Remove signRealisation from drv goal

We can move this method from `LocalStore` to `Store` --- even if we only want the actual builder to sign things in many cases, there is no reason to try to enforce this policy by spurious moving the method to a subclass. Now, we might technically sign class, but CA derivations is experimental, and @Ericson2314 is going to revisit all this stuff with issue #11896 anyways.
2025-06-26 20:01:15 +02:00 · 2025-03-10 23:21:03 +00:00 · 2025-03-10 23:21:03 +00:00 · db8439c328
commit db8439c328
parent 0e7e1f5b57
8 changed files with 17 additions and 28 deletions
--- a/src/libstore/build/derivation-goal.cc
+++ b/src/libstore/build/derivation-goal.cc
@ -1047,7 +1047,7 @@ Goal::Co DerivationGoal::resolvedFinished()
                        : worker.store;
                    newRealisation.dependentRealisations = drvOutputReferences(worker.store, *drv, realisation.outPath, &drvStore);
                }
-                signRealisation(newRealisation);
+                worker.store.signRealisation(newRealisation);
                worker.store.registerDrvOutput(newRealisation);
            }
            outputPaths.insert(realisation.outPath);
--- a/src/libstore/build/derivation-goal.hh
+++ b/src/libstore/build/derivation-goal.hh
@ -267,11 +267,6 @@ struct DerivationGoal : public Goal
     */
    Path openLogFile();

-    /**
-     * Sign the newly built realisation if the store allows it
-     */
-    virtual void signRealisation(Realisation&) {}
-
    /**
     * Close the log file.
     */
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@ -1585,19 +1585,6 @@ void LocalStore::addSignatures(const StorePath & storePath, const StringSet & si
 }


-void LocalStore::signRealisation(Realisation & realisation)
-{
-    // FIXME: keep secret keys in memory.
-
-    auto secretKeyFiles = settings.secretKeyFiles;
-
-    for (auto & secretKeyFile : secretKeyFiles.get()) {
-        SecretKey secretKey(readFile(secretKeyFile));
-        LocalSigner signer(std::move(secretKey));
-        realisation.sign(signer);
-    }
-}
-
 void LocalStore::signPathInfo(ValidPathInfo & info)
 {
    // FIXME: keep secret keys in memory.
--- a/src/libstore/local-store.hh
+++ b/src/libstore/local-store.hh
@ -401,7 +401,6 @@ private:
     * specified by the ‘secret-key-files’ option.
     */
    void signPathInfo(ValidPathInfo & info);
-    void signRealisation(Realisation &);

    void addBuildLog(const StorePath & drvPath, std::string_view log) override;

--- a/src/libstore/store-api.cc
+++ b/src/libstore/store-api.cc
@ -1274,6 +1274,19 @@ Derivation Store::readDerivation(const StorePath & drvPath)
 Derivation Store::readInvalidDerivation(const StorePath & drvPath)
 { return readDerivationCommon(*this, drvPath, false); }

+void Store::signRealisation(Realisation & realisation)
+{
+    // FIXME: keep secret keys in memory.
+
+    auto secretKeyFiles = settings.secretKeyFiles;
+
+    for (auto & secretKeyFile : secretKeyFiles.get()) {
+        SecretKey secretKey(readFile(secretKeyFile));
+        LocalSigner signer(std::move(secretKey));
+        realisation.sign(signer);
+    }
+}
+
 }


--- a/src/libstore/store-api.hh
+++ b/src/libstore/store-api.hh
@ -622,6 +622,8 @@ public:
    virtual void addSignatures(const StorePath & storePath, const StringSet & sigs)
    { unsupported("addSignatures"); }

+    void signRealisation(Realisation &);
+
    /* Utility functions. */

    /**
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@ -2872,7 +2872,7 @@ SingleDrvOutputs LocalDerivationGoal::registerOutputs()
        if (experimentalFeatureSettings.isEnabled(Xp::CaDerivations)
            && !drv->type().isImpure())
        {
-            signRealisation(thisRealisation);
+            worker.store.signRealisation(thisRealisation);
            worker.store.registerDrvOutput(thisRealisation);
        }
        builtOutputs.emplace(outputName, thisRealisation);
@ -2881,11 +2881,6 @@ SingleDrvOutputs LocalDerivationGoal::registerOutputs()
    return builtOutputs;
 }

-void LocalDerivationGoal::signRealisation(Realisation & realisation)
-{
-    getLocalStore().signRealisation(realisation);
-}
-

 void LocalDerivationGoal::checkOutputs(const std::map<std::string, ValidPathInfo> & outputs)
 {
--- a/src/libstore/unix/build/local-derivation-goal.hh
+++ b/src/libstore/unix/build/local-derivation-goal.hh
@ -241,8 +241,6 @@ struct LocalDerivationGoal : public DerivationGoal
     */
    SingleDrvOutputs registerOutputs();

-    void signRealisation(Realisation &) override;
-
    /**
     * Check that an output meets the requirements specified by the
     * 'outputChecks' attribute (or the legacy