aboutsummaryrefslogtreecommitdiff
path: root/nix
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2020-09-11 12:51:36 +0200
committerLudovic Courtès <ludo@gnu.org>2020-09-14 15:42:55 +0200
commit64cf660f872fb7aaf0d2b463e45b4c756297f743 (patch)
treee1fdd38b1a704915b4df4cd0b7db6669bd7b77dc /nix
parentee9dff34f9317509cb2b833d07a0d5e01a36a4ae (diff)
downloadguix-64cf660f872fb7aaf0d2b463e45b4c756297f743.tar
guix-64cf660f872fb7aaf0d2b463e45b4c756297f743.tar.gz
daemon: Spawn 'guix authenticate' once for all.
Previously, we'd spawn 'guix authenticate' once for each item that has to be signed (when exporting) or authenticated (when importing). Now, we spawn it once for all and then follow a request/reply protocol. This reduces the wall-clock time of: guix archive --export -r $(guix build coreutils -d) from 30s to 2s. * guix/scripts/authenticate.scm (sign-with-key): Return the signature instead of displaying it. Raise a &formatted-message instead of calling 'leave'. (validate-signature): Likewise. (read-command): New procedure. (define-enumerate-type, reply-code): New macros. (guix-authenticate)[send-reply]: New procedure. Change to read commands from current-input-port. * nix/libstore/local-store.cc (runAuthenticationProgram): Remove. (authenticationAgent, readInteger, readAuthenticateReply): New functions. (signHash, verifySignature): Rewrite in terms of the agent. * tests/store.scm ("import not signed"): Remove 'pk' call. ("import signed by unauthorized key"): Check the error message of C. * tests/guix-authenticate.sh: Rewrite using the new protocol. fixlet
Diffstat (limited to 'nix')
-rw-r--r--nix/libstore/local-store.cc87
1 files changed, 70 insertions, 17 deletions
diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc
index cbbd8e901d..8c479002ec 100644
--- a/nix/libstore/local-store.cc
+++ b/nix/libstore/local-store.cc
@@ -21,6 +21,7 @@
#include <stdio.h>
#include <time.h>
#include <grp.h>
+#include <ctype.h>
#if HAVE_UNSHARE && HAVE_STATVFS && HAVE_SYS_MOUNT_H
#include <sched.h>
@@ -1231,39 +1232,91 @@ static void checkSecrecy(const Path & path)
}
-static std::string runAuthenticationProgram(const Strings & args)
+/* Return the authentication agent, a "guix authenticate" process started
+ lazily. */
+static std::shared_ptr<Agent> authenticationAgent()
{
- Strings fullArgs = { "authenticate" };
- fullArgs.insert(fullArgs.end(), args.begin(), args.end()); // append
- return runProgram(settings.guixProgram, false, fullArgs);
+ static std::shared_ptr<Agent> agent;
+
+ if (!agent) {
+ Strings args = { "authenticate" };
+ agent = std::make_shared<Agent>(settings.guixProgram, args);
+ }
+
+ return agent;
+}
+
+/* Read an integer and the byte that immediately follows it from FD. Return
+ the integer. */
+static int readInteger(int fd)
+{
+ string str;
+
+ while (1) {
+ char ch;
+ ssize_t rd = read(fd, &ch, 1);
+ if (rd == -1) {
+ if (errno != EINTR)
+ throw SysError("reading an integer");
+ } else if (rd == 0)
+ throw EndOfFile("unexpected EOF reading an integer");
+ else {
+ if (isdigit(ch)) {
+ str += ch;
+ } else {
+ break;
+ }
+ }
+ }
+
+ return stoi(str);
+}
+
+/* Read from FD a reply coming from 'guix authenticate'. The reply has the
+ form "CODE LEN:STR". CODE is an integer, where zero indicates success.
+ LEN specifies the length in bytes of the string that immediately
+ follows. */
+static std::string readAuthenticateReply(int fd)
+{
+ int code = readInteger(fd);
+ int len = readInteger(fd);
+
+ string str;
+ str.resize(len);
+ readFull(fd, (unsigned char *) &str[0], len);
+
+ if (code == 0)
+ return str;
+ else
+ throw Error(str);
}
/* Sign HASH with the key stored in file SECRETKEY. Return the signature as a
string, or raise an exception upon error. */
static std::string signHash(const string &secretKey, const Hash &hash)
{
- Strings args;
- args.push_back("sign");
- args.push_back(secretKey);
- args.push_back(printHash(hash));
+ auto agent = authenticationAgent();
+ auto hexHash = printHash(hash);
- return runAuthenticationProgram(args);
+ writeLine(agent->toAgent.writeSide,
+ (format("sign %1%:%2% %3%:%4%")
+ % secretKey.size() % secretKey
+ % hexHash.size() % hexHash).str());
+
+ return readAuthenticateReply(agent->fromAgent.readSide);
}
/* Verify SIGNATURE and return the base16-encoded hash over which it was
computed. */
static std::string verifySignature(const string &signature)
{
- Path tmpDir = createTempDir("", "guix", true, true, 0700);
- AutoDelete delTmp(tmpDir);
+ auto agent = authenticationAgent();
- Path sigFile = tmpDir + "/sig";
- writeFile(sigFile, signature);
+ writeLine(agent->toAgent.writeSide,
+ (format("verify %1%:%2%")
+ % signature.size() % signature).str());
- Strings args;
- args.push_back("verify");
- args.push_back(sigFile);
- return runAuthenticationProgram(args);
+ return readAuthenticateReply(agent->fromAgent.readSide);
}
void LocalStore::exportPath(const Path & path, bool sign,