mirror of
https://github.com/privatevoid-net/nix-super.git
synced 2024-11-14 10:16:15 +02:00
Allow to sign path as unprivileged user
User can now sign path as unprivileged/allowed user refs #1708
This commit is contained in:
parent
8e770dac9f
commit
80c9259756
3 changed files with 18 additions and 2 deletions
|
@ -1,3 +1,6 @@
|
||||||
# Release X.Y (202?-??-??)
|
# Release X.Y (202?-??-??)
|
||||||
|
|
||||||
- [`nix-channel`](../command-ref/nix-channel.md) now supports a `--list-generations` subcommand
|
- [`nix-channel`](../command-ref/nix-channel.md) now supports a `--list-generations` subcommand
|
||||||
|
|
||||||
|
- Nix now allows unprivileged/[`allowed-users`](../command-ref/conf-file.md#conf-allowed-users) to sign paths.
|
||||||
|
Previously, only [`trusted-users`](../command-ref/conf-file.md#conf-trusted-users) users could sign paths.
|
||||||
|
|
|
@ -864,8 +864,6 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
|
||||||
auto path = store->parseStorePath(readString(from));
|
auto path = store->parseStorePath(readString(from));
|
||||||
StringSet sigs = readStrings<StringSet>(from);
|
StringSet sigs = readStrings<StringSet>(from);
|
||||||
logger->startWork();
|
logger->startWork();
|
||||||
if (!trusted)
|
|
||||||
throw Error("you are not privileged to add signatures");
|
|
||||||
store->addSignatures(path, sigs);
|
store->addSignatures(path, sigs);
|
||||||
logger->stopWork();
|
logger->stopWork();
|
||||||
to << 1;
|
to << 1;
|
||||||
|
|
|
@ -75,5 +75,20 @@
|
||||||
su --login bob -c '(! nix-store --verify --repair 2>&1)' | tee diag 1>&2
|
su --login bob -c '(! nix-store --verify --repair 2>&1)' | tee diag 1>&2
|
||||||
grep -F "you are not privileged to repair paths" diag
|
grep -F "you are not privileged to repair paths" diag
|
||||||
""")
|
""")
|
||||||
|
|
||||||
|
machine.succeed("""
|
||||||
|
set -x
|
||||||
|
su --login mallory -c '
|
||||||
|
nix-store --generate-binary-cache-key cache1.example.org sk1 pk1
|
||||||
|
(! nix store sign --key-file sk1 ${pathFour} 2>&1)' | tee diag 1>&2
|
||||||
|
grep -F "cannot open connection to remote store 'daemon'" diag
|
||||||
|
""")
|
||||||
|
|
||||||
|
machine.succeed("""
|
||||||
|
su --login bob -c '
|
||||||
|
nix-store --generate-binary-cache-key cache1.example.org sk1 pk1
|
||||||
|
nix store sign --key-file sk1 ${pathFour}
|
||||||
|
'
|
||||||
|
""")
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue