
|
|
close MAINLOCK;
|
|
|
|
|
|
|
2011-04-11 01:22:46 +02:00
|
|
|
|
return $dbh;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
2012-09-13 17:35:46 +02:00
|
|
|
|
# Delete all old manifests downloaded from a given URL.
|
|
|
|
|
|
sub deleteOldManifests {
|
|
|
|
|
|
my ($url, $curUrlFile) = @_;
|
|
|
|
|
|
for my $urlFile (glob "$Nix::Config::manifestDir/*.url") {
|
|
|
|
|
|
next if defined $curUrlFile && $urlFile eq $curUrlFile;
|
|
|
|
|
|
open URL, "<$urlFile" or die;
|
|
|
|
|
|
my $url2 = <URL>;
|
|
|
|
|
|
chomp $url2;
|
|
|
|
|
|
close URL;
|
|
|
|
|
|
next unless $url eq $url2;
|
|
|
|
|
|
my $base = $urlFile; $base =~ s/.url$//;
|
|
|
|
|
|
unlink "${base}.url";
|
|
|
|
|
|
unlink "${base}.nixmanifest";
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
2015-02-04 17:59:31 +01:00
|
|
|
|
# Return a fingerprint of a store path to be used in binary cache
|
|
|
|
|
|
# signatures. It contains the store path, the SHA-256 hash of the
|
|
|
|
|
|
# contents of the path, and the references.
|
|
|
|
|
|
sub fingerprintPath {
|
2015-02-17 13:16:58 +01:00
|
|
|
|
my ($storePath, $narHash, $narSize, $references) = @_;
|
2015-02-04 17:59:31 +01:00
|
|
|
|
die if substr($storePath, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
|
|
|
|
|
|
die if substr($narHash, 0, 7) ne "sha256:";
|
|
|
|
|
|
die if length($narHash) != 59;
|
|
|
|
|
|
foreach my $ref (@{$references}) {
|
|
|
|
|
|
die if substr($ref, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
|
|
|
|
|
|
}
|
2015-02-17 13:16:58 +01:00
|
|
|
|
return "1;" . $storePath . ";" . $narHash . ";" . $narSize . ";" . join(",", @{$references});
|
2015-02-04 17:59:31 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
2012-10-17 22:45:04 +02:00
|
|
|
|
# Parse a NAR info file.
|
|
|
|
|
|
sub parseNARInfo {
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
my ($storePath, $content, $requireValidSig, $location) = @_;
|
2012-10-17 22:45:04 +02:00
|
|
|
|
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
my ($storePath2, $url, $fileHash, $fileSize, $narHash, $narSize, $deriver, $system, $sig);
|
2012-10-17 22:45:04 +02:00
|
|
|
|
my $compression = "bzip2";
|
|
|
|
|
|
my @refs;
|
|
|
|
|
|
|
|
|
|
|
|
foreach my $line (split "\n", $content) {
|
|
|
|
|
|
return undef unless $line =~ /^(.*): (.*)$/;
|
|
|
|
|
|
if ($1 eq "StorePath") { $storePath2 = $2; }
|
|
|
|
|
|
elsif ($1 eq "URL") { $url = $2; }
|
|
|
|
|
|
elsif ($1 eq "Compression") { $compression = $2; }
|
|
|
|
|
|
elsif ($1 eq "FileHash") { $fileHash = $2; }
|
|
|
|
|
|
elsif ($1 eq "FileSize") { $fileSize = int($2); }
|
|
|
|
|
|
elsif ($1 eq "NarHash") { $narHash = $2; }
|
|
|
|
|
|
elsif ($1 eq "NarSize") { $narSize = int($2); }
|
|
|
|
|
|
elsif ($1 eq "References") { @refs = split / /, $2; }
|
|
|
|
|
|
elsif ($1 eq "Deriver") { $deriver = $2; }
|
|
|
|
|
|
elsif ($1 eq "System") { $system = $2; }
|
2015-02-04 17:59:31 +01:00
|
|
|
|
elsif ($1 eq "Sig") { $sig = $2; }
|
2012-10-17 22:45:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return undef if $storePath ne $storePath2 || !defined $url || !defined $narHash;
|
|
|
|
|
|
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
my $res =
|
2012-10-17 22:45:04 +02:00
|
|
|
|
{ url => $url
|
|
|
|
|
|
, compression => $compression
|
|
|
|
|
|
, fileHash => $fileHash
|
|
|
|
|
|
, fileSize => $fileSize
|
|
|
|
|
|
, narHash => $narHash
|
|
|
|
|
|
, narSize => $narSize
|
|
|
|
|
|
, refs => [ @refs ]
|
|
|
|
|
|
, deriver => $deriver
|
|
|
|
|
|
, system => $system
|
|
|
|
|
|
};
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
|
|
|
|
|
|
if ($requireValidSig) {
|
2015-02-04 17:59:31 +01:00
|
|
|
|
# FIXME: might be useful to support multiple signatures per .narinfo.
|
|
|
|
|
|
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
if (!defined $sig) {
|
2014-08-20 17:00:17 +02:00
|
|
|
|
warn "NAR info file ‘$location’ lacks a signature; ignoring\n";
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
return undef;
|
|
|
|
|
|
}
|
2015-02-04 17:59:31 +01:00
|
|
|
|
my ($keyName, $sig64) = split ":", $sig;
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
return undef unless defined $keyName && defined $sig64;
|
2015-02-04 16:43:32 +01:00
|
|
|
|
|
|
|
|
|
|
my $publicKey = $Nix::Config::binaryCachePublicKeys{$keyName};
|
|
|
|
|
|
if (!defined $publicKey) {
|
2014-08-20 17:00:17 +02:00
|
|
|
|
warn "NAR info file ‘$location’ is signed by unknown key ‘$keyName’; ignoring\n";
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
return undef;
|
|
|
|
|
|
}
|
2015-02-04 16:43:32 +01:00
|
|
|
|
|
2015-06-03 15:19:32 +02:00
|
|
|
|
my $fingerprint;
|
|
|
|
|
|
eval {
|
|
|
|
|
|
$fingerprint = fingerprintPath(
|
|
|
|
|
|
$storePath, $narHash, $narSize,
|
|
|
|
|
|
[ map { "$Nix::Config::storeDir/$_" } @refs ]);
|
|
|
|
|
|
};
|
|
|
|
|
|
if ($@) {
|
|
|
|
|
|
warn "cannot compute fingerprint of ‘$location’; ignoring\n";
|
|
|
|
|
|
return undef;
|
|
|
|
|
|
}
|
2015-02-04 17:59:31 +01:00
|
|
|
|
|
|
|
|
|
|
if (!checkSignature($publicKey, decode_base64($sig64), $fingerprint)) {
|
2015-02-04 16:43:32 +01:00
|
|
|
|
warn "NAR info file ‘$location’ has an incorrect signature; ignoring\n";
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
return undef;
|
|
|
|
|
|
}
|
2015-02-04 17:59:31 +01:00
|
|
|
|
|
Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.
To create a private/public key pair for signing and verifying a binary
cache, do:
$ openssl genrsa -out ./cache-key.sec 2048
$ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub
You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)
To create a binary cache signed with the private key:
$ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1
The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:
signed-binary-caches = *
binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub
If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:
*** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...
On the other hand, if the signature is wrong, you get a message like
NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring
Signatures are implemented as a single line appended to the NAR info
file, which looks like this:
Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==
Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.
Issue #75.
2014-01-08 15:23:41 +01:00
|
|
|
|
$res->{signedBy} = $keyName;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return $res;
|
2012-10-17 22:45:04 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
2003-12-05 12:25:38 +01:00
|
|
|
|
return 1;
|