Re: Signed archive export/import

From: Ludovic Courtès
Subject: Re: Signed archive export/import
Date: Fri, 10 Jan 2014 14:21:46 +0100
User-agent: Gnus/5.130007 (Ma Gnus v0.7) Emacs/24.3 (gnu/linux)

address@hidden (Ludovic Courtès) wrote:

> address@hidden (Ludovic Courtès) wrote:
>> The good news is that, with a bit of work in (guix nar),
>> ‘substitute-binary’ will be able to use that mechanism too.  So we can
>> change Hydra to always sign its archives (simple), and
>> ‘substitute-binary’ to always check signatures and check the signer
>> against the ACL.  The users can choose whether or not to add
>>’s public key to their ACL.
>
> It turns out that changing Hydra to always sign is not as simple as I
> initially thought, because it doesn’t export archives via the
> ‘export-paths’ RPC (the one that knows how to sign them.)
>
> So we’re back to discussing another approach with the (apparently
> unmotivated) Hydra folks, probably adding a ‘Signature’ field to the
> .narinfo files (see
> <> and
> <>.)

Good news: Eelco Dolstra (of Nix) implemented what he had in mind in
Hydra and Nix’s substituter (thanks!):

So what we need to do now is to adjust substitute-binary.scm to handle
these signatures, and to make sure Hydra can use ‘guix authenticate’
instead of ‘openssl’.

I’ll look into it when I’m done with offload support, but I’m happy to
discuss it further if someone else wants to give it a go!

