nix sign-paths: Support binary caches

2017-11-14 18:44:05 +01:00 · 2017-11-14 18:44:05 +01:00 · ec5b04862b
commit ec5b04862b
parent d6dbda7004
3 changed files with 43 additions and 15 deletions
--- a/src/libstore/binary-cache-store.cc
+++ b/src/libstore/binary-cache-store.cc
@ -73,6 +73,23 @@ Path BinaryCacheStore::narInfoFileFor(const Path & storePath)
    return storePathToHash(storePath) + ".narinfo";
 }

+void BinaryCacheStore::writeNarInfo(ref<NarInfo> narInfo)
+{
+    auto narInfoFile = narInfoFileFor(narInfo->path);
+
+    upsertFile(narInfoFile, narInfo->to_string(), "text/x-nix-narinfo");
+
+    auto hashPart = storePathToHash(narInfo->path);
+
+    {
+        auto state_(state.lock());
+        state_->pathInfoCache.upsert(hashPart, std::shared_ptr<NarInfo>(narInfo));
+    }
+
+    if (diskCache)
+        diskCache->upsertNarInfo(getUri(), hashPart, std::shared_ptr<NarInfo>(narInfo));
+}
+
 void BinaryCacheStore::addToStore(const ValidPathInfo & info, const ref<std::string> & nar,
    RepairFlag repair, CheckSigsFlag checkSigs, std::shared_ptr<FSAccessor> accessor)
 {
@ -89,8 +106,6 @@ void BinaryCacheStore::addToStore(const ValidPathInfo & info, const ref<std::str
                % info.path % ref);
        }

-    auto narInfoFile = narInfoFileFor(info.path);
-
    assert(nar->compare(0, narMagic.size(), narMagic) == 0);

    auto narInfo = make_ref<NarInfo>(info);
@ -168,17 +183,7 @@ void BinaryCacheStore::addToStore(const ValidPathInfo & info, const ref<std::str
    /* Atomically write the NAR info file.*/
    if (secretKey) narInfo->sign(*secretKey);

-    upsertFile(narInfoFile, narInfo->to_string(), "text/x-nix-narinfo");
-
-    auto hashPart = storePathToHash(narInfo->path);
-
-    {
-        auto state_(state.lock());
-        state_->pathInfoCache.upsert(hashPart, std::shared_ptr<NarInfo>(narInfo));
-    }
-
-    if (diskCache)
-        diskCache->upsertNarInfo(getUri(), hashPart, std::shared_ptr<NarInfo>(narInfo));
+    writeNarInfo(narInfo);

    stats.narInfoWrite++;
 }
@ -293,6 +298,22 @@ ref<FSAccessor> BinaryCacheStore::getFSAccessor()
    return make_ref<RemoteFSAccessor>(ref<Store>(shared_from_this()), localNarCache);
 }

+void BinaryCacheStore::addSignatures(const Path & storePath, const StringSet & sigs)
+{
+    /* Note: this is inherently racy since there is no locking on
+       binary caches. In particular, with S3 this unreliable, even
+       when addSignatures() is called sequentially on a path, because
+       S3 might return an outdated cached version. */
+
+    auto narInfo = make_ref<NarInfo>((NarInfo &) *queryPathInfo(storePath));
+
+    narInfo->sigs.insert(sigs.begin(), sigs.end());
+
+    auto narInfoFile = narInfoFileFor(narInfo->path);
+
+    writeNarInfo(narInfo);
+}
+
 std::shared_ptr<std::string> BinaryCacheStore::getBuildLog(const Path & path)
 {
    Path drvPath;
--- a/src/libstore/binary-cache-store.hh
+++ b/src/libstore/binary-cache-store.hh
@ -59,6 +59,8 @@ private:

    std::string narInfoFileFor(const Path & storePath);

+    void writeNarInfo(ref<NarInfo> narInfo);
+
 public:

    bool isValidPathUncached(const Path & path) override;
@ -119,8 +121,7 @@ public:

    ref<FSAccessor> getFSAccessor() override;

-    void addSignatures(const Path & storePath, const StringSet & sigs) override
-    { unsupported(); }
+    void addSignatures(const Path & storePath, const StringSet & sigs) override;

    std::shared_ptr<std::string> getBuildLog(const Path & path) override;

--- a/tests/signing.sh
+++ b/tests/signing.sh
@ -60,3 +60,9 @@ info=$(nix path-info --store file://$cacheDir --json $outPath2)
 (! [[ $info =~ '"ultimate":true' ]])
 [[ $info =~ 'cache1.example.org' ]]
 (! [[ $info =~ 'cache2.example.org' ]])
+
+# Verify that adding a signature to a path in a binary cache works.
+nix sign-paths --store file://$cacheDir --key-file $TEST_ROOT/sk2 $outPath2
+info=$(nix path-info --store file://$cacheDir --json $outPath2)
+[[ $info =~ 'cache1.example.org' ]]
+[[ $info =~ 'cache2.example.org' ]]