[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#33733: Irrelevant narinfo signatures are honored
From: |
Ludovic Courtès |
Subject: |
bug#33733: Irrelevant narinfo signatures are honored |
Date: |
Fri, 14 Dec 2018 00:39:55 +0100 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) |
Ludovic Courtès <address@hidden> skribis:
> The problem is that ‘guix substitute’ will accept such narinfos (when
> they are signed by an authorized key), even though the signature doesn’t
> cover the important parts (namely: StorePath, NarHash, and References;
> the rest is mostly informative.) A fix is attached with tests that
> illustrate the problem.
I pushed the fix as 60b04024f8823192b74c1ed5b14f318049865ac7 and an
update of the ‘guix’ package as
7ef64ec8476e9f13262d7755aff27c97dd2cd683.
I encourage you to upgrade your daemon.
Ludo’.