Merge remote-tracking branch 'upstream/master' into trustless-remote-builder-simple

tests/binary-cache.sh

@@ -188,7 +188,7 @@ unset _NIX_FORCE_HTTP
 
 
 # Test 'nix verify --all' on a binary cache.
-nix verify -vvvvv --all --store file://$cacheDir --no-trust
+nix store verify -vvvvv --all --store file://$cacheDir --no-trust
 
 
 # Test local NAR caching.
@@ -196,13 +196,13 @@ narCache=$TEST_ROOT/nar-cache
 rm -rf $narCache
 mkdir $narCache
 
-[[ $(nix cat-store --store "file://$cacheDir?local-nar-cache=$narCache" $outPath/foobar) = FOOBAR ]]
+[[ $(nix store cat --store "file://$cacheDir?local-nar-cache=$narCache" $outPath/foobar) = FOOBAR ]]
 
 rm -rfv "$cacheDir/nar"
 
-[[ $(nix cat-store --store "file://$cacheDir?local-nar-cache=$narCache" $outPath/foobar) = FOOBAR ]]
+[[ $(nix store cat --store "file://$cacheDir?local-nar-cache=$narCache" $outPath/foobar) = FOOBAR ]]
 
-(! nix cat-store --store file://$cacheDir $outPath/foobar)
+(! nix store cat --store file://$cacheDir $outPath/foobar)
 
 
 # Test NAR listing generation.
@@ -239,3 +239,34 @@ nix copy --to "file://$cacheDir?index-debug-info=1&compression=none" $outPath
 diff -u \
     <(cat $cacheDir/debuginfo/02623eda209c26a59b1a8638ff7752f6b945c26b.debug | jq -S) \
     <(echo '{"archive":"../nar/100vxs724qr46phz8m24iswmg9p3785hsyagz0kchf6q6gf06sw6.nar","member":"lib/debug/.build-id/02/623eda209c26a59b1a8638ff7752f6b945c26b.debug"}' | jq -S)
+
+# Test against issue https://github.com/NixOS/nix/issues/3964
+#
+expr='
+  with import ./config.nix;
+  mkDerivation {
+    name = "multi-output";
+    buildCommand = "mkdir -p $out; echo foo > $doc; echo $doc > $out/docref";
+    outputs = ["out" "doc"];
+  }
+'
+outPath=$(nix-build --no-out-link -E "$expr")
+docPath=$(nix-store -q --references $outPath)
+
+# $ nix-store -q --tree $outPath
+# ...-multi-output
+# +---...-multi-output-doc
+
+nix copy --to "file://$cacheDir" $outPath
+
+hashpart() {
+  basename "$1" | cut -c1-32
+}
+
+# break the closure of out by removing doc
+rm $cacheDir/$(hashpart $docPath).narinfo
+
+nix-store --delete $outPath $docPath
+# -vvv is the level that logs during the loop
+timeout 60 nix-build --no-out-link -E "$expr" --option substituters "file://$cacheDir" \
+  --option trusted-binary-caches "file://$cacheDir"  --no-require-sigs

tests/brotli.sh

@@ -9,13 +9,13 @@ outPath=$(nix-build dependencies.nix --no-out-link)
 
 nix copy --to $cacheURI $outPath
 
-HASH=$(nix hash-path $outPath)
+HASH=$(nix hash path $outPath)
 
 clearStore
 clearCacheCache
 
 nix copy --from $cacheURI $outPath --no-check-sigs
 
-HASH2=$(nix hash-path $outPath)
+HASH2=$(nix hash path $outPath)
 
 [[ $HASH = $HASH2 ]]

tests/build-remote-input-addressed.sh

@@ -3,3 +3,31 @@ source common.sh
 file=build-hook.nix
 
 source build-remote.sh
+
+# Add a `post-build-hook` option to the nix conf.
+# This hook will be executed both for the local machine and the remote builders
+# (because they share the same config).
+registerBuildHook () {
+    # Dummy post-build-hook just to ensure that it's executed correctly.
+    # (we can't reuse the one from `$PWD/push-to-store.sh` because of
+    # https://github.com/NixOS/nix/issues/4341)
+    cat <<EOF > $TEST_ROOT/post-build-hook.sh
+#!/bin/sh
+
+echo "Post hook ran successfully"
+# Add an empty line to a counter file, just to check that this hook ran properly
+echo "" >> $TEST_ROOT/post-hook-counter
+EOF
+    chmod +x $TEST_ROOT/post-build-hook.sh
+    rm -f $TEST_ROOT/post-hook-counter
+
+    echo "post-build-hook = $TEST_ROOT/post-build-hook.sh" >> $NIX_CONF_DIR/nix.conf
+}
+
+registerBuildHook
+source build-remote.sh
+
+# `build-hook.nix` has four derivations to build, and the hook runs twice for
+# each derivation (once on the builder and once on the host), so the counter
+# should contain eight lines now
+[[ $(cat $TEST_ROOT/post-hook-counter | wc -l) -eq 8 ]]

tests/build-remote.sh

@@ -14,6 +14,9 @@ builders=(
   "ssh-ng://localhost?remote-store=$TEST_ROOT/machine3?system-features=baz - - 1 1 baz"
 )
 
+chmod -R +w $TEST_ROOT/machine* || true
+rm -rf $TEST_ROOT/machine* || true
+
 # Note: ssh://localhost bypasses ssh, directly invoking nix-store as a
 # child process. This allows us to test LegacySSHStore::buildDerivation().
 # ssh-ng://... likewise allows us to test RemoteStore::buildDerivation().

tests/build.sh

@@ -0,0 +1,12 @@
+source common.sh
+
+expectedJSONRegex='\[\{"drvPath":".*multiple-outputs-a.drv","outputs":\{"first":".*multiple-outputs-a-first","second":".*multiple-outputs-a-second"}},\{"drvPath":".*multiple-outputs-b.drv","outputs":\{"out":".*multiple-outputs-b"}}]'
+nix build -f multiple-outputs.nix --json a.all b.all | jq --exit-status '
+  (.[0] |
+    (.drvPath | match(".*multiple-outputs-a.drv")) and
+    (.outputs.first | match(".*multiple-outputs-a-first")) and
+    (.outputs.second | match(".*multiple-outputs-a-second")))
+  and (.[1] |
+    (.drvPath | match(".*multiple-outputs-b.drv")) and
+    (.outputs.out | match(".*multiple-outputs-b")))
+'

tests/config.sh

@@ -16,3 +16,12 @@ here=$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")
 export NIX_USER_CONF_FILES=$here/config/nix-with-substituters.conf
 var=$(nix show-config | grep '^substituters =' | cut -d '=' -f 2 | xargs)
 [[ $var == https://example.com ]]
+
+# Test that it's possible to load config from the environment
+prev=$(nix show-config | grep '^cores' | cut -d '=' -f 2 | xargs)
+export NIX_CONFIG="cores = 4242"$'\n'"experimental-features = nix-command flakes"
+exp_cores=$(nix show-config | grep '^cores' | cut -d '=' -f 2 | xargs)
+exp_features=$(nix show-config | grep '^experimental-features' | cut -d '=' -f 2 | xargs)
+[[ $prev != $exp_cores ]]
+[[ $exp_cores == "4242" ]]
+[[ $exp_features == "nix-command flakes" ]]

tests/content-addressed.nix

@@ -15,15 +15,17 @@ rec {
     '';
   };
   rootCA = mkDerivation {
-    name = "dependent";
-    outputs = [ "out" "dev" ];
+    name = "rootCA";
+    outputs = [ "out" "dev" "foo"];
     buildCommand = ''
       echo "building a CA derivation"
       echo "The seed is ${toString seed}"
       mkdir -p $out
       echo ${rootLegacy}/hello > $out/dep
-      # test symlink at root
+      ln -s $out $out/self
+      # test symlinks at root
       ln -s $out $dev
+      ln -s $out $foo
     '';
     __contentAddressed = true;
     outputHashMode = "recursive";
@@ -34,7 +36,8 @@ rec {
     buildCommand = ''
       echo "building a dependent derivation"
       mkdir -p $out
-      echo ${rootCA}/hello > $out/dep
+      cat ${rootCA}/self/dep
+      echo ${rootCA}/self/dep > $out/dep
     '';
     __contentAddressed = true;
     outputHashMode = "recursive";
@@ -51,4 +54,24 @@ rec {
     outputHashMode = "recursive";
     outputHashAlgo = "sha256";
   };
+  dependentNonCA = mkDerivation {
+    name = "dependent-non-ca";
+    buildCommand = ''
+      echo "Didn't cut-off"
+      echo "building dependent-non-ca"
+      mkdir -p $out
+      echo ${rootCA}/non-ca-hello > $out/dep
+    '';
+  };
+  dependentFixedOutput = mkDerivation {
+    name = "dependent-fixed-output";
+    outputHashMode = "recursive";
+    outputHashAlgo = "sha256";
+    outputHash = "sha256-QvtAMbUl/uvi+LCObmqOhvNOapHdA2raiI4xG5zI5pA=";
+    buildCommand = ''
+      cat ${dependentCA}/dep
+      echo foo > $out
+    '';
+
+  };
 }

tests/content-addressed.sh

@@ -5,23 +5,59 @@ source common.sh
 drv=$(nix-instantiate --experimental-features ca-derivations ./content-addressed.nix -A rootCA --arg seed 1)
 nix --experimental-features 'nix-command ca-derivations' show-derivation --derivation "$drv" --arg seed 1
 
-testDerivation () {
+buildAttr () {
     local derivationPath=$1
-    local commonArgs=("--experimental-features" "ca-derivations" "./content-addressed.nix" "-A" "$derivationPath" "--no-out-link")
+    local seedValue=$2
+    shift; shift
+    local args=("--experimental-features" "ca-derivations" "./content-addressed.nix" "-A" "$derivationPath" --arg seed "$seedValue" "--no-out-link")
+    args+=("$@")
+    nix-build "${args[@]}"
+}
+
+testRemoteCache () {
+    clearCache
+    local outPath=$(buildAttr dependentNonCA 1)
+    nix copy --to file://$cacheDir $outPath
+    clearStore
+    buildAttr dependentNonCA 1 --option substituters file://$cacheDir --no-require-sigs |& (! grep "building dependent-non-ca")
+}
+
+testDeterministicCA () {
+    [[ $(buildAttr rootCA 1) = $(buildAttr rootCA 2) ]]
+}
+
+testCutoffFor () {
     local out1 out2
-    out1=$(nix-build "${commonArgs[@]}" --arg seed 1)
-    out2=$(nix-build "${commonArgs[@]}" --arg seed 2 "${secondSeedArgs[@]}")
+    out1=$(buildAttr $1 1)
+    # The seed only changes the root derivation, and not it's output, so the
+    # dependent derivations should only need to be built once.
+    buildAttr rootCA 2
+    out2=$(buildAttr $1 2 -j0)
     test "$out1" == "$out2"
 }
 
-testDerivation rootCA
-# The seed only changes the root derivation, and not it's output, so the
-# dependent derivations should only need to be built once.
-secondSeedArgs=(-j0)
-# Don't directly build depenentCA, that way we'll make sure we dodn't rely on
-# dependent derivations always being already built.
-#testDerivation dependentCA
-testDerivation transitivelyDependentCA
+testCutoff () {
+    # Don't directly build depenentCA, that way we'll make sure we dodn't rely on
+    # dependent derivations always being already built.
+    #testDerivation dependentCA
+    testCutoffFor transitivelyDependentCA
+    testCutoffFor dependentNonCA
+    testCutoffFor dependentFixedOutput
+}
 
-nix-instantiate --experimental-features ca-derivations ./content-addressed.nix -A rootCA --arg seed 5
-nix-collect-garbage --experimental-features ca-derivations --option keep-derivations true
+testGC () {
+    nix-instantiate --experimental-features ca-derivations ./content-addressed.nix -A rootCA --arg seed 5
+    nix-collect-garbage --experimental-features ca-derivations --option keep-derivations true
+}
+
+testNixCommand () {
+    clearStore
+    nix build --experimental-features 'nix-command ca-derivations' --file ./content-addressed.nix --no-link
+}
+
+# Disabled until we have it properly working
+# testRemoteCache
+testDeterministicCA
+testCutoff
+testGC
+testNixCommand

tests/fetchGit.sh

@@ -59,6 +59,7 @@ path2=$(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).outPath
 
 [[ $(nix eval --impure --expr "(builtins.fetchGit file://$repo).revCount") = 2 ]]
 [[ $(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).rev") = $rev2 ]]
+[[ $(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).shortRev") = ${rev2:0:7} ]]
 
 # Fetching with a explicit hash should succeed.
 path2=$(nix eval --refresh --raw --expr "(builtins.fetchGit { url = file://$repo; rev = \"$rev2\"; }).outPath")
@@ -132,6 +133,7 @@ path2=$(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).outPath
 path3=$(nix eval --impure --raw --expr "(builtins.fetchGit $repo).outPath")
 # (check dirty-tree handling was used)
 [[ $(nix eval --impure --raw --expr "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]]
+[[ $(nix eval --impure --raw --expr "(builtins.fetchGit $repo).shortRev") = 0000000 ]]
 
 # Committing shouldn't change store path, or switch to using 'master'
 git -C $repo commit -m 'Bla5' -a

tests/fetchMercurial.sh

@@ -15,6 +15,9 @@ hg init $repo
 echo '[ui]' >> $repo/.hg/hgrc
 echo 'username = Foobar <foobar@example.org>' >> $repo/.hg/hgrc
 
+# Set ui.tweakdefaults to ensure HGPLAIN is being set.
+echo 'tweakdefaults = True' >> $repo/.hg/hgrc
+
 echo utrecht > $repo/hello
 touch $repo/.hgignore
 hg add --cwd $repo hello .hgignore

tests/fetchurl.sh

@@ -12,7 +12,7 @@ cmp $outPath fetchurl.sh
 # Now using a base-64 hash.
 clearStore
 
-hash=$(nix hash-file --type sha512 --base64 ./fetchurl.sh)
+hash=$(nix hash file --type sha512 --base64 ./fetchurl.sh)
 
 outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr sha512 $hash --no-out-link)
 
@@ -21,7 +21,7 @@ cmp $outPath fetchurl.sh
 # Now using an SRI hash.
 clearStore
 
-hash=$(nix hash-file ./fetchurl.sh)
+hash=$(nix hash file ./fetchurl.sh)
 
 [[ $hash =~ ^sha256- ]]
 
@@ -34,14 +34,14 @@ clearStore
 
 other_store=file://$TEST_ROOT/other_store?store=/fnord/store
 
-hash=$(nix hash-file --type sha256 --base16 ./fetchurl.sh)
+hash=$(nix hash file --type sha256 --base16 ./fetchurl.sh)
 
-storePath=$(nix --store $other_store add-to-store --flat ./fetchurl.sh)
+storePath=$(nix --store $other_store store add-file ./fetchurl.sh)
 
 outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr sha256 $hash --no-out-link --substituters $other_store)
 
 # Test hashed mirrors with an SRI hash.
-nix-build '<nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr hash $(nix to-sri --type sha256 $hash) \
+nix-build '<nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr hash $(nix hash to-sri --type sha256 $hash) \
           --no-out-link --substituters $other_store
 
 # Test unpacking a NAR.

tests/gc-auto.sh

@@ -2,9 +2,9 @@ source common.sh
 
 clearStore
 
-garbage1=$(nix add-to-store --name garbage1 ./nar-access.sh)
-garbage2=$(nix add-to-store --name garbage2 ./nar-access.sh)
-garbage3=$(nix add-to-store --name garbage3 ./nar-access.sh)
+garbage1=$(nix store add-path --name garbage1 ./nar-access.sh)
+garbage2=$(nix store add-path --name garbage2 ./nar-access.sh)
+garbage3=$(nix store add-path --name garbage3 ./nar-access.sh)
 
 ls -l $garbage3
 POSIXLY_CORRECT=1 du $garbage3

tests/github-flakes.nix

@@ -1,6 +1,6 @@
 { nixpkgs, system, overlay }:
 
-with import (nixpkgs + "/nixos/lib/testing.nix") {
+with import (nixpkgs + "/nixos/lib/testing-python.nix") {
   inherit system;
   extraConfigurations = [ { nixpkgs.overlays = [ overlay ]; } ];
 };
@@ -64,6 +64,7 @@ in
 makeTest (
 
 {
+  name = "github-flakes";
 
   nodes =
     { # Impersonate github.com and api.github.com.
@@ -113,36 +114,37 @@ makeTest (
         };
     };
 
-  testScript = { nodes }:
-    ''
-      use POSIX qw(strftime);
+  testScript = { nodes }: ''
+    # fmt: off
+    import json
+    import time
 
-      startAll;
+    start_all()
 
-      $github->waitForUnit("httpd.service");
+    github.wait_for_unit("httpd.service")
 
-      $client->succeed("curl -v https://github.com/ >&2");
+    client.succeed("curl -v https://github.com/ >&2")
+    client.succeed("nix registry list | grep nixpkgs")
 
-      $client->succeed("nix registry list | grep nixpkgs");
+    rev = client.succeed("nix flake info nixpkgs --json | jq -r .revision")
+    assert rev.strip() == "${nixpkgs.rev}", "revision mismatch"
 
-      $client->succeed("nix flake info nixpkgs --json | jq -r .revision") eq "${nixpkgs.rev}\n"
-        or die "revision mismatch";
+    client.succeed("nix registry pin nixpkgs")
 
-      $client->succeed("nix registry pin nixpkgs");
+    client.succeed("nix flake info nixpkgs --tarball-ttl 0 >&2")
 
-      $client->succeed("nix flake info nixpkgs --tarball-ttl 0 >&2");
+    # Shut down the web server. The flake should be cached on the client.
+    github.succeed("systemctl stop httpd.service")
 
-      # Shut down the web server. The flake should be cached on the client.
-      $github->succeed("systemctl stop httpd.service");
+    info = json.loads(client.succeed("nix flake info nixpkgs --json"))
+    date = time.strftime("%Y%m%d%H%M%S", time.gmtime(info['lastModified']))
+    assert date == "${nixpkgs.lastModifiedDate}", "time mismatch"
 
-      my $date = $client->succeed("nix flake info nixpkgs --json | jq -M .lastModified");
-      strftime("%Y%m%d%H%M%S", gmtime($date)) eq "${nixpkgs.lastModifiedDate}" or die "time mismatch";
+    client.succeed("nix build nixpkgs#hello")
 
-      $client->succeed("nix build nixpkgs#hello");
-
-      # The build shouldn't fail even with --tarball-ttl 0 (the server
-      # being down should not be a fatal error).
-      $client->succeed("nix build nixpkgs#fuse --tarball-ttl 0");
-    '';
+    # The build shouldn't fail even with --tarball-ttl 0 (the server
+    # being down should not be a fatal error).
+    client.succeed("nix build nixpkgs#fuse --tarball-ttl 0")
+  '';
 
 })

tests/hash.sh

@@ -2,7 +2,7 @@ source common.sh
 
 try () {
     printf "%s" "$2" > $TEST_ROOT/vector
-    hash=$(nix hash-file --base16 $EXTRA --type "$1" $TEST_ROOT/vector)
+    hash=$(nix hash file --base16 $EXTRA --type "$1" $TEST_ROOT/vector)
     if test "$hash" != "$3"; then
         echo "hash $1, expected $3, got $hash"
         exit 1
@@ -69,17 +69,17 @@ try2 md5 "f78b733a68f5edbdf9413899339eaa4a"
 
 # Conversion.
 try3() {
-    h64=$(nix to-base64 --type "$1" "$2")
+    h64=$(nix hash to-base64 --type "$1" "$2")
     [ "$h64" = "$4" ]
-    sri=$(nix to-sri --type "$1" "$2")
+    sri=$(nix hash to-sri --type "$1" "$2")
     [ "$sri" = "$1-$4" ]
     h32=$(nix-hash --type "$1" --to-base32 "$2")
     [ "$h32" = "$3" ]
     h16=$(nix-hash --type "$1" --to-base16 "$h32")
     [ "$h16" = "$2" ]
-    h16=$(nix to-base16 --type "$1" "$h64")
+    h16=$(nix hash to-base16 --type "$1" "$h64")
     [ "$h16" = "$2" ]
-    h16=$(nix to-base16 "$sri")
+    h16=$(nix hash to-base16 "$sri")
     [ "$h16" = "$2" ]
 }
 try3 sha1 "800d59cfcd3c05e900cb4e214be48f6b886a08df" "vw46m23bizj4n8afrc0fj19wrp7mj3c0" "gA1Zz808BekAy04hS+SPa4hqCN8="

tests/init.sh

@@ -19,6 +19,7 @@ keep-derivations = false
 sandbox = false
 experimental-features = nix-command flakes nix-testing
 gc-reserved-space = 0
+substituters =
 flake-registry = $TEST_ROOT/registry.json
 include nix.conf.extra
 EOF

tests/linux-sandbox.sh

@@ -22,9 +22,9 @@ outPath=$(nix-build dependencies.nix --no-out-link --sandbox-paths /nix/store)
 
 nix path-info -r $outPath | grep input-2
 
-nix ls-store -R -l $outPath | grep foobar
+nix store ls -R -l $outPath | grep foobar
 
-nix cat-store $outPath/foobar | grep FOOBAR
+nix store cat $outPath/foobar | grep FOOBAR
 
 # Test --check without hash rewriting.
 nix-build dependencies.nix --no-out-link --check --sandbox-paths /nix/store

tests/local.mk

@@ -38,7 +38,8 @@ nix_tests = \
   recursive.sh \
   describe-stores.sh \
   flakes.sh \
-  content-addressed.sh
+  content-addressed.sh \
+  build.sh
   # parallel.sh
   # build-remote-content-addressed-fixed.sh # problem with fixed output derivations
   # build-remote-trustless-should-pass-0.sh # problem with legacy ssh-store only

tests/nar-access.sh

@@ -9,45 +9,45 @@ cd "$TEST_ROOT"
 narFile="$TEST_ROOT/path.nar"
 nix-store --dump $storePath > $narFile
 
-# Check that find and ls-nar match.
+# Check that find and nar ls match.
 ( cd $storePath; find . | sort ) > files.find
-nix ls-nar -R -d $narFile "" | sort > files.ls-nar
+nix nar ls -R -d $narFile "" | sort > files.ls-nar
 diff -u files.find files.ls-nar
 
 # Check that file contents of data match.
-nix cat-nar $narFile /foo/data > data.cat-nar
+nix nar cat $narFile /foo/data > data.cat-nar
 diff -u data.cat-nar $storePath/foo/data
 
 # Check that file contents of baz match.
-nix cat-nar $narFile /foo/baz > baz.cat-nar
+nix nar cat $narFile /foo/baz > baz.cat-nar
 diff -u baz.cat-nar $storePath/foo/baz
 
-nix cat-store $storePath/foo/baz > baz.cat-nar
+nix store cat $storePath/foo/baz > baz.cat-nar
 diff -u baz.cat-nar $storePath/foo/baz
 
 # Test --json.
 diff -u \
-    <(nix ls-nar --json $narFile / | jq -S) \
+    <(nix nar ls --json $narFile / | jq -S) \
     <(echo '{"type":"directory","entries":{"foo":{},"foo-x":{},"qux":{},"zyx":{}}}' | jq -S)
 diff -u \
-    <(nix ls-nar --json -R $narFile /foo | jq -S) \
+    <(nix nar ls --json -R $narFile /foo | jq -S) \
     <(echo '{"type":"directory","entries":{"bar":{"type":"regular","size":0,"narOffset":368},"baz":{"type":"regular","size":0,"narOffset":552},"data":{"type":"regular","size":58,"narOffset":736}}}' | jq -S)
 diff -u \
-    <(nix ls-nar --json -R $narFile /foo/bar | jq -S) \
+    <(nix nar ls --json -R $narFile /foo/bar | jq -S) \
     <(echo '{"type":"regular","size":0,"narOffset":368}' | jq -S)
 diff -u \
-    <(nix ls-store --json $storePath | jq -S) \
+    <(nix store ls --json $storePath | jq -S) \
     <(echo '{"type":"directory","entries":{"foo":{},"foo-x":{},"qux":{},"zyx":{}}}' | jq -S)
 diff -u \
-    <(nix ls-store --json -R $storePath/foo | jq -S) \
+    <(nix store ls --json -R $storePath/foo | jq -S) \
     <(echo '{"type":"directory","entries":{"bar":{"type":"regular","size":0},"baz":{"type":"regular","size":0},"data":{"type":"regular","size":58}}}' | jq -S)
 diff -u \
-    <(nix ls-store --json -R $storePath/foo/bar| jq -S) \
+    <(nix store ls --json -R $storePath/foo/bar| jq -S) \
     <(echo '{"type":"regular","size":0}' | jq -S)
 
 # Test missing files.
-nix ls-store --json -R $storePath/xyzzy 2>&1 | grep 'does not exist in NAR'
-nix ls-store $storePath/xyzzy 2>&1 | grep 'does not exist'
+nix store ls --json -R $storePath/xyzzy 2>&1 | grep 'does not exist in NAR'
+nix store ls $storePath/xyzzy 2>&1 | grep 'does not exist'
 
 # Test failure to dump.
 if nix-store --dump $storePath >/dev/full ; then

tests/nix-build-examples.nix

@@ -0,0 +1,33 @@
+with import ./config.nix;
+
+rec {
+
+  input0 = mkDerivation {
+    name = "dependencies-input-0";
+    buildCommand = "mkdir $out; echo foo > $out/bar";
+  };
+
+  input1 = mkDerivation {
+    name = "dependencies-input-1";
+    buildCommand = "mkdir $out; echo FOO > $out/foo";
+  };
+
+  input2 = mkDerivation {
+    name = "dependencies-input-2";
+    buildCommand = ''
+      mkdir $out
+      echo BAR > $out/bar
+      echo ${input0} > $out/input0
+    '';
+  };
+
+  body = mkDerivation {
+    name = "dependencies-top";
+    builder = ./dependencies.builder0.sh + "/FOOBAR/../.";
+    input1 = input1 + "/.";
+    input2 = "${input2}/.";
+    input1_drv = input1;
+    meta.description = "Random test package";
+  };
+
+}

tests/nix-build.sh

@@ -26,3 +26,18 @@ outPath2=$(nix-build $(nix-instantiate dependencies.nix)!out --no-out-link)
 
 outPath2=$(nix-store -r $(nix-instantiate --add-root $TEST_ROOT/indirect dependencies.nix)!out)
 [[ $outPath = $outPath2 ]]
+
+# The order of the paths on stdout must correspond to the -A options
+# https://github.com/NixOS/nix/issues/4197
+
+input0="$(nix-build nix-build-examples.nix -A input0 --no-out-link)"
+input1="$(nix-build nix-build-examples.nix -A input1 --no-out-link)"
+input2="$(nix-build nix-build-examples.nix -A input2 --no-out-link)"
+body="$(nix-build nix-build-examples.nix -A body --no-out-link)"
+
+outPathsA="$(echo $(nix-build nix-build-examples.nix -A input0 -A input1 -A input2 -A body --no-out-link))"
+[[ "$outPathsA" = "$input0 $input1 $input2 $body" ]]
+
+# test a different ordering to make sure it fails, not just in 23 out of 24 permutations
+outPathsB="$(echo $(nix-build nix-build-examples.nix -A body -A input1 -A input2 -A input0 --no-out-link))"
+[[ "$outPathsB" = "$body $input1 $input2 $input0" ]]

tests/nix-copy-closure.nix

@@ -2,18 +2,19 @@
 
 { nixpkgs, system, overlay }:
 
-with import (nixpkgs + "/nixos/lib/testing.nix") {
+with import (nixpkgs + "/nixos/lib/testing-python.nix") {
   inherit system;
   extraConfigurations = [ { nixpkgs.overlays = [ overlay ]; } ];
 };
 
-makeTest (let pkgA = pkgs.cowsay; pkgB = pkgs.wget; pkgC = pkgs.hello; in {
+makeTest (let pkgA = pkgs.cowsay; pkgB = pkgs.wget; pkgC = pkgs.hello; pkgD = pkgs.tmux; in {
+  name = "nix-copy-closure";
 
   nodes =
     { client =
         { config, lib, pkgs, ... }:
         { virtualisation.writableStore = true;
-          virtualisation.pathsInNixDB = [ pkgA ];
+          virtualisation.pathsInNixDB = [ pkgA pkgD.drvPath ];
           nix.binaryCaches = lib.mkForce [ ];
         };
 
@@ -25,41 +26,52 @@ makeTest (let pkgA = pkgs.cowsay; pkgB = pkgs.wget; pkgC = pkgs.hello; in {
         };
     };
 
-  testScript = { nodes }:
-    ''
-      startAll;
+  testScript = { nodes }: ''
+    # fmt: off
+    import subprocess
 
-      # Create an SSH key on the client.
-      my $key = `${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f key -N ""`;
-      $client->succeed("mkdir -m 700 /root/.ssh");
-      $client->copyFileFromHost("key", "/root/.ssh/id_ed25519");
-      $client->succeed("chmod 600 /root/.ssh/id_ed25519");
+    start_all()
 
-      # Install the SSH key on the server.
-      $server->succeed("mkdir -m 700 /root/.ssh");
-      $server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
-      $server->waitForUnit("sshd");
-      $client->waitForUnit("network.target");
-      $client->succeed("ssh -o StrictHostKeyChecking=no " . $server->name() . " 'echo hello world'");
+    # Create an SSH key on the client.
+    subprocess.run([
+      "${pkgs.openssh}/bin/ssh-keygen", "-t", "ed25519", "-f", "key", "-N", ""
+    ], capture_output=True, check=True)
 
-      # Copy the closure of package A from the client to the server.
-      $server->fail("nix-store --check-validity ${pkgA}");
-      $client->succeed("nix-copy-closure --to server --gzip ${pkgA} >&2");
-      $server->succeed("nix-store --check-validity ${pkgA}");
+    client.succeed("mkdir -m 700 /root/.ssh")
+    client.copy_from_host("key", "/root/.ssh/id_ed25519")
+    client.succeed("chmod 600 /root/.ssh/id_ed25519")
 
-      # Copy the closure of package B from the server to the client.
-      $client->fail("nix-store --check-validity ${pkgB}");
-      $client->succeed("nix-copy-closure --from server --gzip ${pkgB} >&2");
-      $client->succeed("nix-store --check-validity ${pkgB}");
+    # Install the SSH key on the server.
+    server.succeed("mkdir -m 700 /root/.ssh")
+    server.copy_from_host("key.pub", "/root/.ssh/authorized_keys")
+    server.wait_for_unit("sshd")
+    client.wait_for_unit("network.target")
+    client.succeed(f"ssh -o StrictHostKeyChecking=no {server.name} 'echo hello world'")
 
-      # Copy the closure of package C via the SSH substituter.
-      $client->fail("nix-store -r ${pkgC}");
-      # FIXME
-      #$client->succeed(
-      #  "nix-store --option use-ssh-substituter true"
-      #  . " --option ssh-substituter-hosts root\@server"
-      #  . " -r ${pkgC} >&2");
-      #$client->succeed("nix-store --check-validity ${pkgC}");
-    '';
+    # Copy the closure of package A from the client to the server.
+    server.fail("nix-store --check-validity ${pkgA}")
+    client.succeed("nix-copy-closure --to server --gzip ${pkgA} >&2")
+    server.succeed("nix-store --check-validity ${pkgA}")
 
+    # Copy the closure of package B from the server to the client.
+    client.fail("nix-store --check-validity ${pkgB}")
+    client.succeed("nix-copy-closure --from server --gzip ${pkgB} >&2")
+    client.succeed("nix-store --check-validity ${pkgB}")
+
+    # Copy the closure of package C via the SSH substituter.
+    client.fail("nix-store -r ${pkgC}")
+
+    # Copy the derivation of package D's derivation from the client to the server.
+    server.fail("nix-store --check-validity ${pkgD.drvPath}")
+    client.succeed("nix-copy-closure --to server --gzip ${pkgD.drvPath} >&2")
+    server.succeed("nix-store --check-validity ${pkgD.drvPath}")
+
+    # FIXME
+    # client.succeed(
+    #   "nix-store --option use-ssh-substituter true"
+    #   " --option ssh-substituter-hosts root\@server"
+    #   " -r ${pkgC} >&2"
+    # )
+    # client.succeed("nix-store --check-validity ${pkgC}")
+  '';
 })

tests/nix-shell.sh

@@ -59,6 +59,12 @@ output=$($TEST_ROOT/shell.shebang.rb abc ruby)
 # Test 'nix develop'.
 nix develop -f shell.nix shellDrv -c bash -c '[[ -n $stdenv ]]'
 
+# Ensure `nix develop -c` preserves stdin
+echo foo | nix develop -f shell.nix shellDrv -c cat | grep -q foo
+
+# Ensure `nix develop -c` actually executes the command if stdout isn't a terminal
+nix develop -f shell.nix shellDrv -c echo foo |& grep -q foo
+
 # Test 'nix print-dev-env'.
 source <(nix print-dev-env -f shell.nix shellDrv)
 [[ -n $stdenv ]]

tests/pure-eval.sh

@@ -15,4 +15,12 @@ nix eval --expr 'assert 1 + 2 == 3; true'
 
 [[ $(nix eval --impure --expr "(import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x") == 123 ]]
 (! nix eval --expr "(import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x")
-nix eval --expr "(import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; sha256 = \"$(nix hash-file pure-eval.nix --type sha256)\"; })).x"
+nix eval --expr "(import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; sha256 = \"$(nix hash file pure-eval.nix --type sha256)\"; })).x"
+
+rm -rf $TEST_ROOT/eval-out
+nix eval --store dummy:// --write-to $TEST_ROOT/eval-out --expr '{ x = "foo" + "bar"; y = { z = "bla"; }; }'
+[[ $(cat $TEST_ROOT/eval-out/x) = foobar ]]
+[[ $(cat $TEST_ROOT/eval-out/y/z) = bla ]]
+
+rm -rf $TEST_ROOT/eval-out
+(! nix eval --store dummy:// --write-to $TEST_ROOT/eval-out --expr '{ "." = "bla"; }')

tests/recursive.sh

@@ -7,7 +7,7 @@ clearStore
 
 rm -f $TEST_ROOT/result
 
-export unreachable=$(nix add-to-store ./recursive.sh)
+export unreachable=$(nix store add-path ./recursive.sh)
 
 NIX_BIN_DIR=$(dirname $(type -p nix)) nix --experimental-features 'nix-command recursive-nix' build -o $TEST_ROOT/result -L --impure --expr '
   with import ./config.nix;
@@ -38,7 +38,7 @@ NIX_BIN_DIR=$(dirname $(type -p nix)) nix --experimental-features 'nix-command r
 
       # Add something to the store.
       echo foobar > foobar
-      foobar=$(nix $opts add-to-store ./foobar)
+      foobar=$(nix $opts store add-path ./foobar)
 
       nix $opts path-info $foobar
       nix $opts build $foobar

tests/remote-builds.nix

@@ -2,7 +2,7 @@
 
 { nixpkgs, system, overlay }:
 
-with import (nixpkgs + "/nixos/lib/testing.nix") {
+with import (nixpkgs + "/nixos/lib/testing-python.nix") {
   inherit system;
   extraConfigurations = [ { nixpkgs.overlays = [ overlay ]; } ];
 };
@@ -36,6 +36,7 @@ let
 in
 
 {
+  name = "remote-builds";
 
   nodes =
     { builder1 = builder;
@@ -66,44 +67,46 @@ in
         };
     };
 
-  testScript = { nodes }:
-    ''
-      startAll;
+  testScript = { nodes }: ''
+    # fmt: off
+    import subprocess
 
-      # Create an SSH key on the client.
-      my $key = `${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f key -N ""`;
-      $client->succeed("mkdir -p -m 700 /root/.ssh");
-      $client->copyFileFromHost("key", "/root/.ssh/id_ed25519");
-      $client->succeed("chmod 600 /root/.ssh/id_ed25519");
+    start_all()
 
-      # Install the SSH key on the builders.
-      $client->waitForUnit("network.target");
-      foreach my $builder ($builder1, $builder2) {
-          $builder->succeed("mkdir -p -m 700 /root/.ssh");
-          $builder->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
-          $builder->waitForUnit("sshd");
-          $client->succeed("ssh -o StrictHostKeyChecking=no " . $builder->name() . " 'echo hello world'");
-      }
+    # Create an SSH key on the client.
+    subprocess.run([
+      "${pkgs.openssh}/bin/ssh-keygen", "-t", "ed25519", "-f", "key", "-N", ""
+    ], capture_output=True, check=True)
+    client.succeed("mkdir -p -m 700 /root/.ssh")
+    client.copy_from_host("key", "/root/.ssh/id_ed25519")
+    client.succeed("chmod 600 /root/.ssh/id_ed25519")
 
-      # Perform a build and check that it was performed on the builder.
-      my $out = $client->succeed(
-        "nix-build ${expr nodes.client.config 1} 2> build-output",
-        "grep -q Hello build-output"
-      );
-      $builder1->succeed("test -e $out");
+    # Install the SSH key on the builders.
+    client.wait_for_unit("network.target")
+    for builder in [builder1, builder2]:
+      builder.succeed("mkdir -p -m 700 /root/.ssh")
+      builder.copy_from_host("key.pub", "/root/.ssh/authorized_keys")
+      builder.wait_for_unit("sshd")
+      client.succeed(f"ssh -o StrictHostKeyChecking=no {builder.name} 'echo hello world'")
 
-      # And a parallel build.
-      my ($out1, $out2) = split /\s/,
-          $client->succeed('nix-store -r $(nix-instantiate ${expr nodes.client.config 2})\!out $(nix-instantiate ${expr nodes.client.config 3})\!out');
-      $builder1->succeed("test -e $out1 -o -e $out2");
-      $builder2->succeed("test -e $out1 -o -e $out2");
+    # Perform a build and check that it was performed on the builder.
+    out = client.succeed(
+      "nix-build ${expr nodes.client.config 1} 2> build-output",
+      "grep -q Hello build-output"
+    )
+    builder1.succeed(f"test -e {out}")
 
-      # And a failing build.
-      $client->fail("nix-build ${expr nodes.client.config 5}");
+    # And a parallel build.
+    paths = client.succeed(r'nix-store -r $(nix-instantiate ${expr nodes.client.config 2})\!out $(nix-instantiate ${expr nodes.client.config 3})\!out')
+    out1, out2 = paths.split()
+    builder1.succeed(f"test -e {out1} -o -e {out2}")
+    builder2.succeed(f"test -e {out1} -o -e {out2}")
 
-      # Test whether the build hook automatically skips unavailable builders.
-      $builder1->block;
-      $client->succeed("nix-build ${expr nodes.client.config 4}");
-    '';
+    # And a failing build.
+    client.fail("nix-build ${expr nodes.client.config 5}")
 
+    # Test whether the build hook automatically skips unavailable builders.
+    builder1.block()
+    client.succeed("nix-build ${expr nodes.client.config 4}")
+  '';
 })

tests/remote-store.sh

@@ -7,6 +7,20 @@ nix --store ssh-ng://localhost?remote-store=$TEST_ROOT/other-store doctor
 
 startDaemon
 
+# Test import-from-derivation through the daemon.
+[[ $(nix eval --impure --raw --expr '
+  with import ./config.nix;
+  import (
+    mkDerivation {
+      name = "foo";
+      bla = import ./dependencies.nix;
+      buildCommand = "
+        echo \\\"hi\\\" > $out
+      ";
+    }
+  )
+') = hi ]]
+
 storeCleared=1 NIX_REMOTE_=$NIX_REMOTE $SHELL ./user-envs.sh
 
 nix-store --dump-db > $TEST_ROOT/d1

tests/setuid.nix

@@ -2,12 +2,13 @@
 
 { nixpkgs, system, overlay }:
 
-with import (nixpkgs + "/nixos/lib/testing.nix") {
+with import (nixpkgs + "/nixos/lib/testing-python.nix") {
   inherit system;
   extraConfigurations = [ { nixpkgs.overlays = [ overlay ]; } ];
 };
 
 makeTest {
+  name = "setuid";
 
   machine =
     { config, lib, pkgs, ... }:
@@ -17,94 +18,109 @@ makeTest {
       virtualisation.pathsInNixDB = [ pkgs.stdenv pkgs.pkgsi686Linux.stdenv ];
     };
 
-  testScript = { nodes }:
-    ''
-      startAll;
+  testScript = { nodes }: ''
+    # fmt: off
+    start_all()
 
-      # Copying to /tmp should succeed.
-      $machine->succeed('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" {} "
-        mkdir -p $out
-        cp ${pkgs.coreutils}/bin/id /tmp/id
-      ")\' ');
+    # Copying to /tmp should succeed.
+    machine.succeed(r"""
+    nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" {} "
+      mkdir -p $out
+      cp ${pkgs.coreutils}/bin/id /tmp/id
+    ")'
+    """.strip())
 
-      $machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
+    machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
 
-      $machine->succeed("rm /tmp/id");
+    machine.succeed("rm /tmp/id")
 
-      # Creating a setuid binary should fail.
-      $machine->fail('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" {} "
-        mkdir -p $out
-        cp ${pkgs.coreutils}/bin/id /tmp/id
-        chmod 4755 /tmp/id
-      ")\' ');
+    # Creating a setuid binary should fail.
+    machine.fail(r"""
+    nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" {} "
+      mkdir -p $out
+      cp ${pkgs.coreutils}/bin/id /tmp/id
+      chmod 4755 /tmp/id
+    ")'
+    """.strip())
 
-      $machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
+    machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
 
-      $machine->succeed("rm /tmp/id");
+    machine.succeed("rm /tmp/id")
 
-      # Creating a setgid binary should fail.
-      $machine->fail('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" {} "
-        mkdir -p $out
-        cp ${pkgs.coreutils}/bin/id /tmp/id
-        chmod 2755 /tmp/id
-      ")\' ');
+    # Creating a setgid binary should fail.
+    machine.fail(r"""
+    nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" {} "
+      mkdir -p $out
+      cp ${pkgs.coreutils}/bin/id /tmp/id
+      chmod 2755 /tmp/id
+    ")'
+    """.strip())
 
-      $machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
+    machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
 
-      $machine->succeed("rm /tmp/id");
+    machine.succeed("rm /tmp/id")
 
-      # The checks should also work on 32-bit binaries.
-      $machine->fail('nix-build --no-sandbox -E \'(with import <nixpkgs> { system = "i686-linux"; }; runCommand "foo" {} "
-        mkdir -p $out
-        cp ${pkgs.coreutils}/bin/id /tmp/id
-        chmod 2755 /tmp/id
-      ")\' ');
+    # The checks should also work on 32-bit binaries.
+    machine.fail(r"""
+    nix-build --no-sandbox -E '(with import <nixpkgs> { system = "i686-linux"; }; runCommand "foo" {} "
+      mkdir -p $out
+      cp ${pkgs.coreutils}/bin/id /tmp/id
+      chmod 2755 /tmp/id
+    ")'
+    """.strip())
 
-      $machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
+    machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
 
-      $machine->succeed("rm /tmp/id");
+    machine.succeed("rm /tmp/id")
 
-      # The tests above use fchmodat(). Test chmod() as well.
-      $machine->succeed('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
-        mkdir -p $out
-        cp ${pkgs.coreutils}/bin/id /tmp/id
-        perl -e \"chmod 0666, qw(/tmp/id) or die\"
-      ")\' ');
+    # The tests above use fchmodat(). Test chmod() as well.
+    machine.succeed(r"""
+    nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
+      mkdir -p $out
+      cp ${pkgs.coreutils}/bin/id /tmp/id
+      perl -e \"chmod 0666, qw(/tmp/id) or die\"
+    ")'
+    """.strip())
 
-      $machine->succeed('[[ $(stat -c %a /tmp/id) = 666 ]]');
+    machine.succeed('[[ $(stat -c %a /tmp/id) = 666 ]]')
 
-      $machine->succeed("rm /tmp/id");
+    machine.succeed("rm /tmp/id")
 
-      $machine->fail('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
-        mkdir -p $out
-        cp ${pkgs.coreutils}/bin/id /tmp/id
-        perl -e \"chmod 04755, qw(/tmp/id) or die\"
-      ")\' ');
+    machine.fail(r"""
+    nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
+      mkdir -p $out
+      cp ${pkgs.coreutils}/bin/id /tmp/id
+      perl -e \"chmod 04755, qw(/tmp/id) or die\"
+    ")'
+    """.strip())
 
-      $machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
+    machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
 
-      $machine->succeed("rm /tmp/id");
+    machine.succeed("rm /tmp/id")
 
-      # And test fchmod().
-      $machine->succeed('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
-        mkdir -p $out
-        cp ${pkgs.coreutils}/bin/id /tmp/id
-        perl -e \"my \\\$x; open \\\$x, qw(/tmp/id); chmod 01750, \\\$x or die\"
-      ")\' ');
+    # And test fchmod().
+    machine.succeed(r"""
+    nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
+      mkdir -p $out
+      cp ${pkgs.coreutils}/bin/id /tmp/id
+      perl -e \"my \\\$x; open \\\$x, qw(/tmp/id); chmod 01750, \\\$x or die\"
+    ")'
+    """.strip())
 
-      $machine->succeed('[[ $(stat -c %a /tmp/id) = 1750 ]]');
+    machine.succeed('[[ $(stat -c %a /tmp/id) = 1750 ]]')
 
-      $machine->succeed("rm /tmp/id");
+    machine.succeed("rm /tmp/id")
 
-      $machine->fail('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
-        mkdir -p $out
-        cp ${pkgs.coreutils}/bin/id /tmp/id
-        perl -e \"my \\\$x; open \\\$x, qw(/tmp/id); chmod 04777, \\\$x or die\"
-      ")\' ');
+    machine.fail(r"""
+    nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
+      mkdir -p $out
+      cp ${pkgs.coreutils}/bin/id /tmp/id
+      perl -e \"my \\\$x; open \\\$x, qw(/tmp/id); chmod 04777, \\\$x or die\"
+    ")'
+    """.strip())
 
-      $machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
-
-      $machine->succeed("rm /tmp/id");
-    '';
+    machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
 
+    machine.succeed("rm /tmp/id")
+  '';
 }

tests/signing.sh

@@ -17,40 +17,40 @@ info=$(nix path-info --json $outPath)
 [[ $info =~ 'cache1.example.org' ]]
 [[ $info =~ 'cache2.example.org' ]]
 
-# Test "nix verify".
-nix verify -r $outPath
+# Test "nix store verify".
+nix store verify -r $outPath
 
-expect 2 nix verify -r $outPath --sigs-needed 1
+expect 2 nix store verify -r $outPath --sigs-needed 1
 
-nix verify -r $outPath --sigs-needed 1 --trusted-public-keys $pk1
+nix store verify -r $outPath --sigs-needed 1 --trusted-public-keys $pk1
 
-expect 2 nix verify -r $outPath --sigs-needed 2 --trusted-public-keys $pk1
+expect 2 nix store verify -r $outPath --sigs-needed 2 --trusted-public-keys $pk1
 
-nix verify -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
+nix store verify -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
 
-nix verify --all --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
+nix store verify --all --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
 
 # Build something unsigned.
 outPath2=$(nix-build simple.nix --no-out-link)
 
-nix verify -r $outPath
+nix store verify -r $outPath
 
 # Verify that the path did not get signed but does have the ultimate bit.
 info=$(nix path-info --json $outPath2)
 [[ $info =~ '"ultimate":true' ]]
 (! [[ $info =~ 'signatures' ]])
 
-# Test "nix verify".
-nix verify -r $outPath2
+# Test "nix store verify".
+nix store verify -r $outPath2
 
-expect 2 nix verify -r $outPath2 --sigs-needed 1
+expect 2 nix store verify -r $outPath2 --sigs-needed 1
 
-expect 2 nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
+expect 2 nix store verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
 
-# Test "nix sign-paths".
-nix sign-paths --key-file $TEST_ROOT/sk1 $outPath2
+# Test "nix store sign-paths".
+nix store sign-paths --key-file $TEST_ROOT/sk1 $outPath2
 
-nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
+nix store verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
 
 # Build something content-addressed.
 outPathCA=$(IMPURE_VAR1=foo IMPURE_VAR2=bar nix-build ./fixed.nix -A good.0 --no-out-link)
@@ -59,12 +59,12 @@ outPathCA=$(IMPURE_VAR1=foo IMPURE_VAR2=bar nix-build ./fixed.nix -A good.0 --no
 
 # Content-addressed paths don't need signatures, so they verify
 # regardless of --sigs-needed.
-nix verify $outPathCA
-nix verify $outPathCA --sigs-needed 1000
+nix store verify $outPathCA
+nix store verify $outPathCA --sigs-needed 1000
 
 # Check that signing a content-addressed path doesn't overflow validSigs
-nix sign-paths --key-file $TEST_ROOT/sk1 $outPathCA
-nix verify -r $outPathCA --sigs-needed 1000 --trusted-public-keys $pk1
+nix store sign-paths --key-file $TEST_ROOT/sk1 $outPathCA
+nix store verify -r $outPathCA --sigs-needed 1000 --trusted-public-keys $pk1
 
 # Copy to a binary cache.
 nix copy --to file://$cacheDir $outPath2
@@ -76,7 +76,7 @@ info=$(nix path-info --store file://$cacheDir --json $outPath2)
 (! [[ $info =~ 'cache2.example.org' ]])
 
 # Verify that adding a signature to a path in a binary cache works.
-nix sign-paths --store file://$cacheDir --key-file $TEST_ROOT/sk2 $outPath2
+nix store sign-paths --store file://$cacheDir --key-file $TEST_ROOT/sk2 $outPath2
 info=$(nix path-info --store file://$cacheDir --json $outPath2)
 [[ $info =~ 'cache1.example.org' ]]
 [[ $info =~ 'cache2.example.org' ]]
@@ -89,17 +89,17 @@ rm -rf $TEST_ROOT/store0
 # But succeed if we supply the public keys.
 nix copy --to $TEST_ROOT/store0 $outPath --trusted-public-keys $pk1
 
-expect 2 nix verify --store $TEST_ROOT/store0 -r $outPath
+expect 2 nix store verify --store $TEST_ROOT/store0 -r $outPath
 
-nix verify --store $TEST_ROOT/store0 -r $outPath --trusted-public-keys $pk1
-nix verify --store $TEST_ROOT/store0 -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
+nix store verify --store $TEST_ROOT/store0 -r $outPath --trusted-public-keys $pk1
+nix store verify --store $TEST_ROOT/store0 -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
 
 # It should also succeed if we disable signature checking.
 (! nix copy --to $TEST_ROOT/store0 $outPath2)
 nix copy --to $TEST_ROOT/store0?require-sigs=false $outPath2
 
 # But signatures should still get copied.
-nix verify --store $TEST_ROOT/store0 -r $outPath2 --trusted-public-keys $pk1
+nix store verify --store $TEST_ROOT/store0 -r $outPath2 --trusted-public-keys $pk1
 
 # Content-addressed stuff can be copied without signatures.
 nix copy --to $TEST_ROOT/store0 $outPathCA

tests/ssh-relay.sh

@@ -11,6 +11,6 @@ store+=$remote_store
 store+=$remote_store
 store+=$remote_store
 
-out=$(nix add-to-store --store "$store" $TEST_ROOT/hello.sh)
+out=$(nix store add-path --store "$store" $TEST_ROOT/hello.sh)
 
 [ foo = $(< $out) ]

tests/tarball.sh

@@ -10,7 +10,7 @@ mkdir -p $tarroot
 cp dependencies.nix $tarroot/default.nix
 cp config.nix dependencies.builder*.sh $tarroot/
 
-hash=$(nix hash-path $tarroot)
+hash=$(nix hash path $tarroot)
 
 test_tarball() {
     local ext="$1"