* guix/scripts/substitute-binary.scm (<narinfo>): Add the 'signature'
and 'contents' fields.
(narinfo-signature->canonical-sexp): New function.
(narinfo-maker): Add the 'signature' argument and use it.
(assert-valid-signature): New function.
(read-narinfo): Support the Signature field.
(write-narinfo): Use 'narinfo-contents'.
(%allow-unauthenticated-substitutes?): New variable.
* guix/base64.scm, tests/base64.scm, tests/substitute-binary.scm: New files.
* Makefile.am (SCM_TESTS): Add tests/base64.scm and
tests/substitute-binary.scm.
(MODULES): Add guix/base64.scm.
* test-env.in: Set 'GUIX_ALLOW_UNAUTHENTICATED_SUBSTITUTES'.
* guix/utils.scm (call-with-decompressed-port,
call-with-compressed-output-port): New procedures.
* tests/utils.scm ("compressed-output-port + decompressed-port"):
Rewrite to use them.
* guix/scripts/authenticate.scm (guix-authenticate): Add clauses
for ("rsautl" "-sign" "-inkey" key) and ("rsautl" "-verify" "-inkey" _
"-pubin").
* tests/guix-authenticate.sh (hash): Add test using -sign and -verify in
a pipeline.
* guix/utils.scm (decompressed-port, compressed-port): New procedures.
* guix/scripts/substitute-binary.scm (decompressed-port): Remove.
(guix-substitute-binary): Pass a symbol or #f as the first argument to
'decompress-port'.
* tests/utils.scm ("compressed-port, decompressed-port, non-file"): New
test.
* guix/utils.scm (filtered-port): Make sure the 'execl' child process
always exits, and does (primitive-_exit 1) upon execution failure.
Use 'primitive-_exit' in the 'dump-port' child process.
* tests/utils.scm ("filtered-port, does not exist"): New test.
* guix/pk-crypto.scm (gcrypt-version): New procedure.
* guix/scripts/archive.scm (%key-generation-parameters): New variable.
(%options) <generate-key>: Use it.
* tests/pk-crypto.scm ("sign + verify, Ed25519"): Skip if using gcrypt < 1.6.0.
* guix/pk-crypto.scm (bytevector->hash-data): Add #:key-type parameter.
Use the 'pkcs1' flag when KEY-TYPE is 'rsa', and 'rfc6979' when
KEY-TYPE is 'ecc' or 'dsa'.
(key-type): New procedure.
* guix/scripts/authenticate.scm (read-hash-data): Add 'key-type'
parameter. Pass it to 'bytevector->hash-data'. Adjust caller
accordingly.
* tests/pk-crypto.scm (%ecc-key-pair): New variable.
("key-type"): New test.
("sign + verify"): Pass #:key-type to 'bytevector->hash-data'.
("sign + verify, Ed25519"): New test.
Reported by Nikita Karetnikov <nikita@karetnikov.org>
and Pierre-Antoine Rault <par@rigelk.eu>.
* test-env.in: Change 'NIX_LOG_DIR' in accordance with f5768af.
* tests/guix-register.sh: Likewise for 'NIX_LOG_DIR' and 'NIX_DB_DIR'.
* tests/utils.scm (temp-file): New variable.
("fcntl-flock"): Rewrite to actually test whether the child process
waits for the lock to be released. The previous test was wrong
because (1) it expected F_SETLK semantics, not F_SETLKW, and (2) it
got EBADF because of a mismatch between the open mode and the lock
style.
* guix/nar.scm (write-file) <directory>: Pass 'string<?' as the second
argument to 'scandir'.
* tests/nar.scm ("write-file puts file in C locale collation order"):
New test.
* guix/derivations.scm (<derivation-output>): Add 'recursive?' field.
Adjust 'make-derivation-output' callers.
(%read-derivation) <fixed-output>: When HASH-ALGO starts with 'r:',
set the 'recursive?' field and drop 'r:' from the hash algo name.
(write-derivation)[write-output]: Write the algo as 'r:HASH-ALGO' when
the RECURSIVE? field is set.
(derivation-hash) <fixed-output>: Prepend "r:" when RECURSIVE? is set.
(fixed-output-path): New procedure.
(derivation): Add #:recursive? parameter. Use 'fixed-output-path' to
compute the output file name of a fixed output derivation.
(build-expression->derivation): Add #:recursive? parameter. Pass it
to 'derivation'.
* tests/derivations.scm ("fixed-output derivation, recursive",
"build-expression->derivation produces recursive fixed-output",
"build-expression->derivation uses recursive fixed-output"): New
tests.
* doc/guix.texi (Derivations): Document #:recursive? for 'derivation'.
Add #:recursive? for 'build-expression->derivation'.
* guix/scripts/hash.scm (show-help): Add --recursive.
(%options): Likewise.
(guix-hash)[file-hash]: New procedure. Honor --recursive.
Use it.
* guix/nar.scm (write-file): Add missing field to the &nar-error
condition raised upon unsupported file type; change its message to be
more descriptive.
* tests/guix-hash.sh: Add tests with -r.
* doc/guix.texi (Invoking guix hash): Document --recursive.
* guix/monads.scm (text-file*): New procedure.
* tests/monads.scm ("text-file*"): New test.
* doc/guix.texi (The Store Monad): Change example since the previous one
would erroneously fail to retain a reference to Coreutils. Document
'text-file*'.
* guix/store.scm (topologically-sorted): New procedure.
* tests/store.scm ("topologically-sorted, one item",
"topologically-sorted, several items", "topologically-sorted, more
difficult"): New tests.
* nix/guix-register/guix-register.cc (register_validity): Leave
'info.path' unmodified when PREFIX is empty.
(main): Call 'settings.processEnvironment' early on.
Leave 'settings.nixStore' unmodified when PREFIX is empty.
* guix/scripts/package.scm (leave-on-EPIPE): New macro.
(guix-package): Use it for 'list-installed', 'list-available', and
'--list-generations'.
* tests/guix-package.sh: Add test.
* guix/scripts/archive.scm (authorize-key): New procedure.
(guix-archive): Call it when OPTS contains 'authorize-key'.
* tests/guix-archive.sh: Add test with invalid public key.
* guix/pki.scm: Export '%acl-file'.
* doc/guix.texi (Invoking guix archive): Make it clear that '--import'
works only with authorized keys. Document '--authorize'.
* guix/pk-crypto.scm (token-string?): New procedure.
(canonical-sexp-nth-data): Return a symbol when the element is a
"token", and a bytevector otherwise.
(latin1-string->bytevector): Remove.
(hash-data->bytevector): Adjust accordingly.
* tests/pk-crypto.scm ("canonical-sexp-nth"): Adjust accordingly. Add
octet string example.
* guix/scripts/authenticate.scm (signature-sexp): New procedure.
(guix-authenticate): Use it to produce the signature. Adjust
verification code accordingly.
* tests/store.scm ("import corrupt path"): Adjust test accordingly.
* guix/pk-crypto.scm: Rename procedures, variables, etc. from
'gcry-sexp' to 'canonical-sexp'. Add comment with references.
* guix/scripts/authenticate.scm, tests/pk-crypto.scm: Adjust
accordingly.
Nikita Karetnikov