mirror of
https://github.com/privatevoid-net/nix-super.git
synced 2024-11-10 08:16:15 +02:00
* Check that the file containing the secret key is secret.
This commit is contained in:
parent
bdadb98de8
commit
65f195f4c7
1 changed files with 14 additions and 1 deletions
|
@ -718,6 +718,16 @@ struct HashAndWriteSink : Sink
|
||||||
#define EXPORT_MAGIC 0x4558494e
|
#define EXPORT_MAGIC 0x4558494e
|
||||||
|
|
||||||
|
|
||||||
|
static void checkSecrecy(const Path & path)
|
||||||
|
{
|
||||||
|
struct stat st;
|
||||||
|
if (stat(path.c_str(), &st))
|
||||||
|
throw SysError(format("getting status of `%1%'") % path);
|
||||||
|
if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
|
||||||
|
throw Error(format("file `%1%' should be secret (inaccessible to everybody else)!") % path);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
void LocalStore::exportPath(const Path & path, bool sign,
|
void LocalStore::exportPath(const Path & path, bool sign,
|
||||||
Sink & sink)
|
Sink & sink)
|
||||||
{
|
{
|
||||||
|
@ -756,11 +766,14 @@ void LocalStore::exportPath(const Path & path, bool sign,
|
||||||
Path hashFile = tmpDir + "/hash";
|
Path hashFile = tmpDir + "/hash";
|
||||||
writeStringToFile(hashFile, printHash(hash));
|
writeStringToFile(hashFile, printHash(hash));
|
||||||
|
|
||||||
|
Path secretKey = nixConfDir + "/signing-key.sec";
|
||||||
|
checkSecrecy(secretKey);
|
||||||
|
|
||||||
Strings args;
|
Strings args;
|
||||||
args.push_back("rsautl");
|
args.push_back("rsautl");
|
||||||
args.push_back("-sign");
|
args.push_back("-sign");
|
||||||
args.push_back("-inkey");
|
args.push_back("-inkey");
|
||||||
args.push_back(nixConfDir + "/signing-key.sec");
|
args.push_back(secretKey);
|
||||||
args.push_back("-in");
|
args.push_back("-in");
|
||||||
args.push_back(hashFile);
|
args.push_back(hashFile);
|
||||||
string signature = runProgram("openssl", true, args);
|
string signature = runProgram("openssl", true, args);
|
||||||
|
|
Loading…
Reference in a new issue