From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: Signed archives (preliminary patch)
Date: Sun, 09 Mar 2014 23:35:03 +0100
Message-ID: <87a9cz9f1k.fsf@gnu.org>
In-Reply-To: <87k3c4joyt.fsf@karetnikov.org> (Nikita Karetnikov's message of "Sun, 09 Mar 2014 02:38:18 +0400")
To: Nikita Karetnikov
Cc: guix-devel@gnu.org

Nikita Karetnikov wrote:

> I think the current docstring of ‘assert-valid-signature’ is not correct
> since ‘signature’ must be a string (as produced by
> ‘canonical-sexp->string’), not an sexp.

In guix/nar.scm, the comment is:

  (define (assert-valid-signature signature hash file)
    ;; Bail out if SIGNATURE, an sexp, doesn't match HASH, a bytevector
    ;; containing the expected hash for FILE.

and indeed, SIGNATURE must be a string here.

> Similarly, the “signature is not a valid s-expression” and “corrupt
> signature data” messages are a bit confusing due to the way
> ‘string->canonical-sexp’ works (try ‘string->canonical-sexp "foo"’).
> But I may be wrong about the latter.

Ah right, you could get “corrupt signature data” when
(string->canonical-sexp signature) returns the null canonical sexp,
whereas you’d want “not a valid s-expression”.

Well, we can fix that in a separate patch if you want.

> +(define* (assert-valid-signature signature hash port
> +                                 #:optional (acl (current-acl)))
> +  ;; Bail out if SIGNATURE, a string, doesn't match HASH, a bytevector
> +  ;; containing the expected hash for PORT.

Make it a docstring.

Also, please make this change a separate patch.

> +  (let* ((file (port-filename port))

I don’t think this will work, because most of the time PORT is a pipe
(an input port), whereas FILE is supposed to be the name of the file
being restored.

> +                  (raise (condition (&message (message "invalid hash"))
> +                                    (&nar-invalid-hash-error
> +                                     (port port) (file file)
> +                                     (signature signature)
> +                                     (expected (hash-data->bytevector data))
> +                                     (actual hash)))))
> +            (raise (condition (&message (message "unauthorized public key"))
> +                              (&nar-signature-error
> +                               (signature signature) (file file) (port port)))))
> +        (raise (condition
> +                (&message (message "corrupt signature data"))
> +                (&nar-signature-error
> +                 (signature signature) (file file) (port port)))))))

Actually, the problem with making ‘assert-valid-signature’ public is
that it raises &nar error conditions.

It could be changed to raise a more generic &signature-error, but then
‘restore-file-set’ would have to guard against it to re-throw it along
with a &nar-error (making a compound condition.)  And then ui.scm would
figure it out.  Blech.

It’s worth factorizing, but I don’t see how to do it nicely.  Thoughts?

> +(define (parse-signature str)
> +  "Return the value of a narinfo's 'Signature' field as a canonical sexp."

I don’t remember if I said it before, but I’d prefer a name like
‘narinfo-signature->canonical-sexp’.

> +(define* (read-narinfo port #:optional url (acl (current-acl)))
> +  "Read a narinfo from PORT.  If URL is true, it must be a string used to
> +build full URIs from relative URIs found while reading PORT."
> +  (let* ((str (begin (set-port-encoding! port "UTF-8")
> +                     (get-string-all port))))

Rather set the encoding when PORT is created, or use

  (utf8->string (get-bytevector-all port))

That’s it.  Did I miss something?

Thanks,
Ludo’.
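Review bot: in the three raise sites of the assert-valid-signature hunk, the (file file) field is taken from the FILE bound by (port-filename port) just above, which yields #f whenever PORT is a pipe, so all three conditions would carry no file name and the "invalid hash" / "corrupt signature data" diagnostics could not say which file failed; pass FILE as an explicit parameter next to PORT rather than deriving it from the port. The "unauthorized public key" condition also records only (signature signature) (file file) (port port) and not the key that was rejected, so the caller has no way to report which key is missing from the ACL.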
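Review bot: the parse-signature docstring says it returns a canonical sexp but does not say what happens when STR is not a valid s-expression, the case discussed earlier in this message where ‘string->canonical-sexp’ hands back the null canonical sexp instead of signalling an error; document whether the function raises or returns that null value, since callers that treat any non-error result as a signature would otherwise fall through to a misleading "corrupt signature data" report.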
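Review bot: in the read-narinfo hunk, (set-port-encoding! port "UTF-8") inside the let* mutates a port the caller owns, and that change persists after read-narinfo returns, so a caller that goes on reading from the same port gets different decoding than before the call; read the raw bytes and decode them locally with (utf8->string (get-bytevector-all port)), which leaves the port's encoding untouched, and drop the begin form.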