2014-03-29 00:06:41 +01:00
|
|
|
|
;;; GNU Guix --- Functional package management for GNU
|
|
|
|
|
|
;;; Copyright © 2014 Nikita Karetnikov <nikita@karetnikov.org>
|
substitute: Download from unauthorized sources that provide the right content.
This allows substitutes to be downloaded from unauthorized servers, as
long as they advertise the same hash and references as one of the
authorized servers.
* guix/scripts/substitute.scm (assert-valid-narinfo): Remove.
(valid-narinfo?): Add #:verbose?. Handle each case of
'signature-case'.
(equivalent-narinfo?): New procedure.
(lookup-narinfos/diverse): Add 'authorized?' parameter and honor it.
[select-hit]: New procedure.
(lookup-narinfo): Add 'authorized?' parameter and pass it.
(process-query): Adjust callers accordingly.
(process-substitution): Remove call to 'assert-valid-narinfo'. Check
whether 'lookup-narinfo' returns true and call 'leave' if not.
* tests/substitute.scm (%main-substitute-directory)
(%alternate-substitute-directory): New variables.
(call-with-narinfo): Make 'narinfo-directory' a parameter. Call
'mkdir-p' to create it. Change unwind handler to check whether
CACHE-DIRECTORY exists before deleting it.
(with-narinfo*): New macro.
("substitute, no signature")
("substitute, invalid hash")
("substitute, unauthorized key"): Change expected error message to "no
valid substitute".
("substitute, unauthorized narinfo comes first")
("substitute, unsigned narinfo comes first")
("substitute, first narinfo is unsigned and has wrong hash")
("substitute, first narinfo is unsigned and has wrong refs")
("substitute, unsigned narinfo comes first")
("substitute, two invalid narinfos"): New tests.
* doc/guix.texi (Substitutes): Explain the new behavior.
2017-09-01 00:15:31 +02:00
|
|
|
|
;;; Copyright © 2014, 2015, 2017 Ludovic Courtès <ludo@gnu.org>
|
2014-03-29 00:06:41 +01:00
|
|
|
|
;;;
|
|
|
|
|
|
;;; This file is part of GNU Guix.
|
|
|
|
|
|
;;;
|
|
|
|
|
|
;;; GNU Guix is free software; you can redistribute it and/or modify it
|
|
|
|
|
|
;;; under the terms of the GNU General Public License as published by
|
|
|
|
|
|
;;; the Free Software Foundation; either version 3 of the License, or (at
|
|
|
|
|
|
;;; your option) any later version.
|
|
|
|
|
|
;;;
|
|
|
|
|
|
;;; GNU Guix is distributed in the hope that it will be useful, but
|
|
|
|
|
|
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
|
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
|
;;; GNU General Public License for more details.
|
|
|
|
|
|
;;;
|
|
|
|
|
|
;;; You should have received a copy of the GNU General Public License
|
|
|
|
|
|
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
2015-03-25 10:34:27 +01:00
|
|
|
|
(define-module (test-substitute)
|
|
|
|
|
|
#:use-module (guix scripts substitute)
|
2014-03-29 00:06:41 +01:00
|
|
|
|
#:use-module (guix base64)
|
|
|
|
|
|
#:use-module (guix hash)
|
Break module cycle involving (guix store) and (guix ui).
Before, there was a cycle along the lines of:
(guix store) -> (guix nar) -> (guix ui) -> (guix store)
This caused problems, as discussed at:
http://lists.gnu.org/archive/html/guix-devel/2014-10/msg00109.html
This patch removes cycles in the (guix ...) modules.
* guix/nar.scm (&nar-error, &nar-read-error, dump, write-contents,
read-contents, %archive-version-1, write-file, restore-file): Move to...
* guix/serialization.scm: ... here.
* guix/store.scm: Remove dependency on (guix nar).
* guix/scripts/hash.scm, guix/scripts/offload.scm,
guix/scripts/substitute-binary.scm, tests/nar.scm, tests/store.scm,
tests/substitute-binary.scm: Adjust accordingly.
2014-10-09 23:46:13 +02:00
|
|
|
|
#:use-module (guix serialization)
|
2014-03-29 00:06:41 +01:00
|
|
|
|
#:use-module (guix pk-crypto)
|
|
|
|
|
|
#:use-module (guix pki)
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
#:use-module (guix config)
|
2014-03-30 22:11:22 +02:00
|
|
|
|
#:use-module (guix base32)
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
#:use-module ((guix store) #:select (%store-prefix))
|
2014-03-30 22:25:47 +02:00
|
|
|
|
#:use-module ((guix ui) #:select (guix-warning-port))
|
substitute: Download from unauthorized sources that provide the right content.
This allows substitutes to be downloaded from unauthorized servers, as
long as they advertise the same hash and references as one of the
authorized servers.
* guix/scripts/substitute.scm (assert-valid-narinfo): Remove.
(valid-narinfo?): Add #:verbose?. Handle each case of
'signature-case'.
(equivalent-narinfo?): New procedure.
(lookup-narinfos/diverse): Add 'authorized?' parameter and honor it.
[select-hit]: New procedure.
(lookup-narinfo): Add 'authorized?' parameter and pass it.
(process-query): Adjust callers accordingly.
(process-substitution): Remove call to 'assert-valid-narinfo'. Check
whether 'lookup-narinfo' returns true and call 'leave' if not.
* tests/substitute.scm (%main-substitute-directory)
(%alternate-substitute-directory): New variables.
(call-with-narinfo): Make 'narinfo-directory' a parameter. Call
'mkdir-p' to create it. Change unwind handler to check whether
CACHE-DIRECTORY exists before deleting it.
(with-narinfo*): New macro.
("substitute, no signature")
("substitute, invalid hash")
("substitute, unauthorized key"): Change expected error message to "no
valid substitute".
("substitute, unauthorized narinfo comes first")
("substitute, unsigned narinfo comes first")
("substitute, first narinfo is unsigned and has wrong hash")
("substitute, first narinfo is unsigned and has wrong refs")
("substitute, unsigned narinfo comes first")
("substitute, two invalid narinfos"): New tests.
* doc/guix.texi (Substitutes): Explain the new behavior.
2017-09-01 00:15:31 +02:00
|
|
|
|
#:use-module ((guix build utils)
|
|
|
|
|
|
#:select (mkdir-p delete-file-recursively))
|
|
|
|
|
|
#:use-module (guix tests http)
|
2014-03-29 00:06:41 +01:00
|
|
|
|
#:use-module (rnrs bytevectors)
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
#:use-module (rnrs io ports)
|
|
|
|
|
|
#:use-module (web uri)
|
tests: Simplify 'substitute-binary' tests; reduce use of global variables.
* tests/substitute-binary.scm (signature-body): Change 'str' parameter
to 'bv', and expect it to be a bytevector.
(%signature-body, %wrong-signature, %acl): Remove.
(signature): Rename to...
(signature-field): ... this. Add 'bv-or-str' parameter. Change 'str'
parameter to #:version. Add #:public-key parameter. Call
'signature-body' directly. Change domain part of the signature to
'example.gnu.org'.
("not a number", "wrong version number", "valid
narinfo-signature->canonical-sexp"): Use 'signature-field' instead of
'signature' or %SIGNATURE.
(test-error-condition): Add 'message-rx' parameter and honor it.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Adjust accordingly.
(narinfo, %signed-narinfo): Remove.
("query narinfo with invalid hash"): Use '%narinfo' and
'signature-field' instead of 'narinfo' and '%signature'.
("query narinfo signed with authorized key", "query narinfo signed
with unauthorized key", "substitute, invalid hash", "substitute,
unauthorized key"): Likewise.
2014-03-30 21:35:22 +02:00
|
|
|
|
#:use-module (ice-9 regex)
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
#:use-module (srfi srfi-26)
|
2014-03-29 00:06:41 +01:00
|
|
|
|
#:use-module (srfi srfi-34)
|
tests: Simplify 'substitute-binary' tests; reduce use of global variables.
* tests/substitute-binary.scm (signature-body): Change 'str' parameter
to 'bv', and expect it to be a bytevector.
(%signature-body, %wrong-signature, %acl): Remove.
(signature): Rename to...
(signature-field): ... this. Add 'bv-or-str' parameter. Change 'str'
parameter to #:version. Add #:public-key parameter. Call
'signature-body' directly. Change domain part of the signature to
'example.gnu.org'.
("not a number", "wrong version number", "valid
narinfo-signature->canonical-sexp"): Use 'signature-field' instead of
'signature' or %SIGNATURE.
(test-error-condition): Add 'message-rx' parameter and honor it.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Adjust accordingly.
(narinfo, %signed-narinfo): Remove.
("query narinfo with invalid hash"): Use '%narinfo' and
'signature-field' instead of 'narinfo' and '%signature'.
("query narinfo signed with authorized key", "query narinfo signed
with unauthorized key", "substitute, invalid hash", "substitute,
unauthorized key"): Likewise.
2014-03-30 21:35:22 +02:00
|
|
|
|
#:use-module (srfi srfi-35)
|
2014-03-29 00:06:41 +01:00
|
|
|
|
#:use-module ((srfi srfi-64) #:hide (test-error)))
|
|
|
|
|
|
|
2014-03-30 22:25:47 +02:00
|
|
|
|
(define-syntax-rule (test-quit name error-rx exp)
|
|
|
|
|
|
"Emit a test that passes when EXP throws to 'quit' with value 1, and when
|
|
|
|
|
|
it writes to GUIX-WARNING-PORT a messages that matches ERROR-RX."
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
(test-equal name
|
2014-03-30 22:25:47 +02:00
|
|
|
|
'(1 #t)
|
|
|
|
|
|
(let ((error-output (open-output-string)))
|
|
|
|
|
|
(parameterize ((guix-warning-port error-output))
|
|
|
|
|
|
(catch 'quit
|
|
|
|
|
|
(lambda ()
|
|
|
|
|
|
exp
|
|
|
|
|
|
#f)
|
|
|
|
|
|
(lambda (key value)
|
|
|
|
|
|
(list value
|
|
|
|
|
|
(let ((message (get-output-string error-output)))
|
|
|
|
|
|
(->bool (string-match error-rx message))))))))))
|
2014-03-29 00:06:41 +01:00
|
|
|
|
|
|
|
|
|
|
(define %public-key
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
;; This key is known to be in the ACL by default.
|
|
|
|
|
|
(call-with-input-file (string-append %config-directory "/signing-key.pub")
|
|
|
|
|
|
(compose string->canonical-sexp get-string-all)))
|
2014-03-29 00:06:41 +01:00
|
|
|
|
|
|
|
|
|
|
(define %private-key
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
(call-with-input-file (string-append %config-directory "/signing-key.sec")
|
|
|
|
|
|
(compose string->canonical-sexp get-string-all)))
|
2014-03-29 00:06:41 +01:00
|
|
|
|
|
tests: Simplify 'substitute-binary' tests; reduce use of global variables.
* tests/substitute-binary.scm (signature-body): Change 'str' parameter
to 'bv', and expect it to be a bytevector.
(%signature-body, %wrong-signature, %acl): Remove.
(signature): Rename to...
(signature-field): ... this. Add 'bv-or-str' parameter. Change 'str'
parameter to #:version. Add #:public-key parameter. Call
'signature-body' directly. Change domain part of the signature to
'example.gnu.org'.
("not a number", "wrong version number", "valid
narinfo-signature->canonical-sexp"): Use 'signature-field' instead of
'signature' or %SIGNATURE.
(test-error-condition): Add 'message-rx' parameter and honor it.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Adjust accordingly.
(narinfo, %signed-narinfo): Remove.
("query narinfo with invalid hash"): Use '%narinfo' and
'signature-field' instead of 'narinfo' and '%signature'.
("query narinfo signed with authorized key", "query narinfo signed
with unauthorized key", "substitute, invalid hash", "substitute,
unauthorized key"): Likewise.
2014-03-30 21:35:22 +02:00
|
|
|
|
(define* (signature-body bv #:key (public-key %public-key))
|
|
|
|
|
|
"Return the signature of BV as the base64-encoded body of a narinfo's
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
'Signature' field."
|
2014-03-29 00:06:41 +01:00
|
|
|
|
(base64-encode
|
|
|
|
|
|
(string->utf8
|
|
|
|
|
|
(canonical-sexp->string
|
tests: Simplify 'substitute-binary' tests; reduce use of global variables.
* tests/substitute-binary.scm (signature-body): Change 'str' parameter
to 'bv', and expect it to be a bytevector.
(%signature-body, %wrong-signature, %acl): Remove.
(signature): Rename to...
(signature-field): ... this. Add 'bv-or-str' parameter. Change 'str'
parameter to #:version. Add #:public-key parameter. Call
'signature-body' directly. Change domain part of the signature to
'example.gnu.org'.
("not a number", "wrong version number", "valid
narinfo-signature->canonical-sexp"): Use 'signature-field' instead of
'signature' or %SIGNATURE.
(test-error-condition): Add 'message-rx' parameter and honor it.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Adjust accordingly.
(narinfo, %signed-narinfo): Remove.
("query narinfo with invalid hash"): Use '%narinfo' and
'signature-field' instead of 'narinfo' and '%signature'.
("query narinfo signed with authorized key", "query narinfo signed
with unauthorized key", "substitute, invalid hash", "substitute,
unauthorized key"): Likewise.
2014-03-30 21:35:22 +02:00
|
|
|
|
(signature-sexp (bytevector->hash-data (sha256 bv)
|
2014-03-29 00:06:41 +01:00
|
|
|
|
#:key-type 'rsa)
|
|
|
|
|
|
%private-key
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
public-key)))))
|
2014-03-29 00:06:41 +01:00
|
|
|
|
|
|
|
|
|
|
(define %wrong-public-key
|
|
|
|
|
|
(string->canonical-sexp "(public-key
|
|
|
|
|
|
(rsa
|
|
|
|
|
|
(n #00E05873AC2B168760343145918E954EE9AB73C026355693B192E01EE835261AA689E9EF46642E895BCD65C648524059FC450E4BA77A68F4C52D0E39EF0CC9359709AB6AAB153B63782201871325B0FDA19CB401CD99FD0C31A91CA9000AA90A77E82B89E036FB63BC1D3961207469B3B12468977148D376F8012BB12A4B11A8F1#)
|
|
|
|
|
|
(e #010001#)
|
|
|
|
|
|
)
|
|
|
|
|
|
)"))
|
|
|
|
|
|
|
tests: Simplify 'substitute-binary' tests; reduce use of global variables.
* tests/substitute-binary.scm (signature-body): Change 'str' parameter
to 'bv', and expect it to be a bytevector.
(%signature-body, %wrong-signature, %acl): Remove.
(signature): Rename to...
(signature-field): ... this. Add 'bv-or-str' parameter. Change 'str'
parameter to #:version. Add #:public-key parameter. Call
'signature-body' directly. Change domain part of the signature to
'example.gnu.org'.
("not a number", "wrong version number", "valid
narinfo-signature->canonical-sexp"): Use 'signature-field' instead of
'signature' or %SIGNATURE.
(test-error-condition): Add 'message-rx' parameter and honor it.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Adjust accordingly.
(narinfo, %signed-narinfo): Remove.
("query narinfo with invalid hash"): Use '%narinfo' and
'signature-field' instead of 'narinfo' and '%signature'.
("query narinfo signed with authorized key", "query narinfo signed
with unauthorized key", "substitute, invalid hash", "substitute,
unauthorized key"): Likewise.
2014-03-30 21:35:22 +02:00
|
|
|
|
(define* (signature-field bv-or-str
|
|
|
|
|
|
#:key (version "1") (public-key %public-key))
|
|
|
|
|
|
"Return the 'Signature' field value of bytevector/string BV-OR-STR, using
|
|
|
|
|
|
PUBLIC-KEY as the signature's principal, and using VERSION as the signature
|
|
|
|
|
|
version identifier.."
|
|
|
|
|
|
(string-append version ";example.gnu.org;"
|
|
|
|
|
|
(signature-body (if (string? bv-or-str)
|
|
|
|
|
|
(string->utf8 bv-or-str)
|
|
|
|
|
|
bv-or-str)
|
|
|
|
|
|
#:public-key public-key)))
|
|
|
|
|
|
|
2014-03-29 00:06:41 +01:00
|
|
|
|
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
�
|
2015-03-25 10:34:27 +01:00
|
|
|
|
(test-begin "substitute")
|
2014-03-29 00:06:41 +01:00
|
|
|
|
|
2014-03-30 22:25:47 +02:00
|
|
|
|
(test-quit "not a number"
|
|
|
|
|
|
"signature version"
|
tests: Simplify 'substitute-binary' tests; reduce use of global variables.
* tests/substitute-binary.scm (signature-body): Change 'str' parameter
to 'bv', and expect it to be a bytevector.
(%signature-body, %wrong-signature, %acl): Remove.
(signature): Rename to...
(signature-field): ... this. Add 'bv-or-str' parameter. Change 'str'
parameter to #:version. Add #:public-key parameter. Call
'signature-body' directly. Change domain part of the signature to
'example.gnu.org'.
("not a number", "wrong version number", "valid
narinfo-signature->canonical-sexp"): Use 'signature-field' instead of
'signature' or %SIGNATURE.
(test-error-condition): Add 'message-rx' parameter and honor it.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Adjust accordingly.
(narinfo, %signed-narinfo): Remove.
("query narinfo with invalid hash"): Use '%narinfo' and
'signature-field' instead of 'narinfo' and '%signature'.
("query narinfo signed with authorized key", "query narinfo signed
with unauthorized key", "substitute, invalid hash", "substitute,
unauthorized key"): Likewise.
2014-03-30 21:35:22 +02:00
|
|
|
|
(narinfo-signature->canonical-sexp
|
|
|
|
|
|
(signature-field "foo" #:version "not a number")))
|
2014-03-29 00:06:41 +01:00
|
|
|
|
|
2014-03-30 22:25:47 +02:00
|
|
|
|
(test-quit "wrong version number"
|
|
|
|
|
|
"unsupported.*version"
|
tests: Simplify 'substitute-binary' tests; reduce use of global variables.
* tests/substitute-binary.scm (signature-body): Change 'str' parameter
to 'bv', and expect it to be a bytevector.
(%signature-body, %wrong-signature, %acl): Remove.
(signature): Rename to...
(signature-field): ... this. Add 'bv-or-str' parameter. Change 'str'
parameter to #:version. Add #:public-key parameter. Call
'signature-body' directly. Change domain part of the signature to
'example.gnu.org'.
("not a number", "wrong version number", "valid
narinfo-signature->canonical-sexp"): Use 'signature-field' instead of
'signature' or %SIGNATURE.
(test-error-condition): Add 'message-rx' parameter and honor it.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Adjust accordingly.
(narinfo, %signed-narinfo): Remove.
("query narinfo with invalid hash"): Use '%narinfo' and
'signature-field' instead of 'narinfo' and '%signature'.
("query narinfo signed with authorized key", "query narinfo signed
with unauthorized key", "substitute, invalid hash", "substitute,
unauthorized key"): Likewise.
2014-03-30 21:35:22 +02:00
|
|
|
|
(narinfo-signature->canonical-sexp
|
|
|
|
|
|
(signature-field "foo" #:version "2")))
|
2014-03-29 00:06:41 +01:00
|
|
|
|
|
|
|
|
|
|
(test-assert "valid narinfo-signature->canonical-sexp"
|
tests: Simplify 'substitute-binary' tests; reduce use of global variables.
* tests/substitute-binary.scm (signature-body): Change 'str' parameter
to 'bv', and expect it to be a bytevector.
(%signature-body, %wrong-signature, %acl): Remove.
(signature): Rename to...
(signature-field): ... this. Add 'bv-or-str' parameter. Change 'str'
parameter to #:version. Add #:public-key parameter. Call
'signature-body' directly. Change domain part of the signature to
'example.gnu.org'.
("not a number", "wrong version number", "valid
narinfo-signature->canonical-sexp"): Use 'signature-field' instead of
'signature' or %SIGNATURE.
(test-error-condition): Add 'message-rx' parameter and honor it.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Adjust accordingly.
(narinfo, %signed-narinfo): Remove.
("query narinfo with invalid hash"): Use '%narinfo' and
'signature-field' instead of 'narinfo' and '%signature'.
("query narinfo signed with authorized key", "query narinfo signed
with unauthorized key", "substitute, invalid hash", "substitute,
unauthorized key"): Likewise.
2014-03-30 21:35:22 +02:00
|
|
|
|
(canonical-sexp? (narinfo-signature->canonical-sexp (signature-field "foo"))))
|
2014-03-29 00:06:41 +01:00
|
|
|
|
|
|
|
|
|
|
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
�
|
substitute: Download from unauthorized sources that provide the right content.
This allows substitutes to be downloaded from unauthorized servers, as
long as they advertise the same hash and references as one of the
authorized servers.
* guix/scripts/substitute.scm (assert-valid-narinfo): Remove.
(valid-narinfo?): Add #:verbose?. Handle each case of
'signature-case'.
(equivalent-narinfo?): New procedure.
(lookup-narinfos/diverse): Add 'authorized?' parameter and honor it.
[select-hit]: New procedure.
(lookup-narinfo): Add 'authorized?' parameter and pass it.
(process-query): Adjust callers accordingly.
(process-substitution): Remove call to 'assert-valid-narinfo'. Check
whether 'lookup-narinfo' returns true and call 'leave' if not.
* tests/substitute.scm (%main-substitute-directory)
(%alternate-substitute-directory): New variables.
(call-with-narinfo): Make 'narinfo-directory' a parameter. Call
'mkdir-p' to create it. Change unwind handler to check whether
CACHE-DIRECTORY exists before deleting it.
(with-narinfo*): New macro.
("substitute, no signature")
("substitute, invalid hash")
("substitute, unauthorized key"): Change expected error message to "no
valid substitute".
("substitute, unauthorized narinfo comes first")
("substitute, unsigned narinfo comes first")
("substitute, first narinfo is unsigned and has wrong hash")
("substitute, first narinfo is unsigned and has wrong refs")
("substitute, unsigned narinfo comes first")
("substitute, two invalid narinfos"): New tests.
* doc/guix.texi (Substitutes): Explain the new behavior.
2017-09-01 00:15:31 +02:00
|
|
|
|
(define %main-substitute-directory
|
|
|
|
|
|
;; The place where 'call-with-narinfo' stores its data by default.
|
|
|
|
|
|
(uri-path (string->uri (getenv "GUIX_BINARY_SUBSTITUTE_URL"))))
|
|
|
|
|
|
|
|
|
|
|
|
(define %alternate-substitute-directory
|
|
|
|
|
|
;; Another place.
|
|
|
|
|
|
(string-append (dirname %main-substitute-directory)
|
|
|
|
|
|
"/substituter-alt-data"))
|
|
|
|
|
|
|
2014-03-29 00:06:41 +01:00
|
|
|
|
(define %narinfo
|
tests: Simplify 'substitute-binary' tests; reduce use of global variables.
* tests/substitute-binary.scm (signature-body): Change 'str' parameter
to 'bv', and expect it to be a bytevector.
(%signature-body, %wrong-signature, %acl): Remove.
(signature): Rename to...
(signature-field): ... this. Add 'bv-or-str' parameter. Change 'str'
parameter to #:version. Add #:public-key parameter. Call
'signature-body' directly. Change domain part of the signature to
'example.gnu.org'.
("not a number", "wrong version number", "valid
narinfo-signature->canonical-sexp"): Use 'signature-field' instead of
'signature' or %SIGNATURE.
(test-error-condition): Add 'message-rx' parameter and honor it.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Adjust accordingly.
(narinfo, %signed-narinfo): Remove.
("query narinfo with invalid hash"): Use '%narinfo' and
'signature-field' instead of 'narinfo' and '%signature'.
("query narinfo signed with authorized key", "query narinfo signed
with unauthorized key", "substitute, invalid hash", "substitute,
unauthorized key"): Likewise.
2014-03-30 21:35:22 +02:00
|
|
|
|
;; Skeleton of the narinfo used below.
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
(string-append "StorePath: " (%store-prefix)
|
|
|
|
|
|
"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo
|
2014-03-30 22:11:22 +02:00
|
|
|
|
URL: example.nar
|
|
|
|
|
|
Compression: none
|
|
|
|
|
|
NarHash: sha256:" (bytevector->nix-base32-string
|
|
|
|
|
|
(sha256 (string->utf8 "Substitutable data."))) "
|
2014-03-29 00:06:41 +01:00
|
|
|
|
NarSize: 42
|
|
|
|
|
|
References: bar baz
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
Deriver: " (%store-prefix) "/foo.drv
|
|
|
|
|
|
System: mips64el-linux\n"))
|
2014-03-29 00:06:41 +01:00
|
|
|
|
|
substitute: Download from unauthorized sources that provide the right content.
This allows substitutes to be downloaded from unauthorized servers, as
long as they advertise the same hash and references as one of the
authorized servers.
* guix/scripts/substitute.scm (assert-valid-narinfo): Remove.
(valid-narinfo?): Add #:verbose?. Handle each case of
'signature-case'.
(equivalent-narinfo?): New procedure.
(lookup-narinfos/diverse): Add 'authorized?' parameter and honor it.
[select-hit]: New procedure.
(lookup-narinfo): Add 'authorized?' parameter and pass it.
(process-query): Adjust callers accordingly.
(process-substitution): Remove call to 'assert-valid-narinfo'. Check
whether 'lookup-narinfo' returns true and call 'leave' if not.
* tests/substitute.scm (%main-substitute-directory)
(%alternate-substitute-directory): New variables.
(call-with-narinfo): Make 'narinfo-directory' a parameter. Call
'mkdir-p' to create it. Change unwind handler to check whether
CACHE-DIRECTORY exists before deleting it.
(with-narinfo*): New macro.
("substitute, no signature")
("substitute, invalid hash")
("substitute, unauthorized key"): Change expected error message to "no
valid substitute".
("substitute, unauthorized narinfo comes first")
("substitute, unsigned narinfo comes first")
("substitute, first narinfo is unsigned and has wrong hash")
("substitute, first narinfo is unsigned and has wrong refs")
("substitute, unsigned narinfo comes first")
("substitute, two invalid narinfos"): New tests.
* doc/guix.texi (Substitutes): Explain the new behavior.
2017-09-01 00:15:31 +02:00
|
|
|
|
(define* (call-with-narinfo narinfo thunk
|
|
|
|
|
|
#:optional
|
|
|
|
|
|
(narinfo-directory %main-substitute-directory))
|
|
|
|
|
|
"Call THUNK in a context where the directory at URL is populated with
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
a file for NARINFO."
|
substitute: Download from unauthorized sources that provide the right content.
This allows substitutes to be downloaded from unauthorized servers, as
long as they advertise the same hash and references as one of the
authorized servers.
* guix/scripts/substitute.scm (assert-valid-narinfo): Remove.
(valid-narinfo?): Add #:verbose?. Handle each case of
'signature-case'.
(equivalent-narinfo?): New procedure.
(lookup-narinfos/diverse): Add 'authorized?' parameter and honor it.
[select-hit]: New procedure.
(lookup-narinfo): Add 'authorized?' parameter and pass it.
(process-query): Adjust callers accordingly.
(process-substitution): Remove call to 'assert-valid-narinfo'. Check
whether 'lookup-narinfo' returns true and call 'leave' if not.
* tests/substitute.scm (%main-substitute-directory)
(%alternate-substitute-directory): New variables.
(call-with-narinfo): Make 'narinfo-directory' a parameter. Call
'mkdir-p' to create it. Change unwind handler to check whether
CACHE-DIRECTORY exists before deleting it.
(with-narinfo*): New macro.
("substitute, no signature")
("substitute, invalid hash")
("substitute, unauthorized key"): Change expected error message to "no
valid substitute".
("substitute, unauthorized narinfo comes first")
("substitute, unsigned narinfo comes first")
("substitute, first narinfo is unsigned and has wrong hash")
("substitute, first narinfo is unsigned and has wrong refs")
("substitute, unsigned narinfo comes first")
("substitute, two invalid narinfos"): New tests.
* doc/guix.texi (Substitutes): Explain the new behavior.
2017-09-01 00:15:31 +02:00
|
|
|
|
(mkdir-p narinfo-directory)
|
|
|
|
|
|
(let ((cache-directory (string-append (getenv "XDG_CACHE_HOME")
|
|
|
|
|
|
"/guix/substitute/")))
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
(dynamic-wind
|
|
|
|
|
|
(lambda ()
|
|
|
|
|
|
(when (file-exists? cache-directory)
|
|
|
|
|
|
(delete-file-recursively cache-directory))
|
|
|
|
|
|
(call-with-output-file (string-append narinfo-directory
|
|
|
|
|
|
"/nix-cache-info")
|
|
|
|
|
|
(lambda (port)
|
|
|
|
|
|
(format port "StoreDir: ~a\nWantMassQuery: 0\n"
|
|
|
|
|
|
(%store-prefix))))
|
|
|
|
|
|
(call-with-output-file (string-append narinfo-directory "/"
|
|
|
|
|
|
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
|
|
|
|
|
|
".narinfo")
|
|
|
|
|
|
(cut display narinfo <>))
|
|
|
|
|
|
|
2014-03-30 22:11:22 +02:00
|
|
|
|
;; Prepare the nar.
|
|
|
|
|
|
(call-with-output-file
|
|
|
|
|
|
(string-append narinfo-directory "/example.out")
|
|
|
|
|
|
(cut display "Substitutable data." <>))
|
|
|
|
|
|
(call-with-output-file
|
|
|
|
|
|
(string-append narinfo-directory "/example.nar")
|
|
|
|
|
|
(cute write-file
|
|
|
|
|
|
(string-append narinfo-directory "/example.out") <>))
|
|
|
|
|
|
|
2015-03-25 10:34:27 +01:00
|
|
|
|
(set! (@@ (guix scripts substitute)
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
%allow-unauthenticated-substitutes?)
|
|
|
|
|
|
#f))
|
|
|
|
|
|
thunk
|
|
|
|
|
|
(lambda ()
|
substitute: Download from unauthorized sources that provide the right content.
This allows substitutes to be downloaded from unauthorized servers, as
long as they advertise the same hash and references as one of the
authorized servers.
* guix/scripts/substitute.scm (assert-valid-narinfo): Remove.
(valid-narinfo?): Add #:verbose?. Handle each case of
'signature-case'.
(equivalent-narinfo?): New procedure.
(lookup-narinfos/diverse): Add 'authorized?' parameter and honor it.
[select-hit]: New procedure.
(lookup-narinfo): Add 'authorized?' parameter and pass it.
(process-query): Adjust callers accordingly.
(process-substitution): Remove call to 'assert-valid-narinfo'. Check
whether 'lookup-narinfo' returns true and call 'leave' if not.
* tests/substitute.scm (%main-substitute-directory)
(%alternate-substitute-directory): New variables.
(call-with-narinfo): Make 'narinfo-directory' a parameter. Call
'mkdir-p' to create it. Change unwind handler to check whether
CACHE-DIRECTORY exists before deleting it.
(with-narinfo*): New macro.
("substitute, no signature")
("substitute, invalid hash")
("substitute, unauthorized key"): Change expected error message to "no
valid substitute".
("substitute, unauthorized narinfo comes first")
("substitute, unsigned narinfo comes first")
("substitute, first narinfo is unsigned and has wrong hash")
("substitute, first narinfo is unsigned and has wrong refs")
("substitute, unsigned narinfo comes first")
("substitute, two invalid narinfos"): New tests.
* doc/guix.texi (Substitutes): Explain the new behavior.
2017-09-01 00:15:31 +02:00
|
|
|
|
(when (file-exists? cache-directory)
|
|
|
|
|
|
(delete-file-recursively cache-directory))))))
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
|
|
|
|
|
|
(define-syntax-rule (with-narinfo narinfo body ...)
|
|
|
|
|
|
(call-with-narinfo narinfo (lambda () body ...)))
|
|
|
|
|
|
|
substitute: Download from unauthorized sources that provide the right content.
This allows substitutes to be downloaded from unauthorized servers, as
long as they advertise the same hash and references as one of the
authorized servers.
* guix/scripts/substitute.scm (assert-valid-narinfo): Remove.
(valid-narinfo?): Add #:verbose?. Handle each case of
'signature-case'.
(equivalent-narinfo?): New procedure.
(lookup-narinfos/diverse): Add 'authorized?' parameter and honor it.
[select-hit]: New procedure.
(lookup-narinfo): Add 'authorized?' parameter and pass it.
(process-query): Adjust callers accordingly.
(process-substitution): Remove call to 'assert-valid-narinfo'. Check
whether 'lookup-narinfo' returns true and call 'leave' if not.
* tests/substitute.scm (%main-substitute-directory)
(%alternate-substitute-directory): New variables.
(call-with-narinfo): Make 'narinfo-directory' a parameter. Call
'mkdir-p' to create it. Change unwind handler to check whether
CACHE-DIRECTORY exists before deleting it.
(with-narinfo*): New macro.
("substitute, no signature")
("substitute, invalid hash")
("substitute, unauthorized key"): Change expected error message to "no
valid substitute".
("substitute, unauthorized narinfo comes first")
("substitute, unsigned narinfo comes first")
("substitute, first narinfo is unsigned and has wrong hash")
("substitute, first narinfo is unsigned and has wrong refs")
("substitute, unsigned narinfo comes first")
("substitute, two invalid narinfos"): New tests.
* doc/guix.texi (Substitutes): Explain the new behavior.
2017-09-01 00:15:31 +02:00
|
|
|
|
(define-syntax-rule (with-narinfo* narinfo directory body ...)
|
|
|
|
|
|
(call-with-narinfo narinfo (lambda () body ...) directory))
|
|
|
|
|
|
|
2015-03-25 10:34:27 +01:00
|
|
|
|
;; Transmit these options to 'guix substitute'.
|
2017-08-31 23:27:26 +02:00
|
|
|
|
(substitute-urls (list (getenv "GUIX_BINARY_SUBSTITUTE_URL")))
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
|
2014-03-30 22:11:22 +02:00
|
|
|
|
(test-equal "query narinfo without signature"
|
|
|
|
|
|
"" ; not substitutable
|
|
|
|
|
|
|
|
|
|
|
|
(with-narinfo %narinfo
|
|
|
|
|
|
(string-trim-both
|
|
|
|
|
|
(with-output-to-string
|
|
|
|
|
|
(lambda ()
|
|
|
|
|
|
(with-input-from-string (string-append "have " (%store-prefix)
|
|
|
|
|
|
"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo")
|
|
|
|
|
|
(lambda ()
|
2015-03-25 10:34:27 +01:00
|
|
|
|
(guix-substitute "--query"))))))))
|
2014-03-30 22:11:22 +02:00
|
|
|
|
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
(test-equal "query narinfo with invalid hash"
|
tests: Simplify 'substitute-binary' tests; reduce use of global variables.
* tests/substitute-binary.scm (signature-body): Change 'str' parameter
to 'bv', and expect it to be a bytevector.
(%signature-body, %wrong-signature, %acl): Remove.
(signature): Rename to...
(signature-field): ... this. Add 'bv-or-str' parameter. Change 'str'
parameter to #:version. Add #:public-key parameter. Call
'signature-body' directly. Change domain part of the signature to
'example.gnu.org'.
("not a number", "wrong version number", "valid
narinfo-signature->canonical-sexp"): Use 'signature-field' instead of
'signature' or %SIGNATURE.
(test-error-condition): Add 'message-rx' parameter and honor it.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Adjust accordingly.
(narinfo, %signed-narinfo): Remove.
("query narinfo with invalid hash"): Use '%narinfo' and
'signature-field' instead of 'narinfo' and '%signature'.
("query narinfo signed with authorized key", "query narinfo signed
with unauthorized key", "substitute, invalid hash", "substitute,
unauthorized key"): Likewise.
2014-03-30 21:35:22 +02:00
|
|
|
|
;; The hash in the signature differs from the hash of %NARINFO.
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
""
|
|
|
|
|
|
|
tests: Simplify 'substitute-binary' tests; reduce use of global variables.
* tests/substitute-binary.scm (signature-body): Change 'str' parameter
to 'bv', and expect it to be a bytevector.
(%signature-body, %wrong-signature, %acl): Remove.
(signature): Rename to...
(signature-field): ... this. Add 'bv-or-str' parameter. Change 'str'
parameter to #:version. Add #:public-key parameter. Call
'signature-body' directly. Change domain part of the signature to
'example.gnu.org'.
("not a number", "wrong version number", "valid
narinfo-signature->canonical-sexp"): Use 'signature-field' instead of
'signature' or %SIGNATURE.
(test-error-condition): Add 'message-rx' parameter and honor it.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Adjust accordingly.
(narinfo, %signed-narinfo): Remove.
("query narinfo with invalid hash"): Use '%narinfo' and
'signature-field' instead of 'narinfo' and '%signature'.
("query narinfo signed with authorized key", "query narinfo signed
with unauthorized key", "substitute, invalid hash", "substitute,
unauthorized key"): Likewise.
2014-03-30 21:35:22 +02:00
|
|
|
|
(with-narinfo (string-append %narinfo "Signature: "
|
|
|
|
|
|
(signature-field "different body")
|
|
|
|
|
|
"\n")
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
(string-trim-both
|
|
|
|
|
|
(with-output-to-string
|
|
|
|
|
|
(lambda ()
|
|
|
|
|
|
(with-input-from-string (string-append "have " (%store-prefix)
|
|
|
|
|
|
"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo")
|
|
|
|
|
|
(lambda ()
|
2015-03-25 10:34:27 +01:00
|
|
|
|
(guix-substitute "--query"))))))))
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
|
|
|
|
|
|
(test-equal "query narinfo signed with authorized key"
|
|
|
|
|
|
(string-append (%store-prefix) "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo")
|
|
|
|
|
|
|
tests: Simplify 'substitute-binary' tests; reduce use of global variables.
* tests/substitute-binary.scm (signature-body): Change 'str' parameter
to 'bv', and expect it to be a bytevector.
(%signature-body, %wrong-signature, %acl): Remove.
(signature): Rename to...
(signature-field): ... this. Add 'bv-or-str' parameter. Change 'str'
parameter to #:version. Add #:public-key parameter. Call
'signature-body' directly. Change domain part of the signature to
'example.gnu.org'.
("not a number", "wrong version number", "valid
narinfo-signature->canonical-sexp"): Use 'signature-field' instead of
'signature' or %SIGNATURE.
(test-error-condition): Add 'message-rx' parameter and honor it.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Adjust accordingly.
(narinfo, %signed-narinfo): Remove.
("query narinfo with invalid hash"): Use '%narinfo' and
'signature-field' instead of 'narinfo' and '%signature'.
("query narinfo signed with authorized key", "query narinfo signed
with unauthorized key", "substitute, invalid hash", "substitute,
unauthorized key"): Likewise.
2014-03-30 21:35:22 +02:00
|
|
|
|
(with-narinfo (string-append %narinfo "Signature: "
|
|
|
|
|
|
(signature-field %narinfo)
|
|
|
|
|
|
"\n")
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
(string-trim-both
|
|
|
|
|
|
(with-output-to-string
|
|
|
|
|
|
(lambda ()
|
|
|
|
|
|
(with-input-from-string (string-append "have " (%store-prefix)
|
|
|
|
|
|
"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo")
|
|
|
|
|
|
(lambda ()
|
2015-03-25 10:34:27 +01:00
|
|
|
|
(guix-substitute "--query"))))))))
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
|
|
|
|
|
|
(test-equal "query narinfo signed with unauthorized key"
|
|
|
|
|
|
"" ; not substitutable
|
|
|
|
|
|
|
tests: Simplify 'substitute-binary' tests; reduce use of global variables.
* tests/substitute-binary.scm (signature-body): Change 'str' parameter
to 'bv', and expect it to be a bytevector.
(%signature-body, %wrong-signature, %acl): Remove.
(signature): Rename to...
(signature-field): ... this. Add 'bv-or-str' parameter. Change 'str'
parameter to #:version. Add #:public-key parameter. Call
'signature-body' directly. Change domain part of the signature to
'example.gnu.org'.
("not a number", "wrong version number", "valid
narinfo-signature->canonical-sexp"): Use 'signature-field' instead of
'signature' or %SIGNATURE.
(test-error-condition): Add 'message-rx' parameter and honor it.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Adjust accordingly.
(narinfo, %signed-narinfo): Remove.
("query narinfo with invalid hash"): Use '%narinfo' and
'signature-field' instead of 'narinfo' and '%signature'.
("query narinfo signed with authorized key", "query narinfo signed
with unauthorized key", "substitute, invalid hash", "substitute,
unauthorized key"): Likewise.
2014-03-30 21:35:22 +02:00
|
|
|
|
(with-narinfo (string-append %narinfo "Signature: "
|
|
|
|
|
|
(signature-field
|
|
|
|
|
|
%narinfo
|
|
|
|
|
|
#:public-key %wrong-public-key)
|
|
|
|
|
|
"\n")
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
(string-trim-both
|
|
|
|
|
|
(with-output-to-string
|
|
|
|
|
|
(lambda ()
|
|
|
|
|
|
(with-input-from-string (string-append "have " (%store-prefix)
|
|
|
|
|
|
"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo")
|
|
|
|
|
|
(lambda ()
|
2015-03-25 10:34:27 +01:00
|
|
|
|
(guix-substitute "--query"))))))))
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
|
2014-03-30 22:25:47 +02:00
|
|
|
|
(test-quit "substitute, no signature"
|
substitute: Download from unauthorized sources that provide the right content.
This allows substitutes to be downloaded from unauthorized servers, as
long as they advertise the same hash and references as one of the
authorized servers.
* guix/scripts/substitute.scm (assert-valid-narinfo): Remove.
(valid-narinfo?): Add #:verbose?. Handle each case of
'signature-case'.
(equivalent-narinfo?): New procedure.
(lookup-narinfos/diverse): Add 'authorized?' parameter and honor it.
[select-hit]: New procedure.
(lookup-narinfo): Add 'authorized?' parameter and pass it.
(process-query): Adjust callers accordingly.
(process-substitution): Remove call to 'assert-valid-narinfo'. Check
whether 'lookup-narinfo' returns true and call 'leave' if not.
* tests/substitute.scm (%main-substitute-directory)
(%alternate-substitute-directory): New variables.
(call-with-narinfo): Make 'narinfo-directory' a parameter. Call
'mkdir-p' to create it. Change unwind handler to check whether
CACHE-DIRECTORY exists before deleting it.
(with-narinfo*): New macro.
("substitute, no signature")
("substitute, invalid hash")
("substitute, unauthorized key"): Change expected error message to "no
valid substitute".
("substitute, unauthorized narinfo comes first")
("substitute, unsigned narinfo comes first")
("substitute, first narinfo is unsigned and has wrong hash")
("substitute, first narinfo is unsigned and has wrong refs")
("substitute, unsigned narinfo comes first")
("substitute, two invalid narinfos"): New tests.
* doc/guix.texi (Substitutes): Explain the new behavior.
2017-09-01 00:15:31 +02:00
|
|
|
|
"no valid substitute"
|
2014-03-30 22:11:22 +02:00
|
|
|
|
(with-narinfo %narinfo
|
2015-03-25 10:34:27 +01:00
|
|
|
|
(guix-substitute "--substitute"
|
|
|
|
|
|
(string-append (%store-prefix)
|
|
|
|
|
|
"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo")
|
|
|
|
|
|
"foo")))
|
2014-03-30 22:11:22 +02:00
|
|
|
|
|
2014-03-30 22:25:47 +02:00
|
|
|
|
(test-quit "substitute, invalid hash"
|
substitute: Download from unauthorized sources that provide the right content.
This allows substitutes to be downloaded from unauthorized servers, as
long as they advertise the same hash and references as one of the
authorized servers.
* guix/scripts/substitute.scm (assert-valid-narinfo): Remove.
(valid-narinfo?): Add #:verbose?. Handle each case of
'signature-case'.
(equivalent-narinfo?): New procedure.
(lookup-narinfos/diverse): Add 'authorized?' parameter and honor it.
[select-hit]: New procedure.
(lookup-narinfo): Add 'authorized?' parameter and pass it.
(process-query): Adjust callers accordingly.
(process-substitution): Remove call to 'assert-valid-narinfo'. Check
whether 'lookup-narinfo' returns true and call 'leave' if not.
* tests/substitute.scm (%main-substitute-directory)
(%alternate-substitute-directory): New variables.
(call-with-narinfo): Make 'narinfo-directory' a parameter. Call
'mkdir-p' to create it. Change unwind handler to check whether
CACHE-DIRECTORY exists before deleting it.
(with-narinfo*): New macro.
("substitute, no signature")
("substitute, invalid hash")
("substitute, unauthorized key"): Change expected error message to "no
valid substitute".
("substitute, unauthorized narinfo comes first")
("substitute, unsigned narinfo comes first")
("substitute, first narinfo is unsigned and has wrong hash")
("substitute, first narinfo is unsigned and has wrong refs")
("substitute, unsigned narinfo comes first")
("substitute, two invalid narinfos"): New tests.
* doc/guix.texi (Substitutes): Explain the new behavior.
2017-09-01 00:15:31 +02:00
|
|
|
|
"no valid substitute"
|
tests: Simplify 'substitute-binary' tests; reduce use of global variables.
* tests/substitute-binary.scm (signature-body): Change 'str' parameter
to 'bv', and expect it to be a bytevector.
(%signature-body, %wrong-signature, %acl): Remove.
(signature): Rename to...
(signature-field): ... this. Add 'bv-or-str' parameter. Change 'str'
parameter to #:version. Add #:public-key parameter. Call
'signature-body' directly. Change domain part of the signature to
'example.gnu.org'.
("not a number", "wrong version number", "valid
narinfo-signature->canonical-sexp"): Use 'signature-field' instead of
'signature' or %SIGNATURE.
(test-error-condition): Add 'message-rx' parameter and honor it.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Adjust accordingly.
(narinfo, %signed-narinfo): Remove.
("query narinfo with invalid hash"): Use '%narinfo' and
'signature-field' instead of 'narinfo' and '%signature'.
("query narinfo signed with authorized key", "query narinfo signed
with unauthorized key", "substitute, invalid hash", "substitute,
unauthorized key"): Likewise.
2014-03-30 21:35:22 +02:00
|
|
|
|
;; The hash in the signature differs from the hash of %NARINFO.
|
|
|
|
|
|
(with-narinfo (string-append %narinfo "Signature: "
|
|
|
|
|
|
(signature-field "different body")
|
|
|
|
|
|
"\n")
|
2015-03-25 10:34:27 +01:00
|
|
|
|
(guix-substitute "--substitute"
|
|
|
|
|
|
(string-append (%store-prefix)
|
|
|
|
|
|
"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo")
|
|
|
|
|
|
"foo")))
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
|
2014-03-30 22:25:47 +02:00
|
|
|
|
(test-quit "substitute, unauthorized key"
|
substitute: Download from unauthorized sources that provide the right content.
This allows substitutes to be downloaded from unauthorized servers, as
long as they advertise the same hash and references as one of the
authorized servers.
* guix/scripts/substitute.scm (assert-valid-narinfo): Remove.
(valid-narinfo?): Add #:verbose?. Handle each case of
'signature-case'.
(equivalent-narinfo?): New procedure.
(lookup-narinfos/diverse): Add 'authorized?' parameter and honor it.
[select-hit]: New procedure.
(lookup-narinfo): Add 'authorized?' parameter and pass it.
(process-query): Adjust callers accordingly.
(process-substitution): Remove call to 'assert-valid-narinfo'. Check
whether 'lookup-narinfo' returns true and call 'leave' if not.
* tests/substitute.scm (%main-substitute-directory)
(%alternate-substitute-directory): New variables.
(call-with-narinfo): Make 'narinfo-directory' a parameter. Call
'mkdir-p' to create it. Change unwind handler to check whether
CACHE-DIRECTORY exists before deleting it.
(with-narinfo*): New macro.
("substitute, no signature")
("substitute, invalid hash")
("substitute, unauthorized key"): Change expected error message to "no
valid substitute".
("substitute, unauthorized narinfo comes first")
("substitute, unsigned narinfo comes first")
("substitute, first narinfo is unsigned and has wrong hash")
("substitute, first narinfo is unsigned and has wrong refs")
("substitute, unsigned narinfo comes first")
("substitute, two invalid narinfos"): New tests.
* doc/guix.texi (Substitutes): Explain the new behavior.
2017-09-01 00:15:31 +02:00
|
|
|
|
"no valid substitute"
|
tests: Simplify 'substitute-binary' tests; reduce use of global variables.
* tests/substitute-binary.scm (signature-body): Change 'str' parameter
to 'bv', and expect it to be a bytevector.
(%signature-body, %wrong-signature, %acl): Remove.
(signature): Rename to...
(signature-field): ... this. Add 'bv-or-str' parameter. Change 'str'
parameter to #:version. Add #:public-key parameter. Call
'signature-body' directly. Change domain part of the signature to
'example.gnu.org'.
("not a number", "wrong version number", "valid
narinfo-signature->canonical-sexp"): Use 'signature-field' instead of
'signature' or %SIGNATURE.
(test-error-condition): Add 'message-rx' parameter and honor it.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Adjust accordingly.
(narinfo, %signed-narinfo): Remove.
("query narinfo with invalid hash"): Use '%narinfo' and
'signature-field' instead of 'narinfo' and '%signature'.
("query narinfo signed with authorized key", "query narinfo signed
with unauthorized key", "substitute, invalid hash", "substitute,
unauthorized key"): Likewise.
2014-03-30 21:35:22 +02:00
|
|
|
|
(with-narinfo (string-append %narinfo "Signature: "
|
|
|
|
|
|
(signature-field
|
|
|
|
|
|
%narinfo
|
|
|
|
|
|
#:public-key %wrong-public-key)
|
|
|
|
|
|
"\n")
|
2015-03-25 10:34:27 +01:00
|
|
|
|
(guix-substitute "--substitute"
|
|
|
|
|
|
(string-append (%store-prefix)
|
|
|
|
|
|
"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo")
|
|
|
|
|
|
"foo")))
|
2014-03-29 00:06:41 +01:00
|
|
|
|
|
2014-03-30 22:11:22 +02:00
|
|
|
|
(test-equal "substitute, authorized key"
|
|
|
|
|
|
"Substitutable data."
|
|
|
|
|
|
(with-narinfo (string-append %narinfo "Signature: "
|
|
|
|
|
|
(signature-field %narinfo))
|
|
|
|
|
|
(dynamic-wind
|
|
|
|
|
|
(const #t)
|
|
|
|
|
|
(lambda ()
|
2015-03-25 10:34:27 +01:00
|
|
|
|
(guix-substitute "--substitute"
|
|
|
|
|
|
(string-append (%store-prefix)
|
|
|
|
|
|
"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo")
|
|
|
|
|
|
"substitute-retrieved")
|
2014-03-30 22:11:22 +02:00
|
|
|
|
(call-with-input-file "substitute-retrieved" get-string-all))
|
|
|
|
|
|
(lambda ()
|
|
|
|
|
|
(false-if-exception (delete-file "substitute-retrieved"))))))
|
|
|
|
|
|
|
substitute: Download from unauthorized sources that provide the right content.
This allows substitutes to be downloaded from unauthorized servers, as
long as they advertise the same hash and references as one of the
authorized servers.
* guix/scripts/substitute.scm (assert-valid-narinfo): Remove.
(valid-narinfo?): Add #:verbose?. Handle each case of
'signature-case'.
(equivalent-narinfo?): New procedure.
(lookup-narinfos/diverse): Add 'authorized?' parameter and honor it.
[select-hit]: New procedure.
(lookup-narinfo): Add 'authorized?' parameter and pass it.
(process-query): Adjust callers accordingly.
(process-substitution): Remove call to 'assert-valid-narinfo'. Check
whether 'lookup-narinfo' returns true and call 'leave' if not.
* tests/substitute.scm (%main-substitute-directory)
(%alternate-substitute-directory): New variables.
(call-with-narinfo): Make 'narinfo-directory' a parameter. Call
'mkdir-p' to create it. Change unwind handler to check whether
CACHE-DIRECTORY exists before deleting it.
(with-narinfo*): New macro.
("substitute, no signature")
("substitute, invalid hash")
("substitute, unauthorized key"): Change expected error message to "no
valid substitute".
("substitute, unauthorized narinfo comes first")
("substitute, unsigned narinfo comes first")
("substitute, first narinfo is unsigned and has wrong hash")
("substitute, first narinfo is unsigned and has wrong refs")
("substitute, unsigned narinfo comes first")
("substitute, two invalid narinfos"): New tests.
* doc/guix.texi (Substitutes): Explain the new behavior.
2017-09-01 00:15:31 +02:00
|
|
|
|
(test-equal "substitute, unauthorized narinfo comes first"
|
|
|
|
|
|
"Substitutable data."
|
|
|
|
|
|
(with-narinfo*
|
|
|
|
|
|
(string-append %narinfo "Signature: "
|
|
|
|
|
|
(signature-field
|
|
|
|
|
|
%narinfo
|
|
|
|
|
|
#:public-key %wrong-public-key))
|
|
|
|
|
|
%alternate-substitute-directory
|
|
|
|
|
|
|
|
|
|
|
|
(with-narinfo* (string-append %narinfo "Signature: "
|
|
|
|
|
|
(signature-field %narinfo))
|
|
|
|
|
|
%main-substitute-directory
|
|
|
|
|
|
|
|
|
|
|
|
(dynamic-wind
|
|
|
|
|
|
(const #t)
|
|
|
|
|
|
(lambda ()
|
|
|
|
|
|
;; Remove this file so that the substitute can only be retrieved
|
|
|
|
|
|
;; from %ALTERNATE-SUBSTITUTE-DIRECTORY.
|
|
|
|
|
|
(delete-file (string-append %main-substitute-directory
|
|
|
|
|
|
"/example.nar"))
|
|
|
|
|
|
|
|
|
|
|
|
(parameterize ((substitute-urls
|
|
|
|
|
|
(map (cut string-append "file://" <>)
|
|
|
|
|
|
(list %alternate-substitute-directory
|
|
|
|
|
|
%main-substitute-directory))))
|
|
|
|
|
|
(guix-substitute "--substitute"
|
|
|
|
|
|
(string-append (%store-prefix)
|
|
|
|
|
|
"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo")
|
|
|
|
|
|
"substitute-retrieved"))
|
|
|
|
|
|
(call-with-input-file "substitute-retrieved" get-string-all))
|
|
|
|
|
|
(lambda ()
|
|
|
|
|
|
(false-if-exception (delete-file "substitute-retrieved")))))))
|
|
|
|
|
|
|
|
|
|
|
|
(test-equal "substitute, unsigned narinfo comes first"
|
|
|
|
|
|
"Substitutable data."
|
|
|
|
|
|
(with-narinfo* %narinfo ;not signed!
|
|
|
|
|
|
%alternate-substitute-directory
|
|
|
|
|
|
|
|
|
|
|
|
(with-narinfo* (string-append %narinfo "Signature: "
|
|
|
|
|
|
(signature-field %narinfo))
|
|
|
|
|
|
%main-substitute-directory
|
|
|
|
|
|
|
|
|
|
|
|
(dynamic-wind
|
|
|
|
|
|
(const #t)
|
|
|
|
|
|
(lambda ()
|
|
|
|
|
|
;; Remove this file so that the substitute can only be retrieved
|
|
|
|
|
|
;; from %ALTERNATE-SUBSTITUTE-DIRECTORY.
|
|
|
|
|
|
(delete-file (string-append %main-substitute-directory
|
|
|
|
|
|
"/example.nar"))
|
|
|
|
|
|
|
|
|
|
|
|
(parameterize ((substitute-urls
|
|
|
|
|
|
(map (cut string-append "file://" <>)
|
|
|
|
|
|
(list %alternate-substitute-directory
|
|
|
|
|
|
%main-substitute-directory))))
|
|
|
|
|
|
(guix-substitute "--substitute"
|
|
|
|
|
|
(string-append (%store-prefix)
|
|
|
|
|
|
"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo")
|
|
|
|
|
|
"substitute-retrieved"))
|
|
|
|
|
|
(call-with-input-file "substitute-retrieved" get-string-all))
|
|
|
|
|
|
(lambda ()
|
|
|
|
|
|
(false-if-exception (delete-file "substitute-retrieved")))))))
|
|
|
|
|
|
|
|
|
|
|
|
(test-equal "substitute, first narinfo is unsigned and has wrong hash"
|
|
|
|
|
|
"Substitutable data."
|
|
|
|
|
|
(with-narinfo* (regexp-substitute #f
|
|
|
|
|
|
(string-match "NarHash: [[:graph:]]+"
|
|
|
|
|
|
%narinfo)
|
|
|
|
|
|
'pre
|
|
|
|
|
|
"NarHash: sha256:"
|
|
|
|
|
|
(bytevector->nix-base32-string
|
|
|
|
|
|
(make-bytevector 32))
|
|
|
|
|
|
'post)
|
|
|
|
|
|
%alternate-substitute-directory
|
|
|
|
|
|
|
|
|
|
|
|
(with-narinfo* (string-append %narinfo "Signature: "
|
|
|
|
|
|
(signature-field %narinfo))
|
|
|
|
|
|
%main-substitute-directory
|
|
|
|
|
|
|
|
|
|
|
|
(dynamic-wind
|
|
|
|
|
|
(const #t)
|
|
|
|
|
|
(lambda ()
|
|
|
|
|
|
;; This time remove the file so that the substitute can only be
|
|
|
|
|
|
;; retrieved from %MAIN-SUBSTITUTE-DIRECTORY.
|
|
|
|
|
|
(delete-file (string-append %alternate-substitute-directory
|
|
|
|
|
|
"/example.nar"))
|
|
|
|
|
|
|
|
|
|
|
|
(parameterize ((substitute-urls
|
|
|
|
|
|
(map (cut string-append "file://" <>)
|
|
|
|
|
|
(list %alternate-substitute-directory
|
|
|
|
|
|
%main-substitute-directory))))
|
|
|
|
|
|
(guix-substitute "--substitute"
|
|
|
|
|
|
(string-append (%store-prefix)
|
|
|
|
|
|
"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo")
|
|
|
|
|
|
"substitute-retrieved"))
|
|
|
|
|
|
(call-with-input-file "substitute-retrieved" get-string-all))
|
|
|
|
|
|
(lambda ()
|
|
|
|
|
|
(false-if-exception (delete-file "substitute-retrieved")))))))
|
|
|
|
|
|
|
|
|
|
|
|
(test-equal "substitute, first narinfo is unsigned and has wrong refs"
|
|
|
|
|
|
"Substitutable data."
|
|
|
|
|
|
(with-narinfo* (regexp-substitute #f
|
|
|
|
|
|
(string-match "References: ([^\n]+)\n"
|
|
|
|
|
|
%narinfo)
|
|
|
|
|
|
'pre "References: " 1
|
|
|
|
|
|
" wrong set of references\n"
|
|
|
|
|
|
'post)
|
|
|
|
|
|
%alternate-substitute-directory
|
|
|
|
|
|
|
|
|
|
|
|
(with-narinfo* (string-append %narinfo "Signature: "
|
|
|
|
|
|
(signature-field %narinfo))
|
|
|
|
|
|
%main-substitute-directory
|
|
|
|
|
|
|
|
|
|
|
|
(dynamic-wind
|
|
|
|
|
|
(const #t)
|
|
|
|
|
|
(lambda ()
|
|
|
|
|
|
;; This time remove the file so that the substitute can only be
|
|
|
|
|
|
;; retrieved from %MAIN-SUBSTITUTE-DIRECTORY.
|
|
|
|
|
|
(delete-file (string-append %alternate-substitute-directory
|
|
|
|
|
|
"/example.nar"))
|
|
|
|
|
|
|
|
|
|
|
|
(parameterize ((substitute-urls
|
|
|
|
|
|
(map (cut string-append "file://" <>)
|
|
|
|
|
|
(list %alternate-substitute-directory
|
|
|
|
|
|
%main-substitute-directory))))
|
|
|
|
|
|
(guix-substitute "--substitute"
|
|
|
|
|
|
(string-append (%store-prefix)
|
|
|
|
|
|
"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo")
|
|
|
|
|
|
"substitute-retrieved"))
|
|
|
|
|
|
(call-with-input-file "substitute-retrieved" get-string-all))
|
|
|
|
|
|
(lambda ()
|
|
|
|
|
|
(false-if-exception (delete-file "substitute-retrieved")))))))
|
|
|
|
|
|
|
|
|
|
|
|
(test-quit "substitute, two invalid narinfos"
|
|
|
|
|
|
"no valid substitute"
|
|
|
|
|
|
(with-narinfo* %narinfo ;not signed
|
|
|
|
|
|
%alternate-substitute-directory
|
|
|
|
|
|
|
|
|
|
|
|
(with-narinfo* (string-append %narinfo "Signature: " ;unauthorized
|
|
|
|
|
|
(signature-field
|
|
|
|
|
|
%narinfo
|
|
|
|
|
|
#:public-key %wrong-public-key))
|
|
|
|
|
|
%main-substitute-directory
|
|
|
|
|
|
|
|
|
|
|
|
(guix-substitute "--substitute"
|
|
|
|
|
|
(string-append (%store-prefix)
|
|
|
|
|
|
"/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo")
|
|
|
|
|
|
"substitute-retrieved"))))
|
|
|
|
|
|
|
2015-03-25 10:34:27 +01:00
|
|
|
|
(test-end "substitute")
|
2014-03-29 00:06:41 +01:00
|
|
|
|
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
;;; Local Variables:
|
|
|
|
|
|
;;; eval: (put 'with-narinfo 'scheme-indent-function 1)
|
substitute: Download from unauthorized sources that provide the right content.
This allows substitutes to be downloaded from unauthorized servers, as
long as they advertise the same hash and references as one of the
authorized servers.
* guix/scripts/substitute.scm (assert-valid-narinfo): Remove.
(valid-narinfo?): Add #:verbose?. Handle each case of
'signature-case'.
(equivalent-narinfo?): New procedure.
(lookup-narinfos/diverse): Add 'authorized?' parameter and honor it.
[select-hit]: New procedure.
(lookup-narinfo): Add 'authorized?' parameter and pass it.
(process-query): Adjust callers accordingly.
(process-substitution): Remove call to 'assert-valid-narinfo'. Check
whether 'lookup-narinfo' returns true and call 'leave' if not.
* tests/substitute.scm (%main-substitute-directory)
(%alternate-substitute-directory): New variables.
(call-with-narinfo): Make 'narinfo-directory' a parameter. Call
'mkdir-p' to create it. Change unwind handler to check whether
CACHE-DIRECTORY exists before deleting it.
(with-narinfo*): New macro.
("substitute, no signature")
("substitute, invalid hash")
("substitute, unauthorized key"): Change expected error message to "no
valid substitute".
("substitute, unauthorized narinfo comes first")
("substitute, unsigned narinfo comes first")
("substitute, first narinfo is unsigned and has wrong hash")
("substitute, first narinfo is unsigned and has wrong refs")
("substitute, unsigned narinfo comes first")
("substitute, two invalid narinfos"): New tests.
* doc/guix.texi (Substitutes): Explain the new behavior.
2017-09-01 00:15:31 +02:00
|
|
|
|
;;; eval: (put 'with-narinfo* 'scheme-indent-function 2)
|
2014-03-30 22:25:47 +02:00
|
|
|
|
;;; eval: (put 'test-quit 'scheme-indent-function 2)
|
substitute-binary: Defer narinfo authentication and authorization checks.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Catch 'gcry-error' around 'string->canonical-sexp' call, and re-raise
as a SRFI-35 &message and &nar-signature-error.
(narinfo-maker): Handle when SIGNATURE is #f or an invalid canonical
sexp.
(&nar-signature-error, &nar-invalid-hash-error): New variables.
(assert-valid-signature): Use them. Expect 'signature' to be a
canonical sexp.
(read-narinfo): Remove authentication and authorization checks.
(%signature-line-rx): New variable.
(assert-valid-narinfo, valid-narinfo?): New procedures.
(guix-substitute-binary): Wrap body in 'with-error-handling'.
[valid?]: New procedure.
<--query>: Show only store items of narinfos that match
'valid-narinfo?'.
<--substitute>: Call 'assert-valid-narinfo'.
* tests/substitute-binary.scm (test-error*): Use 'test-equal'.
(%keypair): Remove.
(%public-key, %private-key): Load from signing-key.{pub,sec}.
(signature-body): Add #:public-key parameter.
(call-with-narinfo): New procedure.
(with-narinfo): New macro.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Make the first argument to 'assert-valid-signature' a
canonical sexp.
("invalid hash", "valid read-narinfo", "valid write-narinfo"):
Remove.
("query narinfo with invalid hash", "query narinfo signed with
authorized key", "query narinfo signed with unauthorized key",
"substitute, invalid hash", "substitute, unauthorized key"): New
tests.
2014-03-30 22:29:35 +02:00
|
|
|
|
;;; End:
|