libstore/local-store: perform remote signing if available

If remote signing is available, remotely sign realisations and path infos.
NixOS · Sep 30, 2023 · a71db16 · a71db16
1 parent 5e67966
commit a71db16
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
@@ -1802,23 +1802,36 @@ void LocalStore::signRealisation(Realisation & realisation)
     // FIXME: keep secret keys in memory.
 
     auto secretKeyFiles = settings.secretKeyFiles;
+    auto remoteSigningUrls = settings.remoteSigningUrls;
 
     for (auto & secretKeyFile : secretKeyFiles.get()) {
         SecretKey secretKey(readFile(secretKeyFile));
         LocalSigner signer(std::move(secretKey));
         realisation.sign(signer);
     }
+
+    for (auto & remoteSigningUrl : remoteSigningUrls.get()) {
+        RemoteSigner signer(remoteSigningUrl);
+        realisation.sign(signer);
+    }
 }
 
 void LocalStore::signPathInfo(ValidPathInfo & info)
 {
-    // FIXME: keep secret keys in memory.
+    // FIXME: keep secret keys in memory
 
+    auto remoteSigningUrls = settings.remoteSigningUrls;
     auto secretKeyFiles = settings.secretKeyFiles;
 
     for (auto & secretKeyFile : secretKeyFiles.get()) {
         SecretKey secretKey(readFile(secretKeyFile));
-        info.sign(*this, secretKey);
+        LocalSigner signer(std::move(secretKey));
+        info.sign(*this, signer);
+    }
+
+    for (auto & remoteSigningUrl : remoteSigningUrls.get()) {
+        RemoteSigner signer(remoteSigningUrl);
+        info.sign(*this, signer);
     }
 }