Sign the derivation outputs #4618

Merged: edolstra merged 4 commits into master from ca/sign-drvoutputs on Mar 15, 2021


@thufschmitt (Member)

Add a signature field to the derivation outputs, and sign them (the same way we sign path-infos/nars).

Fix #4248

@thufschmitt added this to the ca-derivations-mvp milestone Mar 8, 2021
@thufschmitt added the ca-derivations (Derivations with content addressed outputs) and feature (Feature request or proposal) labels Mar 8, 2021
@thufschmitt requested a review from edolstra March 8, 2021 16:41
@Ericson2314 (Member) left a comment

Did just a quick read through, but looks good.

Not exposed anywhere, but built realisations are now signed (and this
should be forwarded when copying them around)

I guess the rationale behind the old name was that
`pathInfoIsTrusted(info)` returns `true` iff we would need to `blindly`
trust the path (because it has no valid signature and `requireSigs` is
set), but I find it to be a really confusing footgun because it's quite
natural to give it the opposite meaning.

Don't let them inherit the signature from the parent one (because it
makes no sense to do so), but re-sign them after they have been built
@edolstra merged commit a5e21aa into master Mar 15, 2021
@edolstra deleted the ca/sign-drvoutputs branch March 15, 2021 15:35
@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update-9/12357/1

Successfully merging this pull request may close these issues.

Add a signature to the output mappings for ca derivations
