* wip-signed-archives progress report
@ 2014-03-26 23:02 Ludovic Courtès
From: Ludovic Courtès @ 2014-03-26 23:02 UTC
  To: guix-devel

hydra.gnu.org now signs binaries.  More precisely, it signs the
meta-data of binaries, aka. “narinfos”:

--8<---------------cut here---------------start------------->8---
$ wget -q -O - http://hydra.gnu.org/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk.narinfo
StorePath: /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3
URL: nar/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3
Compression: bzip2
NarHash: sha256:02xnn63ib2zs0k2dvkk9f6k7d4g1s6pm1ryjlzg3h98b88bch7n9
NarSize: 100956560
References: 1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3 250yb9lr5018sc1092xb0fikarqsh55r-findutils-4.4.2 2ygn4ncnhrpr61rssa6z0d9x22si0va3-libjpeg-8d 34lb360x0m8ilmqlzmvk1s2rgm416l5s-gdk-pixbuf-2.28.2 394ijzg3g53i77q9400j22w1wamcjkxs-xz-5.0.4 3b0179h37dd19xc1k73cy8s75ja4pmba-grep-2.18 3j9cmj0l4g37gi804y8yvnig0yqgm2xg-gzip-1.6 499l505sasqwxcimsvf7h6if2bnyq785-cairo-1.12.16 6ax9s08vya8dsfda8yr0swk5g3f0b189-atk-2.10.0 6z7k9ms4sf367c3phl7djhb740ly3dqi-gcc-4.8.2 7zdhgp0n1518lvfn8mb96sxqfmvqrl7v-libxrender-0.9.7 8f15savrvf13z1z9hi5cb5l6akdx4gzr-zlib-1.2.7 91l8glwrsv0cdc53viq4i0x0x7qjrbgj-make-4.0 a9pdkvz3xiyp01xl8gcl1y6mjij0h86k-pkg-config-0.27.1 cvc6x0brfnrxsrk2f48c6dhh4brf05d9-coreutils-8.22 d12n5r59rhvc2b86agsp2gzsad41gr3p-pango-1.34.1 fkmxw4d9xrabvpg3mv2l529cw7gw27n5-libtasn1-3.4 hf5kklv837xbfcv6gc7gpsj36l69j3sj-glibc-2.19 hg75n2sbpmwnxw4v4bvn1i304r5s3dfh-libtiff-4.0.3 imc4v341rb93k8rialj5baxzdh63w2xr-nettle-2.7.1 j96wdn8q41jd62n6p6viv2wl9l2100b3-gtk+-2.24.21 jm0qk1n234f7l8s8zp8fpa13m8w91ikv-diffutils-3.3 lxszay94rraffzfjmzlvpa5z02h9xlfz-gnutls-3.2.12 m56m1y8inkplafq2859vaflwrwa0c3jf-which-2.20 malv41q53gmwvrzm6mfpv7g4s95rzxik-libsm-1.2.1 n1chwrwzq94120d3zfcyd9yr11r0jbsb-sed-4.2.2 naxqxdf7f6lfpy4h481h8j8hs2r44v09-libpng-1.5.17 nsv3rg9i3rn29j1nk4lr26pxazpmd75g-tar-1.27.1 nw5y8klybqh3wn0xc66b1dfjafs5hybv-freetype-2.4.11 plw2fk911b33n75ylmrqkfwkhwg75ydv-binutils-2.24 pvvizw77i06pjq7kv1iz57kl68xd7bnr-libxpm-3.5.10 q6v9b91x3hcikmnf6s3vhjzpjdrkdp6y-texinfo-5.2 qca6ipcph0rx8fsmcbib1qphqgv2rhl0-libxft-2.3.1 qfvvhq9m6jfsn7k9a4rzik3p6hmdq397-libx11-1.5.0 r26x0ibxcg8h71j01dcyc27lpa7kc87f-patch-2.7.1 rrbw3d1dl4njp2nnb84x8mlnmhdcvfxp-libxml2-2.9.0 sw5gnvc1q14pyiw5d7xc47xcy942gsf5-gawk-4.1.0 v5wr09jhn17ami1k844r6y6n3sy6y0kr-fontconfig-2.10.93 vkgwsi1vi2k91y22clf42z2qxydyxfbb-bzip2-1.0.6 vw8ipma5jgy2a5nczwh9bxsc99w67yy5-glib-2.39.1 wfppwmx7lsqm0hpachkzs90m0c1zqxiv-ld-wrapper-0 wfrjbxjapgqb9pqnwck35r8kb9gj435i-harfbuzz-0.9.22 xa3hd1y4yx0z18ya3zk2p6zlc0f2hr3g-libice-1.0.8 
xhd2xdv16b64ajkdd7pbkklrq5fmn28i-bash-4.3 yagg8zjdz367qiwspm8ssgny47inrn8f-alsa-lib-1.0.27.1 yxaqk5vj602m6waasvrg30hm09ln501w-giflib-4.2.3 zjwc4x53rpim4j3hmspzpv0k3n4kgv0n-dbus-1.6.4 zysrgzapv5vzjqrbcz2y3ksi9w651876-ncurses-5.9
Deriver: 2nbrvsf3g3xl3bwh3cfvb2rvwsc8n0kn-emacs-24.3.drv
System: x86_64-linux
Signature: 1;hydra.gnu.org;[base64-encoded signature omitted]
--8<---------------cut here---------------end--------------->8---

The Signature line above is a base64-encoded canonical sexp signature
(as for ‘guix archive’.)

With Hydra now ready, I’ve done some testing with Nikita’s cool work on
adding support for authentication/authorization of signed binaries.

Here’s a sample session, using the internal interface to ‘guix
substitute-binary’, with wip-signed-archives:

--8<---------------cut here---------------start------------->8---
$ echo "have /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3" | sudo ./pre-inst-env guix substitute-binary --query


$ sudo ./pre-inst-env guix substitute-binary --substitute /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3 foo

guix substitute-binary: error: unauthorized public key

$ cat hydra-key.pub | sudo guix archive --authorize

$ echo "have /gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3" | sudo ./pre-inst-env guix substitute-binary --query

/gnu/store/1j3w0vvh1ya3l382ls5h1s75fvvdxbzk-emacs-24.3
--8<---------------cut here---------------end--------------->8---

What we see here is that ‘has-substitutes?’ requests simply return #f if
a substitute is available but is invalid (lacks a signature, or has a
wrong signature, or is signed by an unauthorized key.)  ‘--substitute’
requests error out when that happens.

Nikita: comments welcome on the two commits I just pushed in
wip-signed-archives.

I’ll try to add tests for that, but overall, it seems to be getting into
shape!

Thanks,
Ludo’.
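
The acceptance policy described in the message above, as an added example that is not part of the original message and is not Guix code: a query yields nothing for an invalid narinfo, while a substitute request raises an error naming the failure. Assumptions: HMAC-SHA256 stands in for the canonical-sexp public-key signature so the block runs with the standard library only, the signature is taken to cover the text before the Signature line, and all function names, the key and the sample narinfo are constructed for illustration.

```python
import base64, hashlib, hmac

class SubstituteError(Exception): pass

def sign(body, key_id, key):
    # STAND-IN: HMAC-SHA256 replaces the real public-key signature (assumption).
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    blob = base64.b64encode(f"{key_id}:{mac}".encode()).decode()
    return f"{body}Signature: 1;example.org;{blob}\n"

def check(narinfo, acl):
    """Return (fields, reason); reason is None when the narinfo authenticates."""
    index = narinfo.find("\nSignature:")  # assumption: signature covers the text before it
    body = narinfo[:index + 1] if index >= 0 else narinfo
    fields = dict(l.split(": ", 1) for l in narinfo.splitlines() if ": " in l)
    if "Signature" not in fields:
        return fields, "missing signature"
    parts = fields["Signature"].split(";", 2)  # version;host;base64
    if len(parts) != 3 or parts[0] != "1":
        return fields, "unsupported signature field"
    try:
        key_id, _, mac = base64.b64decode(parts[2], validate=True).decode().partition(":")
    except ValueError:
        return fields, "malformed signature"
    if key_id not in acl:  # acl models the keys added with --authorize
        return fields, "unauthorized public key"
    expected = hmac.new(acl[key_id], body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return fields, "invalid signature"
    return fields, None

def query(narinfo, acl):
    """Like a 'have' query: the store path, or None for any invalid narinfo."""
    fields, reason = check(narinfo, acl)
    return fields.get("StorePath") if reason is None else None

def substitute(narinfo, acl):
    """Like --substitute: the nar URL, or an error naming the failure."""
    fields, reason = check(narinfo, acl)
    if reason is not None:
        raise SubstituteError(reason)
    return fields["URL"]

# Constructed sample input (not a real store item or key).
BODY = ("StorePath: /gnu/store/00000000000000000000000000000000-example-1.0\n"
        "URL: nar/00000000000000000000000000000000-example-1.0\n"
        "Compression: bzip2\n")
KEY = b"constructed-demo-key"
SIGNED = sign(BODY, "demo-key", KEY)
```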
