max/nix-super
1
0
Fork 0
mirror of https://github.com/privatevoid-net/nix-super.git synced 2024-09-21 08:58:04 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions
nix-super/src/nix/verify.cc
Eelco Dolstra 39a6abc0bc nix verify: Support checking against signatures in other stores 
Typical usage is to check local paths using the signatures from a
binary cache:

  $ nix verify-paths -r /run/current-system -s https://cache.nixos.org
  path ‘/nix/store/c1k4zqfb74wba5sn4yflb044gvap0x6k-nixos-system-mandark-16.03.git.fc2d7a5M’ is untrusted
  ...
  checked 844 paths, 119 untrusted
2016-03-30 11:39:34 +02:00

196 lines
5.3 KiB
C++
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#include "affinity.hh" // FIXME
#include "command.hh"
#include "progress-bar.hh"
#include "shared.hh"
#include "store-api.hh"
#include "sync.hh"
#include "thread-pool.hh"
#include <atomic>
using namespace nix;
struct MixVerify : virtual Args
{
bool noContents = false;
bool noSigs = false;
Strings substituterUris;
MixVerify()
{
mkFlag(0, "no-contents", "do not verify the contents of each store path", &noContents);
mkFlag(0, "no-sigs", "do not verify whether each store path has a valid signature", &noSigs);
mkFlag('s', "substituter", {"store-uri"}, "use signatures from specified store", 1,
[&](Strings ss) { substituterUris.push_back(ss.front()); });
}
void verifyPaths(ref<Store> store, const Paths & storePaths)
{
restoreAffinity(); // FIXME
std::vector<ref<Store>> substituters;
for (auto & s : substituterUris)
substituters.push_back(openStoreAt(s));
auto publicKeys = getDefaultPublicKeys();
std::atomic<size_t> untrusted{0};
std::atomic<size_t> corrupted{0};
std::atomic<size_t> done{0};
std::atomic<size_t> failed{0};
ProgressBar progressBar;
auto showProgress = [&](bool final) {
std::string s;
if (final)
s = (format("checked %d paths") % storePaths.size()).str();
else
s = (format("[%d/%d checked") % done % storePaths.size()).str();
if (corrupted > 0)
s += (format(", %d corrupted") % corrupted).str();
if (untrusted > 0)
s += (format(", %d untrusted") % untrusted).str();
if (failed > 0)
s += (format(", %d failed") % failed).str();
if (!final) s += "]";
return s;
};
progressBar.updateStatus(showProgress(false));
ThreadPool pool;
auto doPath = [&](const Path & storePath) {
try {
checkInterrupt();
auto activity(progressBar.startActivity(format("checking %s") % storePath));
auto info = store->queryPathInfo(storePath);
if (!noContents) {
HashSink sink(info.narHash.type);
store->narFromPath(storePath, sink);
auto hash = sink.finish();
if (hash.first != info.narHash) {
corrupted = 1;
printMsg(lvlError,
format("path %s was modified! expected hash %s, got %s")
% storePath % printHash(info.narHash) % printHash(hash.first));
}
}
if (!noSigs) {
bool good = false;
if (info.ultimate)
good = true;
if (!good && info.checkSignatures(publicKeys))
good = true;
if (!good) {
for (auto & store2 : substituters) {
// FIXME: catch errors?
if (!store2->isValidPath(storePath)) continue;
auto info2 = store2->queryPathInfo(storePath);
auto info3(info);
info3.sigs = info2.sigs;
if (info3.checkSignatures(publicKeys)) {
good = true;
break;
}
}
}
if (!good) {
untrusted++;
printMsg(lvlError, format("path %s is untrusted") % storePath);
}
}
done++;
progressBar.updateStatus(showProgress(false));
} catch (Error & e) {
printMsg(lvlError, format(ANSI_RED "error:" ANSI_NORMAL " %s") % e.what());
failed++;
}
};
for (auto & storePath : storePaths)
pool.enqueue(std::bind(doPath, storePath));
pool.process();
progressBar.done();
printMsg(lvlInfo, showProgress(true));
throw Exit(
(corrupted ? 1 : 0) |
(untrusted ? 2 : 0) |
(failed ? 4 : 0));
}
};
struct CmdVerifyPaths : StorePathsCommand, MixVerify
{
CmdVerifyPaths()
{
}
std::string name() override
{
return "verify-paths";
}
std::string description() override
{
return "verify the integrity of store paths";
}
void run(ref<Store> store, Paths storePaths) override
{
verifyPaths(store, storePaths);
}
};
static RegisterCommand r1(make_ref<CmdVerifyPaths>());
struct CmdVerifyStore : StoreCommand, MixVerify
{
CmdVerifyStore()
{
}
std::string name() override
{
return "verify-store";
}
std::string description() override
{
return "verify the integrity of all paths in the Nix store";
}
void run(ref<Store> store) override
{
// FIXME: use store->verifyStore()?
PathSet validPaths = store->queryAllValidPaths();
verifyPaths(store, Paths(validPaths.begin(), validPaths.end()));
}
};
static RegisterCommand r2(make_ref<CmdVerifyStore>());
Reference in a new issue View git blame Copy permalink