guix-devel

Signed archive export/import


From: Ludovic Courtès
Subject: Signed archive export/import
Date: Fri, 20 Dec 2013 17:33:19 +0100
User-agent: Gnus/5.130007 (Ma Gnus v0.7) Emacs/24.3 (gnu/linux)

Hi!

With commit 526382f, the daemon supports exporting signed “Nix archives”
of a set of store files, and importing signed archives (using public key
crypto.)  This is useful, for instance, to transfer files from one
machine to another, as is the case in a typical Hydra build farm.

The daemon is equipped to call out to the ‘openssl’ program for signing
and signature verification, but the goal here was to do away with
OpenSSL, since we have a couple of great alternatives in GNU.  ;-)
(In practice this means that our crypto material uses a different format
than the one used in Nix.)

So the (guix pk-crypto) module provides bindings to the public key API
of GNU Libgcrypt, and the ‘guix authenticate’ command is a drop-in
replacement for the ‘openssl’ program that the daemon invokes (see
‘local-store.cc’.)

The modus operandi is that administrators add a libgcrypt-generated key
pair to /etc/guix/signing-key.{pub,sec} (typically an RSA key pair).
Exported archives are automatically signed with the secret key, and
imported archives must carry a valid signature verified with
signing-key.pub.

I find the latter a bit limiting, as it means that all the machines in
the build farm must have the same key pair installed.  So instead, I’m
inclined to add an ‘authorized key’ list, as with SSH.


From there, we need a few more things:

  - a ‘guix archive’ command to easily import/export archives, and to
    generate a key pair;

  - a ‘guix copy’ command to copy a set of store files (and their
    dependencies) between two machines (similar to ‘nix-copy-closure’);

  - a daemon “build hook” to automatically off-load builds to remote
    machines (see <http://nixos.org/nix/manual/#chap-distributed-builds>
    for an overview.)

The practical goal is to have an additional Intel build machine, and
ideally a mips64 build machine hooked up into Hydra by the end of
January.

As usual, feedback welcome!

Ludo’.
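
The "authorized key" model proposed in the message above, sketched on the import side as an added example (not code from Guix or from the message's author). Textbook RSA over constructed Mersenne-prime keys stands in for libgcrypt key pairs and is not secure; every function and variable name here is hypothetical.

```python
import hashlib

E = 65537
M127, M521, M607 = 2**127 - 1, 2**521 - 1, 2**607 - 1  # Mersenne primes

def make_key(p, q):
    """Toy RSA key pair ((n, e), (n, d)); constructed and insecure."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(archive):
    return int.from_bytes(hashlib.sha256(archive).digest(), "big")

def fingerprint(public):
    return hashlib.sha256(("%x:%x" % public).encode()).hexdigest()

def export_archive(archive, public, secret):
    """Exporter: sign the archive hash and attach the signer's public key."""
    n, d = secret
    return {"data": archive, "signer": public, "signature": pow(digest(archive), d, n)}

def import_archive(signed, authorized):
    """Importer: the signer must be authorized AND the signature must verify."""
    n, e = signed["signer"]
    if fingerprint(signed["signer"]) not in authorized:
        return "rejected: signer not authorized"
    if pow(signed["signature"], e, n) != digest(signed["data"]):
        return "rejected: bad signature"
    return "imported"

# Each build machine has its own key pair; the importer lists the trusted ones.
BUILDER_A = make_key(M521, M607)
BUILDER_B = make_key(M127, M521)
OUTSIDER = make_key(M127, M607)
AUTHORIZED = {fingerprint(BUILDER_A[0]), fingerprint(BUILDER_B[0])}

def demo():
    nar = b"constructed archive bytes"
    good = export_archive(nar, *BUILDER_B)
    tampered = dict(good, data=nar + b"!")          # contents changed after signing
    forged = dict(export_archive(nar, *OUTSIDER), signer=BUILDER_A[0])  # false signer claim
    return [import_archive(x, AUTHORIZED) for x in
            (good, export_archive(nar, *OUTSIDER), tampered, forged)]

if __name__ == "__main__":
    print(demo())
```

The last case shows why both checks are needed: naming an authorized key as the signer does not help unless the signature also verifies under that key.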
