wroclaw-git-backups/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-06-29 10:31:15 +02:00
Code Activity

Include NAR size in fingerprint computation

Browse source 
This is not strictly needed for integrity (since we already include
the NAR hash in the fingerprint) but it helps against endless data
attacks [1]. (However, this will also require
download-from-binary-cache.pl to bail out if it receives more than the
specified number of bytes.)

[1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
This commit is contained in:
Eelco Dolstra 2015-02-17 13:16:58 +01:00
parent 8c8750ae66
commit f19b4abfb2
3 changed files with 5 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

2
scripts/nix-push.in
View file

@ -257,7 +257,7 @@ for (my $n = 0; $n < scalar @storePaths2; $n++) {
chomp $s;
my ($keyName, $secretKey) = split ":", $s;
die "invalid secret key file $secretKeyFile\n" unless defined $keyName && defined $secretKey;
my $fingerprint = fingerprintPath($storePath, $narHash, $refs);
my $fingerprint = fingerprintPath($storePath, $narHash, $narSize, $refs);
my $sig = encode_base64(signString(decode_base64($secretKey), $fingerprint), "");
$info .= "Sig: $keyName:$sig\n";
}