File: fetchGitVerification.sh

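#!/usr/bin/env bash

# Functional test for the `verified-fetches` feature.
#
# Two SSH signing keys are generated, commits are signed with them
# (`gpg.format ssh`), and the repo is fetched with `builtins.fetchGit` and as a
# flake `git` input using `publicKey` / `publicKeys`. Each step asserts either
# that a fetch with a matching key succeeds and yields the expected file
# content, or that a fetch with a non-matching key (or from a dirty worktree)
# fails with exit status 1 and a specific diagnostic.
#
# Every bare `[[ ... ]]` line below relies on the shell aborting on a failing
# test; this assumes common.sh enables errexit (`set -e`) — confirm if the
# helpers change.

source common.sh

requireGit
[[ $(type -p ssh-keygen) ]] || skipTest "ssh-keygen not installed" # require ssh-keygen

enableFeatures "verified-fetches"

clearStoreIfPossible

repo="$TEST_ROOT/git"

# generate signing keys: one ed25519 and one RSA, so that both the default key
# type and an explicit `keytype = "ssh-rsa"` are exercised. Only the key
# material (second field of the .pub line) is passed to Nix.
keysDir=$TEST_ROOT/.ssh
mkdir -p "$keysDir"
ssh-keygen -f "$keysDir/testkey1" -t ed25519 -P "" -C "test key 1"
key1File="$keysDir/testkey1.pub"
publicKey1=$(awk '{print $2}' "$key1File")
ssh-keygen -f "$keysDir/testkey2" -t rsa -P "" -C "test key 2"
key2File="$keysDir/testkey2.pub"
publicKey2=$(awk '{print $2}' "$key2File")

git init "$repo"
git -C "$repo" config user.email "foobar@example.com"
git -C "$repo" config user.name "Foobar"
git -C "$repo" config gpg.format ssh

echo 'hello' > "$repo"/text
git -C "$repo" add text
git -C "$repo" -c "user.signingkey=$key1File" commit -S -m 'initial commit'

# Negative check: the commit is signed with key 1, so verifying against key 2
# must be rejected. `status` is reset before each negative check so that a
# stale value from an earlier failure cannot mask an unexpected success.
status=0
out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = \"file://$repo\"; keytype = \"ssh-rsa\"; publicKey = \"$publicKey2\"; }" 2>&1) || status=$?
[[ $status == 1 ]]
[[ $out == *'No principal matched.'* ]]
# Positive check: the matching key verifies and the tree content is readable.
[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKey = \"$publicKey1\"; } + \"/text\")") = 'hello' ]]

echo 'hello world' > "$repo"/text

# Verification on a dirty repo should fail.
status=0
out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = \"file://$repo\"; keytype = \"ssh-rsa\"; publicKey = \"$publicKey2\"; }" 2>&1) || status=$?
[[ $status == 1 ]]
[[ $out == *'dirty'* ]]

git -C "$repo" add text
git -C "$repo" -c "user.signingkey=$key2File" commit -S -m 'second commit'

# HEAD is now signed with key 2; a `publicKeys` list containing both keys
# (key 2 with its explicit type) must verify.
[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKeys = [{key = \"$publicKey1\";} {type = \"ssh-rsa\"; key = \"$publicKey2\";}]; } + \"/text\")") = 'hello world' ]]

# Flake input test
flakeDir="$TEST_ROOT/flake"
mkdir -p "$flakeDir"
# Matching key as a flake input: the build must succeed.
cat > "$flakeDir/flake.nix" <<EOF
{
  inputs.test = {
    type = "git";
    url = "file://$repo";
    flake = false;
    publicKeys = [
      { type = "ssh-rsa"; key = "$publicKey2"; }
    ];
  };

  outputs = { test, ... }: { test = test.outPath; };
}
EOF
nix build --out-link "$flakeDir/result" "$flakeDir#test"
[[ $(cat "$flakeDir/result/text") = 'hello world' ]]

# Non-matching key (key 1, while HEAD is signed with key 2): the build must
# fail with the same diagnostic as the fetchGit case.
cat > "$flakeDir/flake.nix" <<EOF
{
  inputs.test = {
    type = "git";
    url = "file://$repo";
    flake = false;
    publicKey= "$publicKey1";
  };

  outputs = { test, ... }: { test = test.outPath; };
}
EOF
status=0
out=$(nix build "$flakeDir#test" 2>&1) || status=$?

[[ $status == 1 ]]
[[ $out == *'No principal matched.'* ]]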