* Don't check the signature unless we have to.

src/libstore/local-store.cc

@@ -840,27 +840,29 @@ Path LocalStore::importPath(bool requireSignature, Source & source)
     if (haveSignature) {
         string signature = readString(hashAndReadSource);
 
-        Path sigFile = tmpDir + "/sig";
+        if (requireSignature) {
-        writeStringToFile(sigFile, signature);
+            Path sigFile = tmpDir + "/sig";
+            writeStringToFile(sigFile, signature);
 
-        Strings args;
+            Strings args;
-        args.push_back("rsautl");
+            args.push_back("rsautl");
-        args.push_back("-verify");
+            args.push_back("-verify");
-        args.push_back("-inkey");
+            args.push_back("-inkey");
-        args.push_back(nixConfDir + "/signing-key.pub");
+            args.push_back(nixConfDir + "/signing-key.pub");
-        args.push_back("-pubin");
+            args.push_back("-pubin");
-        args.push_back("-in");
+            args.push_back("-in");
-        args.push_back(sigFile);
+            args.push_back(sigFile);
-        string hash2 = runProgram("openssl", true, args);
+            string hash2 = runProgram("openssl", true, args);
 
-        /* Note: runProgram() throws an exception if the signature is
+            /* Note: runProgram() throws an exception if the signature
-           invalid. */
+               is invalid. */
 
-        if (printHash(hash) != hash2)
+            if (printHash(hash) != hash2)
-            throw Error(
+                throw Error(
-                "signed hash doesn't match actual contents of imported "
+                    "signed hash doesn't match actual contents of imported "
-                "archive; archive could be corrupt, or someone is trying "
+                    "archive; archive could be corrupt, or someone is trying "
-                "to import a Trojan horse");
+                    "to import a Trojan horse");
+        }
     }
 
     /* Do the actual import. */