Properly sign the unresolved drvs
Don't let them inherit the signature from the parent one (because it makes no sense to do so), but re-sign them after they have been built
parent
54ced9072b
commit
703c98c6cb
4 changed files with 13 additions and 1 deletions
|
@ -925,6 +925,8 @@ void DerivationGoal::resolvedFinished() {
|
|||
if (realisation) {
|
||||
auto newRealisation = *realisation;
|
||||
newRealisation.id = DrvOutput{initialOutputs.at(wantedOutput).outputHash, wantedOutput};
|
||||
newRealisation.signatures.clear();
|
||||
signRealisation(newRealisation);
|
||||
worker.store.registerDrvOutput(newRealisation);
|
||||
} else {
|
||||
// If we don't have a realisation, then it must mean that something
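Review bot: The added `newRealisation.signatures.clear();` in resolvedFinished() carries no comment explaining why the copied signatures must be dropped, and the reason is security-relevant. The copy was signed as the resolved derivation's realisation and its `id` is rewritten on the line above, so the old signatures presumably no longer correspond to what is registered. I would add `// Signatures were made over the resolved drv's id; drop them before re-signing under the new id.` above the call. Also note that the base `signRealisation` introduced in this commit has an empty body, so a goal that is not a LocalDerivationGoal registers the realisation with no signatures at all; if that is intended, it deserves a sentence here. The function body continues outside the hunk.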
|
||||
|
|
|
@ -180,6 +180,9 @@ struct DerivationGoal : public Goal
|
|||
/* Open a log file and a pipe to it. */
|
||||
Path openLogFile();
|
||||
|
||||
/* Sign the newly built realisation if the store allows it */
|
||||
virtual void signRealisation(Realisation&) {}
|
||||
|
||||
/* Close the log file. */
|
||||
void closeLogFile();
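Review bot: The comment on `signRealisation` says it signs "if the store allows it", but the default body `{}` does nothing and reports nothing. Any goal type that does not override it therefore passes an unsigned realisation to `registerDrvOutput` silently. The doc comment should state this, for example `/* Sign the newly built realisation. The base implementation is a no-op; LocalDerivationGoal overrides it to sign with the local store. */`. As a style point, the override declared elsewhere in this commit writes `Realisation &` with a space, so `Realisation&` here is inconsistent.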
|
||||
|
||||
|
|
|
@ -2620,12 +2620,17 @@ void LocalDerivationGoal::registerOutputs()
|
|||
.id = DrvOutput{initialOutputs.at(outputName).outputHash,
|
||||
outputName},
|
||||
.outPath = newInfo.path};
|
||||
getLocalStore().signRealisation(thisRealisation);
|
||||
signRealisation(thisRealisation);
|
||||
worker.store.registerDrvOutput(thisRealisation);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void LocalDerivationGoal::signRealisation(Realisation & realisation)
|
||||
{
|
||||
getLocalStore().signRealisation(realisation);
|
||||
}
|
||||
|
||||
|
||||
void LocalDerivationGoal::checkOutputs(const std::map<Path, ValidPathInfo> & outputs)
|
||||
{
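Review bot: The new `LocalDerivationGoal::signRealisation` definition has no comment, although it is now the single point through which both registerOutputs() and, via virtual dispatch, the base class's resolvedFinished() obtain signatures. I would document it with `/* Sign with the local store; called for freshly built outputs and for realisations re-registered after resolution. */`. Whether `LocalStore::signRealisation` signs anything when no signing key is configured is not visible in this commit, so the comment should not promise that a signature is always added.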
|
||||
|
|
|
@ -161,6 +161,8 @@ struct LocalDerivationGoal : public DerivationGoal
|
|||
as valid. */
|
||||
void registerOutputs() override;
|
||||
|
||||
void signRealisation(Realisation &) override;
|
||||
|
||||
/* Check that an output meets the requirements specified by the
|
||||
'outputChecks' attribute (or the legacy
|
||||
'{allowed,disallowed}{References,Requisites}' attributes). */
|
||||
|
|