source common.sh requireGit [[ $(type -p ssh-keygen) ]] || skipTest "ssh-keygen not installed" # require ssh-keygen enableFeatures "verified-fetches" clearStore repo="$TEST_ROOT/git" # generate signing keys keysDir=$TEST_ROOT/.ssh mkdir -p "$keysDir" ssh-keygen -f "$keysDir/testkey1" -t ed25519 -P "" -C "test key 1" key1File="$keysDir/testkey1.pub" publicKey1=$(awk '{print $2}' "$key1File") ssh-keygen -f "$keysDir/testkey2" -t rsa -P "" -C "test key 2" key2File="$keysDir/testkey2.pub" publicKey2=$(awk '{print $2}' "$key2File") git init $repo git -C $repo config user.email "foobar@example.com" git -C $repo config user.name "Foobar" git -C $repo config gpg.format ssh echo 'hello' > $repo/text git -C $repo add text git -C $repo -c "user.signingkey=$key1File" commit -S -m 'initial commit' out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = \"file://$repo\"; keytype = \"ssh-rsa\"; publicKey = \"$publicKey2\"; }" 2>&1) || status=$? [[ $status == 1 ]] [[ $out =~ 'No principal matched.' ]] [[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKey = \"$publicKey1\"; } + \"/text\")") = 'hello' ]] echo 'hello world' > $repo/text # Verification on a dirty repo should fail. out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = \"file://$repo\"; keytype = \"ssh-rsa\"; publicKey = \"$publicKey2\"; }" 2>&1) || status=$? [[ $status == 1 ]] [[ $out =~ 'dirty' ]] git -C $repo add text git -C $repo -c "user.signingkey=$key2File" commit -S -m 'second commit' [[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKeys = [{key = \"$publicKey1\";} {type = \"ssh-rsa\"; key = \"$publicKey2\";}]; } + \"/text\")") = 'hello world' ]] # Flake input test flakeDir="$TEST_ROOT/flake" mkdir -p "$flakeDir" cat > "$flakeDir/flake.nix" < "$flakeDir/flake.nix" <&1) || status=$? [[ $status == 1 ]] [[ $out =~ 'No principal matched.' ]]