mirror of
https://github.com/NixOS/nix
synced 2025-07-08 19:23:54 +02:00
Move most store-related commands to 'nix store'
This commit is contained in:
Eelco Dolstra
parent
a1cd805cba
commit
ea2062a2d9
17 changed files with 62 additions and 77 deletions
|
|
@ -188,7 +188,7 @@ unset _NIX_FORCE_HTTP
|
|||
|
||||
|
||||
# Test 'nix verify --all' on a binary cache.
|
||||
nix verify -vvvvv --all --store file://$cacheDir --no-trust
|
||||
nix store verify -vvvvv --all --store file://$cacheDir --no-trust
|
||||
|
||||
|
||||
# Test local NAR caching.
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ other_store=file://$TEST_ROOT/other_store?store=/fnord/store
|
|||
|
||||
hash=$(nix hash file --type sha256 --base16 ./fetchurl.sh)
|
||||
|
||||
storePath=$(nix --store $other_store add-to-store --flat ./fetchurl.sh)
|
||||
storePath=$(nix --store $other_store store add-path --flat ./fetchurl.sh)
|
||||
|
||||
outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr sha256 $hash --no-out-link --substituters $other_store)
|
||||
|
||||
|
|
|
|||
|
|
@ -2,9 +2,9 @@ source common.sh
|
|||
|
||||
clearStore
|
||||
|
||||
garbage1=$(nix add-to-store --name garbage1 ./nar-access.sh)
|
||||
garbage2=$(nix add-to-store --name garbage2 ./nar-access.sh)
|
||||
garbage3=$(nix add-to-store --name garbage3 ./nar-access.sh)
|
||||
garbage1=$(nix store add-path --name garbage1 ./nar-access.sh)
|
||||
garbage2=$(nix store add-path --name garbage2 ./nar-access.sh)
|
||||
garbage3=$(nix store add-path --name garbage3 ./nar-access.sh)
|
||||
|
||||
ls -l $garbage3
|
||||
POSIXLY_CORRECT=1 du $garbage3
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ clearStore
|
|||
|
||||
rm -f $TEST_ROOT/result
|
||||
|
||||
export unreachable=$(nix add-to-store ./recursive.sh)
|
||||
export unreachable=$(nix store add-path ./recursive.sh)
|
||||
|
||||
NIX_BIN_DIR=$(dirname $(type -p nix)) nix --experimental-features 'nix-command recursive-nix' build -o $TEST_ROOT/result -L --impure --expr '
|
||||
with import ./config.nix;
|
||||
|
|
@ -38,7 +38,7 @@ NIX_BIN_DIR=$(dirname $(type -p nix)) nix --experimental-features 'nix-command r
|
|||
|
||||
# Add something to the store.
|
||||
echo foobar > foobar
|
||||
foobar=$(nix $opts add-to-store ./foobar)
|
||||
foobar=$(nix $opts store add-path ./foobar)
|
||||
|
||||
nix $opts path-info $foobar
|
||||
nix $opts build $foobar
|
||||
|
|
|
|||
|
|
@ -17,40 +17,40 @@ info=$(nix path-info --json $outPath)
|
|||
[[ $info =~ 'cache1.example.org' ]]
|
||||
[[ $info =~ 'cache2.example.org' ]]
|
||||
|
||||
# Test "nix verify".
|
||||
nix verify -r $outPath
|
||||
# Test "nix store verify".
|
||||
nix store verify -r $outPath
|
||||
|
||||
expect 2 nix verify -r $outPath --sigs-needed 1
|
||||
expect 2 nix store verify -r $outPath --sigs-needed 1
|
||||
|
||||
nix verify -r $outPath --sigs-needed 1 --trusted-public-keys $pk1
|
||||
nix store verify -r $outPath --sigs-needed 1 --trusted-public-keys $pk1
|
||||
|
||||
expect 2 nix verify -r $outPath --sigs-needed 2 --trusted-public-keys $pk1
|
||||
expect 2 nix store verify -r $outPath --sigs-needed 2 --trusted-public-keys $pk1
|
||||
|
||||
nix verify -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
|
||||
nix store verify -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
|
||||
|
||||
nix verify --all --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
|
||||
nix store verify --all --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
|
||||
|
||||
# Build something unsigned.
|
||||
outPath2=$(nix-build simple.nix --no-out-link)
|
||||
|
||||
nix verify -r $outPath
|
||||
nix store verify -r $outPath
|
||||
|
||||
# Verify that the path did not get signed but does have the ultimate bit.
|
||||
info=$(nix path-info --json $outPath2)
|
||||
[[ $info =~ '"ultimate":true' ]]
|
||||
(! [[ $info =~ 'signatures' ]])
|
||||
|
||||
# Test "nix verify".
|
||||
nix verify -r $outPath2
|
||||
# Test "nix store verify".
|
||||
nix store verify -r $outPath2
|
||||
|
||||
expect 2 nix verify -r $outPath2 --sigs-needed 1
|
||||
expect 2 nix store verify -r $outPath2 --sigs-needed 1
|
||||
|
||||
expect 2 nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
|
||||
expect 2 nix store verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
|
||||
|
||||
# Test "nix sign-paths".
|
||||
nix sign-paths --key-file $TEST_ROOT/sk1 $outPath2
|
||||
# Test "nix store sign-paths".
|
||||
nix store sign-paths --key-file $TEST_ROOT/sk1 $outPath2
|
||||
|
||||
nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
|
||||
nix store verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
|
||||
|
||||
# Build something content-addressed.
|
||||
outPathCA=$(IMPURE_VAR1=foo IMPURE_VAR2=bar nix-build ./fixed.nix -A good.0 --no-out-link)
|
||||
|
|
@ -59,12 +59,12 @@ outPathCA=$(IMPURE_VAR1=foo IMPURE_VAR2=bar nix-build ./fixed.nix -A good.0 --no
|
|||
|
||||
# Content-addressed paths don't need signatures, so they verify
|
||||
# regardless of --sigs-needed.
|
||||
nix verify $outPathCA
|
||||
nix verify $outPathCA --sigs-needed 1000
|
||||
nix store verify $outPathCA
|
||||
nix store verify $outPathCA --sigs-needed 1000
|
||||
|
||||
# Check that signing a content-addressed path doesn't overflow validSigs
|
||||
nix sign-paths --key-file $TEST_ROOT/sk1 $outPathCA
|
||||
nix verify -r $outPathCA --sigs-needed 1000 --trusted-public-keys $pk1
|
||||
nix store sign-paths --key-file $TEST_ROOT/sk1 $outPathCA
|
||||
nix store verify -r $outPathCA --sigs-needed 1000 --trusted-public-keys $pk1
|
||||
|
||||
# Copy to a binary cache.
|
||||
nix copy --to file://$cacheDir $outPath2
|
||||
|
|
@ -76,7 +76,7 @@ info=$(nix path-info --store file://$cacheDir --json $outPath2)
|
|||
(! [[ $info =~ 'cache2.example.org' ]])
|
||||
|
||||
# Verify that adding a signature to a path in a binary cache works.
|
||||
nix sign-paths --store file://$cacheDir --key-file $TEST_ROOT/sk2 $outPath2
|
||||
nix store sign-paths --store file://$cacheDir --key-file $TEST_ROOT/sk2 $outPath2
|
||||
info=$(nix path-info --store file://$cacheDir --json $outPath2)
|
||||
[[ $info =~ 'cache1.example.org' ]]
|
||||
[[ $info =~ 'cache2.example.org' ]]
|
||||
|
|
@ -89,17 +89,17 @@ rm -rf $TEST_ROOT/store0
|
|||
# But succeed if we supply the public keys.
|
||||
nix copy --to $TEST_ROOT/store0 $outPath --trusted-public-keys $pk1
|
||||
|
||||
expect 2 nix verify --store $TEST_ROOT/store0 -r $outPath
|
||||
expect 2 nix store verify --store $TEST_ROOT/store0 -r $outPath
|
||||
|
||||
nix verify --store $TEST_ROOT/store0 -r $outPath --trusted-public-keys $pk1
|
||||
nix verify --store $TEST_ROOT/store0 -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
|
||||
nix store verify --store $TEST_ROOT/store0 -r $outPath --trusted-public-keys $pk1
|
||||
nix store verify --store $TEST_ROOT/store0 -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
|
||||
|
||||
# It should also succeed if we disable signature checking.
|
||||
(! nix copy --to $TEST_ROOT/store0 $outPath2)
|
||||
nix copy --to $TEST_ROOT/store0?require-sigs=false $outPath2
|
||||
|
||||
# But signatures should still get copied.
|
||||
nix verify --store $TEST_ROOT/store0 -r $outPath2 --trusted-public-keys $pk1
|
||||
nix store verify --store $TEST_ROOT/store0 -r $outPath2 --trusted-public-keys $pk1
|
||||
|
||||
# Content-addressed stuff can be copied without signatures.
|
||||
nix copy --to $TEST_ROOT/store0 $outPathCA
|
||||
|
|
|
|||
|
|
@ -11,6 +11,6 @@ store+=$remote_store
|
|||
store+=$remote_store
|
||||
store+=$remote_store
|
||||
|
||||
out=$(nix add-to-store --store "$store" $TEST_ROOT/hello.sh)
|
||||
out=$(nix store add-path --store "$store" $TEST_ROOT/hello.sh)
|
||||
|
||||
[ foo = $(< $out) ]
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue