mirror of https://github.com/NixOS/nix synced 2025-06-24 22:11:15 +02:00
the-sun-will-rise-tomorrow 2025-06-13 05:04:45 +00:00 committed by GitHub
commit 1104380be0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -69,6 +69,13 @@ struct CmdVerify : StorePathsCommand
auto publicKeys = getDefaultPublicKeys();
if (publicKeys.empty()) {
printMsg(lvlChatty, "not using any public keys.");
} else {
for (auto & pk : publicKeys)
printMsg(lvlChatty, "using public key: %s:%s", pk.first, base64Encode(pk.second.key));
}
Activity act(*logger, actVerifyPaths);
std::atomic<size_t> done{0};
@ -119,10 +126,11 @@ struct CmdVerify : StorePathsCommand
bool good = false;
if (info->ultimate && !sigsNeeded)
if (info->ultimate && !sigsNeeded) {
printMsg(lvlChatty, "path is ultimately trusted");
good = true;
else {
} else {
StringSet sigsSeen;
size_t actualSigsNeeded = std::max(sigsNeeded, (size_t) 1);
@ -131,12 +139,24 @@ struct CmdVerify : StorePathsCommand
auto doSigs = [&](StringSet sigs) {
for (const auto & sig : sigs) {
if (!sigsSeen.insert(sig).second) continue;
if (validSigs < ValidPathInfo::maxSigs && info->checkSignature(*store, publicKeys, sig))
if (verbosity >= lvlChatty) {
auto ss = BorrowedCryptoValue::parse(sig);
printMsg(lvlChatty, "path is signed with key: %s", ss.name);
}
if (validSigs < ValidPathInfo::maxSigs && info->checkSignature(*store, publicKeys, sig)) {
validSigs++;
if (validSigs == actualSigsNeeded)
printMsg(lvlChatty, "path has sufficient signatures");
}
}
};
if (info->isContentAddressed(*store)) validSigs = ValidPathInfo::maxSigs;
if (info->isContentAddressed(*store)) {
printMsg(lvlChatty, "path is content-addressed");
validSigs = ValidPathInfo::maxSigs;
}
doSigs(info->sigs);
@ -144,7 +164,10 @@ struct CmdVerify : StorePathsCommand
if (validSigs >= actualSigsNeeded) break;
try {
auto info2 = store2->queryPathInfo(info->path);
if (info2->isContentAddressed(*store)) validSigs = ValidPathInfo::maxSigs;
if (info2->isContentAddressed(*store)) {
printMsg(lvlChatty, "path is content-addressed");
validSigs = ValidPathInfo::maxSigs;
}
doSigs(info2->sigs);
} catch (InvalidPath &) {
} catch (Error & e) {
@ -152,6 +175,11 @@ struct CmdVerify : StorePathsCommand
}
}
if (sigsSeen.size() == 0)
printMsg(lvlChatty, "path does not have any signatures");
if (validSigs == 0)
printMsg(lvlChatty, "path does not have any valid signatures");
if (validSigs >= actualSigsNeeded)
good = true;
}
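Review bot: In the `doSigs` lambda of the third hunk, "path is signed with key: %s" is printed before `info->checkSignature(...)` runs, and `ss.name` is parsed from the signature string itself. The message therefore appears for any signature whether or not it verifies, including when the `validSigs < ValidPathInfo::maxSigs` short-circuit skips the check after the content-addressed branch has set `validSigs`. Someone reading the chatty log could take a signature that merely names a trusted key as evidence that the key signed the path. I would phrase it as a claim, `printMsg(lvlChatty, "path has a signature claiming key: %s", ss.name);`, and report the verification result in the branch that increments `validSigs`. The name comes from store or substituter metadata, so it is also worth confirming that `printMsg` filters control characters before output reaches a terminal, which these hunks do not show; the enclosing function starts and ends outside them.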