Add "nix verify-paths" command

Unlike "nix-store --verify-path", this command verifies signatures in addition to store path contents, is multi-threaded (especially useful when verifying binary caches), and has a progress indicator. Example use: $ nix verify-paths --store https://cache.nixos.org -r $(type -p thunderbird) ... [17/132 checked] checking ‘/nix/store/rawakphadqrqxr6zri2rmnxh03gqkrl3-autogen-5.18.6’
2025-06-29 06:21:14 +02:00 · 2016-03-29 14:29:50 +02:00 · 2016-03-29 14:29:50 +02:00 · 784ee35c80
commit 784ee35c80
parent 0ebe69dc67
11 changed files with 432 additions and 2 deletions
--- a/src/libstore/crypto.cc
+++ b/src/libstore/crypto.cc
@ -1,5 +1,6 @@
 #include "crypto.hh"
 #include "util.hh"
+#include "globals.hh"

 #if HAVE_SODIUM
 #include <sodium.h>
@ -98,4 +99,15 @@ bool verifyDetached(const std::string & data, const std::string & sig,
 #endif
 }

+PublicKeys getDefaultPublicKeys()
+{
+    PublicKeys publicKeys;
+    for (auto s : settings.get("binary-cache-public-keys", Strings())) {
+        PublicKey key(s);
+        publicKeys.emplace(key.name, key);
+        // FIXME: filter duplicates
+    }
+    return publicKeys;
+}
+
 }