Trustless remote building

Co-authored-by: Matthew Bauer <mjbauer95@gmail.com>
2025-07-07 22:33:57 +02:00 · 2020-08-12 03:47:36 +00:00 · 2020-08-12 03:47:36 +00:00 · cbc4344297
commit cbc4344297
parent 53f92c779a
15 changed files with 181 additions and 12 deletions
--- a/tests/build-hook-ca.nix
+++ b/tests/build-hook-ca.nix
@ -0,0 +1,52 @@
+{ busybox }:
+
+with import ./config.nix;
+
+let
+
+  mkDerivation = args:
+    derivation ({
+      inherit system;
+      builder = busybox;
+      args = ["sh" "-e" args.builder or (builtins.toFile "builder-${args.name}.sh" "if [ -e .attrs.sh ]; then source .attrs.sh; fi; eval \"$buildCommand\"")];
+      outputHashMode = "recursive";
+      outputHashAlgo = "sha256";
+    } // removeAttrs args ["builder" "meta"])
+    // { meta = args.meta or {}; };
+
+  input1 = mkDerivation {
+    shell = busybox;
+    name = "build-remote-input-1";
+    buildCommand = "echo FOO > $out";
+    outputHash = "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=";
+  };
+
+  input2 = mkDerivation {
+    shell = busybox;
+    name = "build-remote-input-2";
+    buildCommand = "echo BAR > $out";
+    outputHash = "sha256-XArauVH91AVwP9hBBQNlkX9ccuPpSYx9o0zeIHb6e+Q=";
+  };
+
+  input3 = mkDerivation {
+    shell = busybox;
+    name = "build-remote-input-3";
+    buildCommand = ''
+      read x < ${input2}
+      echo $x BAZ > $out
+    '';
+    outputHash = "sha256-daKAcPp/+BYMQsVi/YYMlCKoNAxCNDsaivwSHgQqD2s=";
+  };
+
+in
+
+  mkDerivation {
+    shell = busybox;
+    name = "build-remote";
+    buildCommand = ''
+      read x < ${input1}
+      read y < ${input3}
+      echo "$x $y" > $out
+    '';
+    outputHash = "sha256-5SxbkUw6xe2l9TE1uwCvTtTDysD1vhRor38OtDF0LqQ=";
+  }
--- a/tests/build-remote-trustless-should-fail-0.sh
+++ b/tests/build-remote-trustless-should-fail-0.sh
@ -0,0 +1,11 @@
+source common.sh
+
+# We act as if remote trusts us, but it doesn't. This fails since we are
+# building input-addressed derivations with `buildDerivation`, which
+# depends on trust.
+file=build-hook.nix
+prog=$(readlink -e ./nix-daemon-untrusting.sh)
+proto=ssh-ng
+trusting=true
+
+! source build-remote-trustless.sh
--- a/tests/build-remote-trustless-should-pass-0.sh
+++ b/tests/build-remote-trustless-should-pass-0.sh
@ -0,0 +1,9 @@
+source common.sh
+
+# Remote trusts us but we pretend it doesn't.
+file=build-hook.nix
+prog=nix-store
+proto=ssh
+trusting=false
+
+source build-remote-trustless.sh
--- a/tests/build-remote-trustless-should-pass-1.sh
+++ b/tests/build-remote-trustless-should-pass-1.sh
@ -0,0 +1,9 @@
+source common.sh
+
+# Remote trusts us but we pretend it doesn't.
+file=build-hook.nix
+prog=nix-daemon
+proto=ssh-ng
+trusting=false
+
+source build-remote-trustless.sh
--- a/tests/build-remote-trustless-should-pass-2.sh
+++ b/tests/build-remote-trustless-should-pass-2.sh
@ -0,0 +1,9 @@
+source common.sh
+
+# Remote doesn't trust us nor do we think it does
+file=build-hook.nix
+prog=$(readlink -e ./nix-daemon-untrusting.sh)
+proto=ssh-ng
+trusting=false
+
+source build-remote-trustless.sh
--- a/tests/build-remote-trustless-should-pass-3.sh
+++ b/tests/build-remote-trustless-should-pass-3.sh
@ -0,0 +1,10 @@
+source common.sh
+
+# We act as if remote trusts us, but it doesn't. This is fine because we
+# are only building (fixed) CA derivations.
+file=build-hook-ca.nix
+prog=$(readlink -e ./nix-daemon-untrusting.sh)
+proto=ssh-ng
+trusting=true
+
+source build-remote-trustless.sh
--- a/tests/build-remote-trustless.sh
+++ b/tests/build-remote-trustless.sh
@ -0,0 +1,18 @@
+if ! canUseSandbox; then exit; fi
+if ! [[ $busybox =~ busybox ]]; then exit; fi
+
+unset NIX_STORE_DIR
+unset NIX_STATE_DIR
+
+# Note: ssh://localhost bypasses ssh, directly invoking nix-store as a
+# child process. This allows us to test LegacySSHStore::buildDerivation().
+# ssh-ng://... likewise allows us to test RemoteStore::buildDerivation().
+
+nix build -L -v -f $file -o $TEST_ROOT/result --max-jobs 0 \
+  --arg busybox $busybox \
+  --store $TEST_ROOT/local \
+  --builders "$proto://localhost?remote-program=$prog&trusting=$trusting&remote-store=$TEST_ROOT/remote%3Fsystem-features=foo%20bar%20baz - - 1 1 foo,bar,baz"
+
+outPath=$(readlink -f $TEST_ROOT/result)
+
+grep 'FOO BAR BAZ' $TEST_ROOT/${subDir}/local${outPath}
--- a/tests/init.sh
+++ b/tests/init.sh
@ -17,7 +17,7 @@ cat > "$NIX_CONF_DIR"/nix.conf <<EOF
 build-users-group =
 keep-derivations = false
 sandbox = false
-experimental-features = nix-command flakes
+experimental-features = nix-command flakes nix-testing
 gc-reserved-space = 0
 flake-registry = $TEST_ROOT/registry.json
 include nix.conf.extra
--- a/tests/local.mk
+++ b/tests/local.mk
@ -15,6 +15,10 @@ nix_tests = \
  linux-sandbox.sh \
  build-dry.sh \
  build-remote.sh \
+  build-remote-trustless-should-pass-1.sh \
+  build-remote-trustless-should-pass-2.sh \
+  build-remote-trustless-should-pass-3.sh \
+  build-remote-trustless-should-fail-0.sh \
  nar-access.sh \
  structured-attrs.sh \
  fetchGit.sh \
@ -34,6 +38,7 @@ nix_tests = \
  recursive.sh \
  flakes.sh
  # parallel.sh
+  # build-remote-trustless-should-pass-0.sh # problem with legacy ssh-store only

 install-tests += $(foreach x, $(nix_tests), tests/$(x))

--- a/tests/nix-daemon-untrusting.sh
+++ b/tests/nix-daemon-untrusting.sh
@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec nix-daemon --no-trust "$@"