From 6dd8ffc57420ee2f6f19e79e41028e78fe9e6a7e Mon Sep 17 00:00:00 2001
From: Ludovic Courtès <ludo@gnu.org>
Date: Tue, 8 Sep 2020 15:00:29 +0200
Subject: daemon: Simplify interface with 'guix authenticate'.

There's no reason at this point to mimic the calling convention of the
'openssl' command.

* nix/libstore/local-store.cc (LocalStore::exportPath): Add only "sign"
and HASH to ARGS.  Remove 'tmpDir' and 'hashFile'.
(LocalStore::importPath): Add only "verify" and SIGNATURE to
* guix/scripts/authenticate.scm (guix-authenticate): Adjust
accordingly; remove the OpenSSL-style clauses.
(read-hash-data): Remove.
(sign-with-key): Replace 'port' with 'sha256' and adjust accordingly.
(validate-signature): Export SIGNATURE to be a canonical sexp.
* tests/guix-authenticate.sh: Adjust tests accordingly.
---
 nix/libstore/local-store.cc | 19 +++----------------
 1 file changed, 3 insertions(+), 16 deletions(-)

(limited to 'nix')

diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc
index 7a520925e5..e6badd3721 100644
--- a/nix/libstore/local-store.cc
+++ b/nix/libstore/local-store.cc
@@ -1277,21 +1277,13 @@ void LocalStore::exportPath(const Path & path, bool sign,
 
         writeInt(1, hashAndWriteSink);
 
-        Path tmpDir = createTempDir();
-        AutoDelete delTmp(tmpDir);
-        Path hashFile = tmpDir + "/hash";
-        writeFile(hashFile, printHash(hash));
-
         Path secretKey = settings.nixConfDir + "/signing-key.sec";
         checkSecrecy(secretKey);
 
         Strings args;
-        args.push_back("rsautl");
-        args.push_back("-sign");
-        args.push_back("-inkey");
+        args.push_back("sign");
         args.push_back(secretKey);
-        args.push_back("-in");
-        args.push_back(hashFile);
+        args.push_back(printHash(hash));
 
         string signature = runAuthenticationProgram(args);
 
@@ -1376,12 +1368,7 @@ Path LocalStore::importPath(bool requireSignature, Source & source)
             writeFile(sigFile, signature);
 
             Strings args;
-            args.push_back("rsautl");
-            args.push_back("-verify");
-            args.push_back("-inkey");
-            args.push_back(settings.nixConfDir + "/signing-key.pub");
-            args.push_back("-pubin");
-            args.push_back("-in");
+            args.push_back("verify");
             args.push_back(sigFile);
             string hash2 = runAuthenticationProgram(args);
 
-- 
cgit v1.2.3