Allow to sign path as unprivileged user

User can now sign path as unprivileged/allowed user refs #1708
2023-06-27 12:01:08 +02:00 · 2023-06-27 12:01:08 +02:00 · 80c9259756
parent 8e770dac9f
commit 80c9259756
3 changed files with 18 additions and 2 deletions
--- a/doc/manual/src/release-notes/rl-next.md
+++ b/doc/manual/src/release-notes/rl-next.md
@ -1,3 +1,6 @@
 # Release X.Y (202?-??-??)

 - [`nix-channel`](../command-ref/nix-channel.md) now supports a `--list-generations` subcommand
+
+- Nix now allows unprivileged/[`allowed-users`](../command-ref/conf-file.md#conf-allowed-users) to sign paths.
+  Previously, only [`trusted-users`](../command-ref/conf-file.md#conf-trusted-users) users could sign paths.
--- a/src/libstore/daemon.cc
+++ b/src/libstore/daemon.cc
@ -864,8 +864,6 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
        auto path = store->parseStorePath(readString(from));
        StringSet sigs = readStrings<StringSet>(from);
        logger->startWork();
-        if (!trusted)
-            throw Error("you are not privileged to add signatures");
        store->addSignatures(path, sigs);
        logger->stopWork();
        to << 1;
--- a/tests/nixos/authorization.nix
+++ b/tests/nixos/authorization.nix
@ -75,5 +75,20 @@
      su --login bob -c '(! nix-store --verify --repair 2>&1)' | tee diag 1>&2
      grep -F "you are not privileged to repair paths" diag
    """)
+
+    machine.succeed("""
+        set -x
+        su --login mallory -c '
+          nix-store --generate-binary-cache-key cache1.example.org sk1 pk1
+          (! nix store sign --key-file sk1 ${pathFour} 2>&1)' | tee diag 1>&2
+        grep -F "cannot open connection to remote store 'daemon'" diag
+    """)
+
+    machine.succeed("""
+        su --login bob -c '
+          nix-store --generate-binary-cache-key cache1.example.org sk1 pk1
+          nix store sign --key-file sk1 ${pathFour}
+        '
+    """)
  '';
 }