wroclaw-git-backups/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-07-07 01:51:47 +02:00
Code Activity

Let build.cc verify the expected hash of a substituter's output

Browse source 
Since SubstitutionGoal::finished() in build.cc computes the hash
anyway, we can prevent the inefficiency of computing the hash twice by
letting the substituter tell Nix about the expected hash, which can
then verify it.
This commit is contained in:
Eelco Dolstra 2012-07-27 12:16:02 -04:00
parent fbf59d95f6
commit 73acb8b836
5 changed files with 43 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

11
scripts/download-from-binary-cache.pl.in
View file

@ -432,13 +432,10 @@ sub downloadBinary {
die "download of `$info->{url}' failed" . ($! ? ": $!" : "") . "\n" unless $? == 0;
next;
}
# The hash in the manifest can be either in base-16 or
# base-32. Handle both.
$info->{narHash} =~ /^sha256:(.*)$/ or die "invalid hash";
my $hash = $1;
my $hash2 = hashPath("sha256", 1, $storePath);
die "hash mismatch in downloaded path $storePath; expected $hash, got $hash2\n"
if $hash ne $hash2;
# Tell Nix about the expected hash so it can verify it.
print "$info->{narHash}\n";
print STDERR "\n";
return 1;
}