Re-implement binary cache signature checking

This is now done in LocalStore::addToStore(), rather than in the
binary cache substituter (which no longer exists).

src/libstore/local-store.cc

@@ -58,6 +58,8 @@ LocalStore::LocalStore()
     : linksDir(settings.nixStore + "/.links")
     , reservedPath(settings.nixDBPath + "/reserved")
     , schemaPath(settings.nixDBPath + "/schema")
+    , requireSigs(settings.get("signed-binary-caches", std::string("")) != "") // FIXME: rename option
+    , publicKeys(getDefaultPublicKeys())
 {
     auto state(_state.lock());
 
@@ -909,6 +911,9 @@ void LocalStore::addToStore(const ValidPathInfo & info, const std::string & nar,
         throw Error(format("hash mismatch importing path ‘%s’; expected hash ‘%s’, got ‘%s’") %
             info.path % info.narHash.to_string() % h.to_string());
 
+    if (requireSigs && !info.checkSignatures(publicKeys))
+        throw Error(format("cannot import path ‘%s’ because it lacks a valid signature") % info.path);
+
     addTempRoot(info.path);
 
     if (repair || !isValidPath(info.path)) {

src/libstore/local-store.hh

@@ -77,6 +77,10 @@ private:
     const Path reservedPath;
     const Path schemaPath;
 
+    bool requireSigs;
+
+    PublicKeys publicKeys;
+
 public:
 
     /* Initialise the local store, upgrading the schema if

tests/binary-cache.sh

@@ -85,7 +85,7 @@ clearStore
 rm $(grep -l "StorePath:.*dependencies-input-2" $cacheDir/*.narinfo)
 
 nix-build --option binary-caches "file://$cacheDir" dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log
-grep -q "Downloading" $TEST_ROOT/log
+grep -q "fetching path" $TEST_ROOT/log
 
 
 if [ -n "$HAVE_SODIUM" ]; then