guix-devel

wip-signed-archives progress report


From: Ludovic Courtès
Subject: wip-signed-archives progress report
Date: Thu, 27 Mar 2014 00:02:38 +0100
User-agent: Gnus/5.130007 (Ma Gnus v0.7) Emacs/24.3 (gnu/linux)

hydra.gnu.org now signs binaries.  More precisely, it signs the
meta-data of binaries, aka. “narinfos”:

--8<---------------cut here---------------start------------->8---
$ wget -q -O - http://hydra.gnu.org/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk.narinfo
StorePath: /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3
URL: nar/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3
Compression: bzip2
NarHash: sha256:02xnn63ib2zs0k2dvkk9f6k7d4g1s6pm1ryjlzg3h98b88bch7n9
NarSize: 100956560
References: 1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3 
250yb9lr5018sc1092xb0fikarqsh55r-findutils-4.4.2 
2ygn4ncnhrpr61rssa6z0d9x22si0va3-libjpeg-8d 
34lb360x0m8ilmqlzmvk1s2rgm416l5s-gdk-pixbuf-2.28.2 
394ijzg3g53i77q9400j22w1wamcjkxs-xz-5.0.4 
3b0179h37dd19xc1k73cy8s75ja4pmba-grep-2.18 
3j9cmj0l4g37gi804y8yvnig0yqgm2xg-gzip-1.6 
499l505sasqwxcimsvf7h6if2bnyq785-cairo-1.12.16 
6ax9s08vya8dsfda8yr0swk5g3f0b189-atk-2.10.0 
6z7k9ms4sf367c3phl7djhb740ly3dqi-gcc-4.8.2 
7zdhgp0n1518lvfn8mb96sxqfmvqrl7v-libxrender-0.9.7 
8f15savrvf13z1z9hi5cb5l6akdx4gzr-zlib-1.2.7 
91l8glwrsv0cdc53viq4i0x0x7qjrbgj-make-4.0 
a9pdkvz3xiyp01xl8gcl1y6mjij0h86k-pkg-config-0.27.1 
cvc6x0brfnrxsrk2f48c6dhh4brf05d9-coreutils-8.22 
d12n5r59rhvc2b86agsp2gzsad41gr3p-pango-1.34.1 
fkmxw4d9xrabvpg3mv2l529cw7gw27n5-libtasn1-3.4 
hf5kklv837xbfcv6gc7gpsj36l69j3sj-glibc-2.19 
hg75n2sbpmwnxw4v4bvn1i304r5s3dfh-libtiff-4.0.3 
imc4v341rb93k8rialj5baxzdh63w2xr-nettle-2.7.1 
j96wdn8q41jd62n6p6viv2wl9l2100b3-gtk+-2.24.21 
jm0qk1n234f7l8s8zp8fpa13m8w91ikv-diffutils-3.3 
lxszay94rraffzfjmzlvpa5z02h9xlfz-gnutls-3.2.12 
m56m1y8inkplafq2859vaflwrwa0c3jf-which-2.20 
malv41q53gmwvrzm6mfpv7g4s95rzxik-libsm-1.2.1 
n1chwrwzq94120d3zfcyd9yr11r0jbsb-sed-4.2.2 
naxqxdf7f6lfpy4h481h8j8hs2r44v09-libpng-1.5.17 
nsv3rg9i3rn29j1nk4lr26pxazpmd75g-tar-1.27.1 
nw5y8klybqh3wn0xc66b1dfjafs5hybv-freetype-2.4.11 
plw2fk911b33n75ylmrqkfwkhwg75ydv-binutils-2.24 
pvvizw77i06pjq7kv1iz57kl68xd7bnr-libxpm-3.5.10 
q6v9b91x3hcikmnf6s3vhjzpjdrkdp6y-texinfo-5.2 
qca6ipcph0rx8fsmcbib1qphqgv2rhl0-libxft-2.3.1 
qfvvhq9m6jfsn7k9a4rzik3p6hmdq397-libx11-1.5.0 
r26x0ibxcg8h71j01dcyc27lpa7kc87f-patch-2.7.1 
rrbw3d1dl4njp2nnb84x8mlnmhdcvfxp-libxml2-2.9.0 
sw5gnvc1q14pyiw5d7xc47xcy942gsf5-gawk-4.1.0 
v5wr09jhn17ami1k844r6y6n3sy6y0kr-fontconfig-2.10.93 
vkgwsi1vi2k91y22clf42z2qxydyxfbb-bzip2-1.0.6 
vw8ipma5jgy2a5nczwh9bxsc99w67yy5-glib-2.39.1 
wfppwmx7lsqm0hpachkzs90m0c1zqxiv-ld-wrapper-0 
wfrjbxjapgqb9pqnwck35r8kb9gj435i-harfbuzz-0.9.22 
xa3hd1y4yx0z18ya3zk2p6zlc0f2hr3g-libice-1.0.8 
xhd2xdv16b64ajkdd7pbkklrq5fmn28i-bash-4.3 
yagg8zjdz367qiwspm8ssgny47inrn8f-alsa-lib-1.0.27.1 
yxaqk5vj602m6waasvrg30hm09ln501w-giflib-4.2.3 
zjwc4x53rpim4j3hmspzpv0k3n4kgv0n-dbus-1.6.4 
zysrgzapv5vzjqrbcz2y3ksi9w651876-ncurses-5.9
Deriver: 2nbrvsf3g3xl3bwh3cfvb2rvwsc8n0kn-emacs-24.3.drv
System: x86_64-linux
Signature: 1;hydra.gnu.org;…
--8<---------------cut here---------------end--------------->8---

The Signature line above is a base64-encoded canonical sexp signature
(as for ‘guix archive’.)

With Hydra now ready, I’ve done some testing with Nikita’s cool work on
adding support for authentication/authorization of signed binaries.

Here’s a sample session, using the internal interface to ‘guix
substitute-binary’, with wip-signed-archives:

--8<---------------cut here---------------start------------->8---
$ echo "have /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3" | sudo ./pre-inst-env guix substitute-binary --query


$ sudo ./pre-inst-env guix substitute-binary --substitute /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3 foo

guix substitute-binary: error: unauthorized public key

$ cat hydra-key.pub | sudo guix archive --authorize

$ echo "have /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3" | sudo ./pre-inst-env guix substitute-binary --query

/gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3
--8<---------------cut here---------------end--------------->8---

What we see here is that ‘has-substitutes?’ requests simply return #f if
a substitute is available but is invalid (lacks a signature, or has a
wrong signature, or is signed by an unauthorized key.)  ‘--substitute’
requests error out when that happens.

Nikita: comments welcome on the two commits I just pushed in
wip-signed-archives.

I’ll try to add tests for that, but overall, it seems to be getting into
shape!

Thanks,
Ludo’.
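
The accept/reject behaviour described in the message above, as an added example that is not part of the original post and is not Guix code: a narinfo parser that splits the `Signature` field and treats an invalid substitute as absent for queries but as an error for substitution. Assumptions: an HMAC stands in for the canonical sexp public-key signature, the signature covers the lines above `Signature:`, and all function names, the key id and the secret are hypothetical.

```python
import base64, hashlib, hmac

def parse_narinfo(text):
    """Split a narinfo into (fields, signed_text, signature_value)."""
    head, _, sig = text.partition("\nSignature:")
    signed = head + "\n"   # assumption: the signature covers the lines above it
    # Only fields from the signed part are returned, so nothing unsigned is trusted.
    fields = dict(l.split(": ", 1) for l in signed.splitlines() if ": " in l)
    return fields, signed, sig.strip()

def check(text, acl):
    """Return None when the narinfo is acceptable, else the reason it is not."""
    fields, signed, sig = parse_narinfo(text)
    if not sig:
        return "missing signature"
    try:
        version, host, blob = sig.split(";", 2)   # shape: 1;hydra.gnu.org;<base64>
        key_id, mac = base64.b64decode(blob, validate=True).decode().split(":")
    except ValueError:
        return "malformed signature"
    if version != "1":             # assumption: the first field is a format version
        return "unsupported signature version"
    if key_id not in acl:          # acl models the keys added with --authorize
        return "unauthorized public key"
    good = hmac.new(acl[key_id], signed.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(mac.encode(), good.encode())
    return None if ok else "invalid signature"

def query(text, acl):
    """Models a has-substitutes? request: an invalid substitute is just absent."""
    return check(text, acl) is None

def substitute(text, acl):
    """Models a --substitute request: an invalid substitute is an error."""
    reason = check(text, acl)
    if reason:
        raise PermissionError(reason)
    return parse_narinfo(text)[0]["StorePath"]

# Constructed sample data (the key id and secret passed in are made up).
BODY = ("StorePath: /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3\n"
        "URL: nar/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3\n"
        "Compression: bzip2\n")

def make_narinfo(body, key_id, secret):
    """Build a signed sample narinfo using the stand-in HMAC scheme."""
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    blob = base64.b64encode(f"{key_id}:{mac}".encode()).decode()
    return f"{body}Signature: 1;hydra.gnu.org;{blob}\n"
```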


