Use libsodium instead of OpenSSL for binary cache signing

Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA signatures. Public keys are also much shorter, so they're now specified directly in the nix.conf option ‘binary-cache-public-keys’. The new command ‘nix-store --generate-binary-cache-key’ generates and prints a public and secret key.
2025-07-06 21:41:48 +02:00 · 2015-02-04 16:43:32 +01:00 · 2015-02-04 16:43:32 +01:00 · e0def5bc4b
commit e0def5bc4b
parent 0d1dafa0c4
15 changed files with 196 additions and 91 deletions
--- a/src/nix-store/local.mk
+++ b/src/nix-store/local.mk
@ -6,6 +6,6 @@ nix-store_SOURCES := $(wildcard $(d)/*.cc)

 nix-store_LIBS = libmain libstore libutil libformat

-nix-store_LDFLAGS = -lbz2 -pthread
+nix-store_LDFLAGS = -lbz2 -pthread $(SODIUM_LIBS)

 nix-store_CXXFLAGS = -DCURL=\"$(curl)\"
--- a/src/nix-store/nix-store.cc
+++ b/src/nix-store/nix-store.cc
@ -20,6 +20,8 @@

 #include <bzlib.h>

+#include <sodium.h>
+

 using namespace nix;
 using std::cin;
@ -1006,6 +1008,32 @@ static void opServe(Strings opFlags, Strings opArgs)
 }


+static void opGenerateBinaryCacheKey(Strings opFlags, Strings opArgs)
+{
+    foreach (Strings::iterator, i, opFlags)
+        throw UsageError(format("unknown flag ‘%1%’") % *i);
+
+    if (opArgs.size() != 1) throw UsageError("one argument expected");
+    string keyName = opArgs.front();
+
+    sodium_init();
+
+    unsigned char pk[crypto_sign_PUBLICKEYBYTES];
+    unsigned char sk[crypto_sign_SECRETKEYBYTES];
+    if (crypto_sign_keypair(pk, sk) != 0)
+        throw Error("key generation failed");
+
+    // FIXME: super ugly way to do base64 encoding.
+    auto args = Strings({"-MMIME::Base64", "-0777", "-ne", "print encode_base64($_, '')"});
+
+    string pk64 = runProgram("perl", true, args, string((char *) pk, crypto_sign_PUBLICKEYBYTES));
+    std::cout << keyName << ":" << pk64 << std::endl;
+
+    string sk64 = runProgram("perl", true, args, string((char *) sk, crypto_sign_SECRETKEYBYTES));
+    std::cout << keyName << ":" << sk64 << std::endl;
+}
+
+
 /* Scan the arguments; find the operation, set global flags, put all
   other flags in a list, and put all other arguments in another
   list. */
@ -1072,14 +1100,16 @@ int main(int argc, char * * argv)
                op = opQueryFailedPaths;
            else if (*arg == "--clear-failed-paths")
                op = opClearFailedPaths;
+            else if (*arg == "--serve")
+                op = opServe;
+            else if (*arg == "--generate-binary-cache-key")
+                op = opGenerateBinaryCacheKey;
            else if (*arg == "--add-root")
                gcRoot = absPath(getArg(*arg, arg, end));
            else if (*arg == "--indirect")
                indirectRoot = true;
            else if (*arg == "--no-output")
                noOutput = true;
-            else if (*arg == "--serve")
-                op = opServe;
            else if (*arg != "" && arg->at(0) == '-') {
                opFlags.push_back(*arg);
                if (*arg == "--max-freed" || *arg == "--max-links" || *arg == "--max-atime") /* !!! hack */