Browse Source
* guix/scripts/authenticate.scm, nix/scripts/guix-authenticate.in, tests/signing-key.pub, tests/signing-key.sec: New files. * po/POTFILES.in: Add 'guix/scripts/authenticate.scm'. * guix/store.scm (dump-port): New procedure. (process-stderr): Add 'user-port' optional parameter. Handle the %STDERR-WRITE and %STDERR-READ cases as expected. (import-paths, export-path, export-paths): New procedures. * tests/store.scm ("export/import several paths", "import corrupt path"): New tests. * Makefile.am (MODULES): Add 'guix/scripts/authenticate.scm'. (EXTRA_DIST): Add 'tests/signing-key.{pub,sec}'. * daemon.am (libstore_a_CPPFLAGS)[-DNIX_CONF_DIR]: Change 'NIX_CONF_DIR' to .../guix. Change 'OPENSSL_PATH' to 'guix-authenticate'. * config-daemon.ac: Instantiate 'nix/scripts/guix-authenticate'. * nix/nix-daemon/guix-daemon.cc (main): Augment $PATH to include 'settings.nixLibexecDir'. * test-env.in: Export 'NIX_CONF_DIR' and 'NIX_LIBEXEC_DIR'. Populate $NIX_CONF_DIR.version-0.8.3

13 changed files with 273 additions and 7 deletions
@ -0,0 +1,98 @@ |
|||
;;; GNU Guix --- Functional package management for GNU |
|||
;;; Copyright © 2013 Ludovic Courtès <ludo@gnu.org> |
|||
;;; |
|||
;;; This file is part of GNU Guix. |
|||
;;; |
|||
;;; GNU Guix is free software; you can redistribute it and/or modify it |
|||
;;; under the terms of the GNU General Public License as published by |
|||
;;; the Free Software Foundation; either version 3 of the License, or (at |
|||
;;; your option) any later version. |
|||
;;; |
|||
;;; GNU Guix is distributed in the hope that it will be useful, but |
|||
;;; WITHOUT ANY WARRANTY; without even the implied warranty of |
|||
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|||
;;; GNU General Public License for more details. |
|||
;;; |
|||
;;; You should have received a copy of the GNU General Public License |
|||
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. |
|||
|
|||
(define-module (guix scripts authenticate) |
|||
#:use-module (guix config) |
|||
#:use-module (guix utils) |
|||
#:use-module (guix pk-crypto) |
|||
#:use-module (guix ui) |
|||
#:use-module (rnrs io ports) |
|||
#:use-module (ice-9 match) |
|||
#:export (guix-authenticate)) |
|||
|
|||
;;; Commentary: |
|||
;;; |
|||
;;; This program is used internally by the daemon to sign exported archive |
|||
;;; (the 'export-paths' RPC), and to authenticate imported archives (the |
|||
;;; 'import-paths' RPC.) |
|||
;;; |
|||
;;; Code: |
|||
|
|||
(define (read-gcry-sexp file) |
|||
"Read a gcrypt sexp from FILE and return it." |
|||
(call-with-input-file file |
|||
(compose string->gcry-sexp get-string-all))) |
|||
|
|||
(define (read-hash-data file) |
|||
"Read sha256 hash data from FILE and return it as a gcrypt sexp." |
|||
(let* ((hex (call-with-input-file file get-string-all)) |
|||
(bv (base16-string->bytevector (string-trim-both hex)))) |
|||
(bytevector->hash-data bv))) |
|||
|
|||
|
|||
;;; |
|||
;;; Entry point with 'openssl'-compatible interface. We support this |
|||
;;; interface because that's what the daemon expects, and we want to leave it |
|||
;;; unmodified currently. |
|||
;;; |
|||
|
|||
(define (guix-authenticate . args) |
|||
(match args |
|||
(("rsautl" "-sign" "-inkey" key "-in" hash-file) |
|||
;; Sign the hash in HASH-FILE with KEY, and return an sexp that includes |
|||
;; both the hash and the actual signature. |
|||
(let* ((secret-key (read-gcry-sexp key)) |
|||
(data (read-hash-data hash-file))) |
|||
(format #t |
|||
"(guix-signature ~a (payload ~a))" |
|||
(gcry-sexp->string (sign data secret-key)) |
|||
(gcry-sexp->string data)) |
|||
#t)) |
|||
(("rsautl" "-verify" "-inkey" key "-pubin" "-in" signature-file) |
|||
;; Read the signature as produced above, check it against KEY, and print |
|||
;; the signed data to stdout upon success. |
|||
(let* ((public-key (read-gcry-sexp key)) |
|||
(sig+data (read-gcry-sexp signature-file)) |
|||
(data (find-sexp-token sig+data 'payload)) |
|||
(signature (find-sexp-token sig+data 'sig-val))) |
|||
(if (and data signature) |
|||
(if (verify signature data public-key) |
|||
(begin |
|||
(display (bytevector->base16-string |
|||
(hash-data->bytevector data))) |
|||
#t) ; success |
|||
(begin |
|||
(format (current-error-port) |
|||
"error: invalid signature: ~a~%" |
|||
(gcry-sexp->string signature)) |
|||
(exit 1))) |
|||
(begin |
|||
(format (current-error-port) |
|||
"error: corrupt signature data: ~a~%" |
|||
(gcry-sexp->string sig+data)) |
|||
(exit 1))))) |
|||
(("--help") |
|||
(display (_ "Usage: guix authenticate OPTION... |
|||
Sign or verify the signature on the given file. This tool is meant to |
|||
be used internally by 'guix-daemon'.\n"))) |
|||
(("--version") |
|||
(show-version-and-exit "guix authenticate")) |
|||
(else |
|||
(leave (_ "wrong arguments"))))) |
|||
|
|||
;;; authenticate.scm ends here |
@ -0,0 +1,11 @@ |
|||
#!@SHELL@ |
|||
# A shorthand for "guix authenticate", for use by the daemon. |
|||
|
|||
if test "x$GUIX_UNINSTALLED" = "x" |
|||
then |
|||
prefix="@prefix@" |
|||
exec_prefix="@exec_prefix@" |
|||
exec "@bindir@/guix" authenticate "$@" |
|||
else |
|||
exec guix authenticate "$@" |
|||
fi |
@ -0,0 +1,4 @@ |
|||
(public-key |
|||
(rsa |
|||
(n #00C1F764069F54FFE93A126B02328903E984E4AE3AF6DF402B5B6B3907911B88C385F1BA76A002EC9DEA109A5228EF0E62EE31A06D1A5861CAB474F6C857AC66EB65A1905F25BBA1869579E73A3B7FED13AF5A1667326F88CDFC2FF24B03C14FD1384AA7E73CA89572880B606E3A974E15347963FC7B6378574936A47580DBCB45#) |
|||
(e #010001#))) |
@ -0,0 +1,8 @@ |
|||
(private-key |
|||
(rsa |
|||
(n #00C1F764069F54FFE93A126B02328903E984E4AE3AF6DF402B5B6B3907911B88C385F1BA76A002EC9DEA109A5228EF0E62EE31A06D1A5861CAB474F6C857AC66EB65A1905F25BBA1869579E73A3B7FED13AF5A1667326F88CDFC2FF24B03C14FD1384AA7E73CA89572880B606E3A974E15347963FC7B6378574936A47580DBCB45#) |
|||
(e #010001#) |
|||
(d #58CAD84653D0046A8EC3F9AA82D9C829B145422109FC3F12DA01A694B92FA296E70D366FB166454D30E632CEE3A033B4C41781BA10325F69FCDC0250CA19C8EEB352FA085992494098DB133E682ED38A931701F0DED1A1E508F4341A4FB446A04F019427C7CB3C44F251EEA9D386100DA80F125E0FD5CE1B0DFEC6D21516EACD#) |
|||
(p #00D47F185147EC39393CCDA4E7323FFC20FC8B8073E2A54DD63BA392A66975E4204CA48572496A9DFD7522436B852C07472A5AB25B7706F7C14E6F33FBC420FF3B#) |
|||
(q #00E9AD22F158060BC9AE3601DA623AFC60FFF3058795802CA92371C00097335CF9A23D7782DE353C9DBA93D7BB99E6A24A411107605E722481C5C191F80D7EB77F#) |
|||
(u #59B45B95AE01A7A7370FAFDB08FE73A4793CE37F228961B09B1B1E7DDAD9F8D3E28F5C5E8B4B067E6B8E0BBF3F690B42991A79E46108DDCDA2514323A66964DE#))) |
Loading…
Reference in new issue