1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-07-08 19:23:54 +02:00

Move most store-related commands to 'nix store'

This commit is contained in:
Eelco Dolstra 2020-07-24 20:38:56 +02:00
parent a1cd805cba
commit ea2062a2d9
17 changed files with 62 additions and 77 deletions

View file

@ -188,7 +188,7 @@ unset _NIX_FORCE_HTTP
# Test 'nix verify --all' on a binary cache.
nix verify -vvvvv --all --store file://$cacheDir --no-trust
nix store verify -vvvvv --all --store file://$cacheDir --no-trust
# Test local NAR caching.

View file

@ -36,7 +36,7 @@ other_store=file://$TEST_ROOT/other_store?store=/fnord/store
hash=$(nix hash file --type sha256 --base16 ./fetchurl.sh)
storePath=$(nix --store $other_store add-to-store --flat ./fetchurl.sh)
storePath=$(nix --store $other_store store add-path --flat ./fetchurl.sh)
outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr sha256 $hash --no-out-link --substituters $other_store)

View file

@ -2,9 +2,9 @@ source common.sh
clearStore
garbage1=$(nix add-to-store --name garbage1 ./nar-access.sh)
garbage2=$(nix add-to-store --name garbage2 ./nar-access.sh)
garbage3=$(nix add-to-store --name garbage3 ./nar-access.sh)
garbage1=$(nix store add-path --name garbage1 ./nar-access.sh)
garbage2=$(nix store add-path --name garbage2 ./nar-access.sh)
garbage3=$(nix store add-path --name garbage3 ./nar-access.sh)
ls -l $garbage3
POSIXLY_CORRECT=1 du $garbage3

View file

@ -7,7 +7,7 @@ clearStore
rm -f $TEST_ROOT/result
export unreachable=$(nix add-to-store ./recursive.sh)
export unreachable=$(nix store add-path ./recursive.sh)
NIX_BIN_DIR=$(dirname $(type -p nix)) nix --experimental-features 'nix-command recursive-nix' build -o $TEST_ROOT/result -L --impure --expr '
with import ./config.nix;
@ -38,7 +38,7 @@ NIX_BIN_DIR=$(dirname $(type -p nix)) nix --experimental-features 'nix-command r
# Add something to the store.
echo foobar > foobar
foobar=$(nix $opts add-to-store ./foobar)
foobar=$(nix $opts store add-path ./foobar)
nix $opts path-info $foobar
nix $opts build $foobar

View file

@ -17,40 +17,40 @@ info=$(nix path-info --json $outPath)
[[ $info =~ 'cache1.example.org' ]]
[[ $info =~ 'cache2.example.org' ]]
# Test "nix verify".
nix verify -r $outPath
# Test "nix store verify".
nix store verify -r $outPath
expect 2 nix verify -r $outPath --sigs-needed 1
expect 2 nix store verify -r $outPath --sigs-needed 1
nix verify -r $outPath --sigs-needed 1 --trusted-public-keys $pk1
nix store verify -r $outPath --sigs-needed 1 --trusted-public-keys $pk1
expect 2 nix verify -r $outPath --sigs-needed 2 --trusted-public-keys $pk1
expect 2 nix store verify -r $outPath --sigs-needed 2 --trusted-public-keys $pk1
nix verify -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
nix store verify -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
nix verify --all --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
nix store verify --all --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
# Build something unsigned.
outPath2=$(nix-build simple.nix --no-out-link)
nix verify -r $outPath
nix store verify -r $outPath
# Verify that the path did not get signed but does have the ultimate bit.
info=$(nix path-info --json $outPath2)
[[ $info =~ '"ultimate":true' ]]
(! [[ $info =~ 'signatures' ]])
# Test "nix verify".
nix verify -r $outPath2
# Test "nix store verify".
nix store verify -r $outPath2
expect 2 nix verify -r $outPath2 --sigs-needed 1
expect 2 nix store verify -r $outPath2 --sigs-needed 1
expect 2 nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
expect 2 nix store verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
# Test "nix sign-paths".
nix sign-paths --key-file $TEST_ROOT/sk1 $outPath2
# Test "nix store sign-paths".
nix store sign-paths --key-file $TEST_ROOT/sk1 $outPath2
nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
nix store verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
# Build something content-addressed.
outPathCA=$(IMPURE_VAR1=foo IMPURE_VAR2=bar nix-build ./fixed.nix -A good.0 --no-out-link)
@ -59,12 +59,12 @@ outPathCA=$(IMPURE_VAR1=foo IMPURE_VAR2=bar nix-build ./fixed.nix -A good.0 --no
# Content-addressed paths don't need signatures, so they verify
# regardless of --sigs-needed.
nix verify $outPathCA
nix verify $outPathCA --sigs-needed 1000
nix store verify $outPathCA
nix store verify $outPathCA --sigs-needed 1000
# Check that signing a content-addressed path doesn't overflow validSigs
nix sign-paths --key-file $TEST_ROOT/sk1 $outPathCA
nix verify -r $outPathCA --sigs-needed 1000 --trusted-public-keys $pk1
nix store sign-paths --key-file $TEST_ROOT/sk1 $outPathCA
nix store verify -r $outPathCA --sigs-needed 1000 --trusted-public-keys $pk1
# Copy to a binary cache.
nix copy --to file://$cacheDir $outPath2
@ -76,7 +76,7 @@ info=$(nix path-info --store file://$cacheDir --json $outPath2)
(! [[ $info =~ 'cache2.example.org' ]])
# Verify that adding a signature to a path in a binary cache works.
nix sign-paths --store file://$cacheDir --key-file $TEST_ROOT/sk2 $outPath2
nix store sign-paths --store file://$cacheDir --key-file $TEST_ROOT/sk2 $outPath2
info=$(nix path-info --store file://$cacheDir --json $outPath2)
[[ $info =~ 'cache1.example.org' ]]
[[ $info =~ 'cache2.example.org' ]]
@ -89,17 +89,17 @@ rm -rf $TEST_ROOT/store0
# But succeed if we supply the public keys.
nix copy --to $TEST_ROOT/store0 $outPath --trusted-public-keys $pk1
expect 2 nix verify --store $TEST_ROOT/store0 -r $outPath
expect 2 nix store verify --store $TEST_ROOT/store0 -r $outPath
nix verify --store $TEST_ROOT/store0 -r $outPath --trusted-public-keys $pk1
nix verify --store $TEST_ROOT/store0 -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
nix store verify --store $TEST_ROOT/store0 -r $outPath --trusted-public-keys $pk1
nix store verify --store $TEST_ROOT/store0 -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
# It should also succeed if we disable signature checking.
(! nix copy --to $TEST_ROOT/store0 $outPath2)
nix copy --to $TEST_ROOT/store0?require-sigs=false $outPath2
# But signatures should still get copied.
nix verify --store $TEST_ROOT/store0 -r $outPath2 --trusted-public-keys $pk1
nix store verify --store $TEST_ROOT/store0 -r $outPath2 --trusted-public-keys $pk1
# Content-addressed stuff can be copied without signatures.
nix copy --to $TEST_ROOT/store0 $outPathCA

View file

@ -11,6 +11,6 @@ store+=$remote_store
store+=$remote_store
store+=$remote_store
out=$(nix add-to-store --store "$store" $TEST_ROOT/hello.sh)
out=$(nix store add-path --store "$store" $TEST_ROOT/hello.sh)
[ foo = $(< $out) ]