authenticate: Support reading the hash or key from stdin.
* guix/scripts/authenticate.scm (guix-authenticate): Add clauses
  for ("rsautl" "-sign" "-inkey" key) and ("rsautl" "-verify" "-inkey" _
  "-pubin").
* tests/guix-authenticate.sh (hash): Add test using -sign and -verify in
  a pipeline.
			
			
		
							parent
							
								
									9dbe6e43ea
								
							
						
					
					
						commit
						9b0a2233db
					
				
					 2 changed files with 20 additions and 1 deletions
				
			
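--- a/guix/scripts/authenticate.scm
+++ b/guix/scripts/authenticate.scm
@@ -90,14 +90,22 @@ to stdout upon success."
 
 (define (guix-authenticate . args)
   (match args
+    ;; As invoked by guix-daemon.
     (("rsautl" "-sign" "-inkey" key "-in" hash-file)
      (call-with-input-file hash-file
        (lambda (port)
          (sign-with-key key port))))
+    ;; As invoked by Nix/Crypto.pm (used by Hydra.)
+    (("rsautl" "-sign" "-inkey" key)
+     (sign-with-key key (current-input-port)))
+    ;; As invoked by guix-daemon.
     (("rsautl" "-verify" "-inkey" _ "-pubin" "-in" signature-file)
      (call-with-input-file signature-file
        (lambda (port)
          (validate-signature port))))
+    ;; As invoked by Nix/Crypto.pm (used by Hydra.)
+    (("rsautl" "-verify" "-inkey" _ "-pubin")
+     (validate-signature (current-input-port)))
     (("--help")
      (display (_ "Usage: guix authenticate OPTION...
 Sign or verify the signature on the given file.  This tool is meant to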
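Review bot: The new stdin `-verify` clause, like the file-based clause above it, binds the `-inkey` argument to `_`, so the public key named on the command line plays no part in the match, and nothing in the hunk says so. Someone reading the Nix/Crypto.pm-style invocation could assume the signature is checked against that key file; which signer keys are accepted is presumably decided inside `validate-signature`, which is defined outside this hunk. I would add a comment on both verify clauses, for example `;; The '-inkey' file is ignored; 'validate-signature' decides which signer keys are trusted.` The `match` form continues past the end of the hunk, so any fall-through handling of unrecognised argument lists is not visible here.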
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -1,5 +1,5 @@
 | 
				
			||||||
# GNU Guix --- Functional package management for GNU
 | 
					# GNU Guix --- Functional package management for GNU
 | 
				
			||||||
# Copyright © 2013 Ludovic Courtès <ludo@gnu.org>
 | 
					# Copyright © 2013, 2014 Ludovic Courtès <ludo@gnu.org>
 | 
				
			||||||
#
 | 
					#
 | 
				
			||||||
# This file is part of GNU Guix.
 | 
					# This file is part of GNU Guix.
 | 
				
			||||||
#
 | 
					#
 | 
				
			||||||
| 
						 | 
					@ -42,6 +42,17 @@ hash2="`guix authenticate rsautl -verify		\
 | 
				
			||||||
          -pubin -in $sig`"
 | 
					          -pubin -in $sig`"
 | 
				
			||||||
test "$hash2" = `cat "$hash"`
 | 
					test "$hash2" = `cat "$hash"`
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					# Same thing in a pipeline, using the command line syntax that Nix/Crypto.pm
 | 
				
			||||||
 | 
					# uses.
 | 
				
			||||||
 | 
					hash2="`						\
 | 
				
			||||||
 | 
					  cat "$hash"						\
 | 
				
			||||||
 | 
					  | guix authenticate rsautl -sign			\
 | 
				
			||||||
 | 
					    -inkey "$abs_top_srcdir/tests/signing-key.sec"	\
 | 
				
			||||||
 | 
					  | guix authenticate rsautl -verify			\
 | 
				
			||||||
 | 
					          -inkey $abs_top_srcdir/tests/signing-key.pub	\
 | 
				
			||||||
 | 
					          -pubin`"
 | 
				
			||||||
 | 
					test "$hash2" = `cat "$hash"`
 | 
				
			||||||
 | 
					
 | 
				
			||||||
# Detect corrupt signatures.
 | 
					# Detect corrupt signatures.
 | 
				
			||||||
if guix authenticate rsautl -verify				\
 | 
					if guix authenticate rsautl -verify				\
 | 
				
			||||||
          -inkey "$abs_top_srcdir/tests/signing-key.pub"	\
 | 
					          -inkey "$abs_top_srcdir/tests/signing-key.pub"	\
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
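Review bot: In the added pipeline the `-verify` stage passes `-inkey $abs_top_srcdir/tests/signing-key.pub` unquoted, while the `-sign` stage just above quotes the same kind of path. A source directory whose name contains whitespace would split that argument and the command line would no longer have the shape the test intends; write `-inkey "$abs_top_srcdir/tests/signing-key.pub"`. The visible lines also exercise only the success path of the stdin form. A corrupt signature fed through stdin, mirroring the "Detect corrupt signatures" case that follows, would cover the rejection path of the new verify clause; that existing case continues outside the hunk, so it may already be adaptable.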