Let build.cc verify the expected hash of a substituter's output

Since SubstitutionGoal::finished() in build.cc computes the hash anyway, we can prevent the inefficiency of computing the hash twice by letting the substituter tell Nix about the expected hash, which can then verify it.
2025-07-06 21:41:48 +02:00 · 2012-07-27 12:16:02 -04:00 · 2012-07-27 12:16:02 -04:00 · 73acb8b836
commit 73acb8b836
parent fbf59d95f6
5 changed files with 43 additions and 26 deletions
--- a/scripts/copy-from-other-stores.pl.in
+++ b/scripts/copy-from-other-stores.pl.in
@ -52,7 +52,7 @@ if ($ARGV[0] eq "--query") {
                next unless defined $store;

                $ENV{"NIX_DB_DIR"} = "$store/var/nix/db";
-            
+
                my $deriver = `@bindir@/nix-store --query --deriver $storePath`;
                die "cannot query deriver of `$storePath'" if $? != 0;
                chomp $deriver;
@ -87,9 +87,10 @@ elsif ($ARGV[0] eq "--substitute") {
    my $storePath = $ARGV[1];
    my ($store, $sourcePath) = findStorePath $storePath;
    die unless $store;
-    print "\n*** Copying `$storePath' from `$sourcePath'\n\n";
+    print STDERR "\n*** Copying `$storePath' from `$sourcePath'\n\n";
    system("$binDir/nix-store --dump $sourcePath | $binDir/nix-store --restore $storePath") == 0
        or die "cannot copy `$sourcePath' to `$storePath'";
+    print "\n"; # no hash to verify
 }


--- a/scripts/download-from-binary-cache.pl.in
+++ b/scripts/download-from-binary-cache.pl.in
@ -432,13 +432,10 @@ sub downloadBinary {
            die "download of `$info->{url}' failed" . ($! ? ": $!" : "") . "\n" unless $? == 0;
            next;
        }
-        # The hash in the manifest can be either in base-16 or
-        # base-32.  Handle both.
-        $info->{narHash} =~ /^sha256:(.*)$/ or die "invalid hash";
-        my $hash = $1;
-        my $hash2 = hashPath("sha256", 1, $storePath);
-        die "hash mismatch in downloaded path ‘$storePath’; expected $hash, got $hash2\n"
-            if $hash ne $hash2;
+
+        # Tell Nix about the expected hash so it can verify it.
+        print "$info->{narHash}\n";
+
        print STDERR "\n";
        return 1;
    }
--- a/scripts/download-using-manifests.pl.in
+++ b/scripts/download-using-manifests.pl.in
@ -353,19 +353,10 @@ while (scalar @path > 0) {
 }


-# Make sure that the hash declared in the manifest matches what we
-# downloaded and unpacked.
+# Tell Nix about the expected hash so it can verify it.
 die "cannot check integrity of the downloaded path since its hash is not known\n"
    unless defined $finalNarHash;
-
-my ($hashAlgo, $hash) = parseHash $finalNarHash;
-
-# The hash in the manifest can be either in base-16 or base-32.
-# Handle both.
-my $hash2 = hashPath($hashAlgo, $hashAlgo eq "sha256" && length($hash) != 64, $targetPath);
-
-die "hash mismatch in downloaded path $targetPath; expected $hash, got $hash2\n"
-    if $hash ne $hash2;
+print "$finalNarHash\n";


 print STDERR "\n";