4 files changed, 42 insertions, 13 deletions

diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm
index 5965e3426e..86e1eb115f 100644
--- a/guix/scripts/environment.scm
+++ b/guix/scripts/environment.scm
@@ -162,6 +162,8 @@ COMMAND or an interactive shell in that environment.\n"))
   (newline)
   (show-build-options-help)
   (newline)
+  (show-transformation-options-help)
+  (newline)
   (display (G_ "
   -h, --help             display this help and exit"))
   (display (G_ "
@@ -261,7 +263,9 @@ COMMAND or an interactive shell in that environment.\n"))
          (option '("bootstrap") #f #f
                  (lambda (opt name arg result)
                    (alist-cons 'bootstrap? #t result)))
-         %standard-build-options))
+
+         (append %transformation-options
+                 %standard-build-options)))
 
 (define (pick-all alist key)
   "Return a list of values in ALIST associated with KEY."
@@ -274,7 +278,7 @@ COMMAND or an interactive shell in that environment.\n"))
             (_ memo)))
         '() alist))
 
-(define (options/resolve-packages opts)
+(define (options/resolve-packages store opts)
   "Return OPTS with package specification strings replaced by manifest entries
 for the corresponding packages."
   (define (manifest-entry=? e1 e2)
@@ -282,15 +286,21 @@ for the corresponding packages."
          (string=? (manifest-entry-output e1)
                    (manifest-entry-output e2))))
 
+  (define transform
+    (cut (options->transformation opts) store <>))
+
+  (define* (package->manifest-entry* package #:optional (output "out"))
+    (package->manifest-entry (transform package) output))
+
   (define (packages->outputs packages mode)
     (match packages
       ((? package? package)
        (if (eq? mode 'ad-hoc-package)
-           (list (package->manifest-entry package))
+           (list (package->manifest-entry* package))
            (package-environment-inputs package)))
       (((? package? package) (? string? output))
        (if (eq? mode 'ad-hoc-package)
-           (list (package->manifest-entry package output))
+           (list (package->manifest-entry* package output))
            (package-environment-inputs package)))
       ((lst ...)
        (append-map (cut packages->outputs <> mode) lst))))
@@ -301,7 +311,7 @@ for the corresponding packages."
                   (('package 'ad-hoc-package (? string? spec))
                    (let-values (((package output)
                                  (specification->package+output spec)))
-                     (list (package->manifest-entry package output))))
+                     (list (package->manifest-entry* package output))))
                   (('package 'package (? string? spec))
                    (package-environment-inputs
                     (specification->package+output spec)))
@@ -364,8 +374,8 @@ requisite store items i.e. the union closure of all the inputs."
        ((? direct-store-path? path)
         (list path)))))
 
-  (mlet %store-monad ((reqs (sequence %store-monad
-                                      (map input->requisites inputs))))
+  (mlet %store-monad ((reqs (mapm %store-monad
+                                  input->requisites inputs)))
     (return (delete-duplicates (concatenate reqs)))))
 
 (define (status->exit-code status)
@@ -654,7 +664,6 @@ message if any test fails."
                                ;; within the container.
                                '("/bin/sh")
                                (list %default-shell))))
-           (manifest   (options/resolve-packages opts))
            (mappings   (pick-all opts 'file-system-mapping)))
 
       (when container? (assert-container-features))
@@ -666,6 +675,9 @@ message if any test fails."
 
       (with-store store
         (with-status-report print-build-event
+          (define manifest
+            (options/resolve-packages store opts))
+
           (set-build-options-from-command-line store opts)
 
           ;; Use the bootstrap Guile when requested.
diff --git a/guix/scripts/publish.scm b/guix/scripts/publish.scm
index c5326b33da..a236f3e45c 100644
--- a/guix/scripts/publish.scm
+++ b/guix/scripts/publish.scm
@@ -537,14 +537,19 @@ requested using POOL."
         (not-found request))))
 
 (define* (render-nar/cached store cache request store-item
-                            #:key (compression %no-compression))
+                            #:key ttl (compression %no-compression))
   "Respond to REQUEST with a nar for STORE-ITEM.  If the nar is in CACHE,
-return it; otherwise, return 404."
+return it; otherwise, return 404.  When TTL is true, use it as the
+'Cache-Control' expiration time."
   (let ((cached (nar-cache-file cache store-item
                                 #:compression compression)))
     (if (file-exists? cached)
         (values `((content-type . (application/octet-stream
                                    (charset . "ISO-8859-1")))
+                  ,@(if ttl
+                        `((cache-control (max-age . ,ttl)))
+                        '())
+
                   ;; XXX: We're not returning the actual contents, deferring
                   ;; instead to 'http-write'.  This is a hack to work around
                   ;; <http://bugs.gnu.org/21093>.
@@ -819,6 +824,7 @@ blocking."
                                      %default-gzip-compression))))
                  (if cache
                      (render-nar/cached store cache request store-item
+                                        #:ttl narinfo-ttl
                                         #:compression compression)
                      (render-nar store request store-item
                                  #:compression compression)))
@@ -829,6 +835,7 @@ blocking."
            (if (nar-path? components)
                (if cache
                    (render-nar/cached store cache request store-item
+                                      #:ttl narinfo-ttl
                                       #:compression %no-compression)
                    (render-nar store request store-item
                                #:compression %no-compression))
diff --git a/guix/scripts/substitute.scm b/guix/scripts/substitute.scm
index d6dc9b6448..53b1777241 100755
--- a/guix/scripts/substitute.scm
+++ b/guix/scripts/substitute.scm
@@ -392,12 +392,21 @@ No authentication and authorization checks are performed here!"
 (define (narinfo-sha256 narinfo)
   "Return the sha256 hash of NARINFO as a bytevector, or #f if NARINFO lacks a
 'Signature' field."
+  (define %mandatory-fields
+    ;; List of fields that must be signed.  If they are not signed, the
+    ;; narinfo is considered unsigned.
+    '("StorePath" "NarHash" "References"))
+
   (let ((contents (narinfo-contents narinfo)))
     (match (string-contains contents "Signature:")
       (#f #f)
       (index
-       (let ((above-signature (string-take contents index)))
-         (sha256 (string->utf8 above-signature)))))))
+       (let* ((above-signature (string-take contents index))
+              (signed-fields (match (call-with-input-string above-signature
+                                      fields->alist)
+                               (((fields . values) ...) fields))))
+         (and (every (cut member <> signed-fields) %mandatory-fields)
+              (sha256 (string->utf8 above-signature))))))))
 
 (define* (valid-narinfo? narinfo #:optional (acl (current-acl))
                          #:key verbose?)
diff --git a/guix/scripts/system.scm b/guix/scripts/system.scm
index 8eb32c62bc..6cda3ccbd6 100644
--- a/guix/scripts/system.scm
+++ b/guix/scripts/system.scm
@@ -993,7 +993,8 @@ Some ACTIONS support additional ARGS.\n"))
                          instead of reading FILE, when applicable"))
   (display (G_ "
       --on-error=STRATEGY
-                         apply STRATEGY when an error occurs while reading FILE"))
+                         apply STRATEGY (one of nothing-special, backtrace,
+                         or debug) when an error occurs while reading FILE"))
   (display (G_ "
       --file-system-type=TYPE
                          for 'disk-image', produce a root file system of TYPE