NixOS · Nov 20, 2017 · Nov 20, 2017 · Nov 20, 2017 · Nov 20, 2017 · Nov 20, 2017
diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml
@@ -402,21 +402,24 @@ false</literal>.</para>
   </varlistentry>
 
 
-  <varlistentry><term><literal>signed-binary-caches</literal></term>
+  <varlistentry><term><literal>require-sigs</literal></term>
 
-    <listitem><para>If set to <literal>*</literal> (the default), Nix
-    will only download binaries if they are signed using one of the
-    keys listed in <option>binary-cache-public-keys</option>. Set to
-    the empty string to disable signature checking.</para></listitem>
+    <listitem><para>If set to <literal>true</literal> (the default),
+    any non-content-addressed path added or copied to the Nix store
+    (e.g. when substituting from a binary cache) must have a valid
+    signature, that is, be signed using one of the keys listed in
+    <option>trusted-public-keys</option>. Set to
+    <literal>false</literal> to disable signature
+    checking.</para></listitem>
 
   </varlistentry>
 
 
-  <varlistentry><term><literal>binary-cache-public-keys</literal></term>
+  <varlistentry><term><literal>trusted-public-keys</literal></term>
 
-    <listitem><para>A whitespace-separated list of public keys
-    corresponding to the secret keys trusted to sign binary
-    caches. For example:
+    <listitem><para>A whitespace-separated list of public keys. When
+    paths are copied from another Nix store (such as a binary cache),
+    they must be signed with one of these keys. For example:
     <literal>cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
     hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=</literal>.</para></listitem>
 

diff --git a/scripts/install-darwin-multi-user.sh b/scripts/install-darwin-multi-user.sh
@@ -747,14 +747,6 @@ build-users-group = $NIX_BUILD_GROUP_NAME
 max-jobs = $NIX_USER_COUNT
 cores = 1
 sandbox = false
-
-binary-caches = https://cache.nixos.org/
-trusted-binary-caches =
-binary-cache-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
-signed-binary-caches = *
-
-trusted-users = root
-allowed-users = *
 EOF
     _sudo "to place the default nix daemon configuration (part 2)" \
           install -m 0664 "$SCRATCH/nix.conf" /etc/nix/nix.conf

diff --git a/src/libstore/crypto.cc b/src/libstore/crypto.cc
@@ -105,7 +105,7 @@ PublicKeys getDefaultPublicKeys()
 
     // FIXME: filter duplicates
 
-    for (auto s : settings.binaryCachePublicKeys.get()) {
+    for (auto s : settings.trustedPublicKeys.get()) {
         PublicKey key(s);
         publicKeys.emplace(key.name, key);
     }

diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
@@ -259,10 +259,11 @@ public:
     Setting<bool> enforceDeterminism{this, true, "enforce-determinism",
         "Whether to fail if repeated builds produce different output."};
 
-    Setting<Strings> binaryCachePublicKeys{this,
+    Setting<Strings> trustedPublicKeys{this,
         {"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="},
-        "binary-cache-public-keys",
-        "Trusted public keys for secure substitution."};
+        "trusted-public-keys",
+        "Trusted public keys for secure substitution.",
+        {"binary-cache-public-keys"}};
 
     Setting<Strings> secretKeyFiles{this, {}, "secret-key-files",
         "Secret keys with which to sign local builds."};
@@ -280,6 +281,11 @@ public:
     Setting<std::string> signedBinaryCaches{this, "*", "signed-binary-caches",
         "Obsolete."};
 
+    Setting<bool> requireSigs{this, signedBinaryCaches == "*", "require-sigs",
+        "Whether to check that any non-content-addressed path added to the "
+        "Nix store has a valid signature (that is, one signed using a key "
+        "listed in 'trusted-public-keys'."};
+
     Setting<Strings> substituters{this,
         nixStore == "/nix/store" ? Strings{"https://cache.nixos.org/"} : Strings(),
         "substituters",

diff --git a/src/libstore/local-store.hh b/src/libstore/local-store.hh
@@ -97,7 +97,7 @@ public:
 private:
 
     Setting<bool> requireSigs{(Store*) this,
-        settings.signedBinaryCaches != "", // FIXME
+        settings.requireSigs,
         "require-sigs", "whether store paths should have a trusted signature on import"};
 
     PublicKeys publicKeys;

diff --git a/src/libutil/util.cc b/src/libutil/util.cc
@@ -221,9 +221,9 @@ Path readLink(const Path & path)
         ssize_t rlSize = readlink(path.c_str(), buf, bufSize);
         if (rlSize == -1)
             if (errno == EINVAL)
-                throw Error(format("'%1%' is not a symlink") % path);
+                throw Error("'%1%' is not a symlink", path);
             else
-                throw SysError(format("reading symbolic link '%1%'") % path);
+                throw SysError("reading symbolic link '%1%'", path);
         else if (rlSize < bufSize)
             return string(buf, rlSize);
     }

diff --git a/src/nix/run.cc b/src/nix/run.cc
@@ -184,7 +184,7 @@ void chrootHelper(int argc, char * * argv)
        but that doesn't work in a user namespace yet (Ubuntu has a
        patch for this:
        https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1478578). */
-    if (true /* !pathExists(storeDir) */) {
+    if (!pathExists(storeDir)) {
         // FIXME: Use overlayfs?
 
         Path tmpDir = createTempDir();
@@ -195,12 +195,15 @@ void chrootHelper(int argc, char * * argv)
             throw SysError("mounting '%s' on '%s'", realStoreDir, storeDir);
 
         for (auto entry : readDirectory("/")) {
+            auto src = "/" + entry.name;
+            auto st = lstat(src);
+            if (!S_ISDIR(st.st_mode)) continue;
             Path dst = tmpDir + "/" + entry.name;
             if (pathExists(dst)) continue;
             if (mkdir(dst.c_str(), 0700) == -1)
-                throw SysError(format("creating directory '%s'") % dst);
-            if (mount(("/" + entry.name).c_str(), dst.c_str(), "", MS_BIND | MS_REC, 0) == -1)
-                throw SysError(format("mounting '%s' on '%s'") %  ("/" + entry.name) % dst);
+                throw SysError("creating directory '%s'", dst);
+            if (mount(src.c_str(), dst.c_str(), "", MS_BIND | MS_REC, 0) == -1)
+                throw SysError("mounting '%s' on '%s'", src, dst);
         }
 
         char * cwd = getcwd(0, 0);

diff --git a/tests/binary-cache.sh b/tests/binary-cache.sh
@@ -16,9 +16,9 @@ basicTests() {
     clearStore
     clearCacheCache
 
-    nix-env --option binary-caches "file://$cacheDir" -f dependencies.nix -qas \* | grep -- "---"
+    nix-env --substituters "file://$cacheDir" -f dependencies.nix -qas \* | grep -- "---"
 
-    nix-store --option binary-caches "file://$cacheDir" --option signed-binary-caches '' -r $outPath
+    nix-store --substituters "file://$cacheDir" --no-require-sigs -r $outPath
 
     [ -x $outPath/program ]
 
@@ -28,13 +28,13 @@ basicTests() {
     clearCacheCache
     echo "WantMassQuery: 1" >> $cacheDir/nix-cache-info
 
-    nix-env --option binary-caches "file://$cacheDir" -f dependencies.nix -qas \* | grep -- "--S"
-    nix-env --option binary-caches "file://$cacheDir" -f dependencies.nix -qas \* | grep -- "--S"
+    nix-env --substituters "file://$cacheDir" -f dependencies.nix -qas \* | grep -- "--S"
+    nix-env --substituters "file://$cacheDir" -f dependencies.nix -qas \* | grep -- "--S"
 
     x=$(nix-env -f dependencies.nix -qas \* --prebuilt-only)
     [ -z "$x" ]
 
-    nix-store --option binary-caches "file://$cacheDir" --option signed-binary-caches '' -r $outPath
+    nix-store --substituters "file://$cacheDir" --no-require-sigs -r $outPath
 
     nix-store --check-validity $outPath
     nix-store -qR $outPath | grep input-2
@@ -63,7 +63,7 @@ mv $nar $nar.good
 mkdir -p $TEST_ROOT/empty
 nix-store --dump $TEST_ROOT/empty | xz > $nar
 
-nix-build --option binary-caches "file://$cacheDir" --option signed-binary-caches '' dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log
+nix-build --substituters "file://$cacheDir" --no-require-sigs dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log
 grep -q "hash mismatch" $TEST_ROOT/log
 
 mv $nar.good $nar
@@ -73,7 +73,7 @@ mv $nar.good $nar
 clearStore
 clearCacheCache
 
-if nix-store --option binary-caches "file://$cacheDir" -r $outPath; then
+if nix-store --substituters "file://$cacheDir" -r $outPath; then
     echo "unsigned binary cache incorrectly accepted"
     exit 1
 fi
@@ -83,12 +83,12 @@ fi
 # corresponding NAR has disappeared.
 clearStore
 
-nix-build --option binary-caches "file://$cacheDir" dependencies.nix --dry-run # get info
+nix-build --substituters "file://$cacheDir" dependencies.nix --dry-run # get info
 
 mkdir $cacheDir/tmp
 mv $cacheDir/*.nar* $cacheDir/tmp/
 
-NIX_DEBUG_SUBST=1 nix-build --option binary-caches "file://$cacheDir" dependencies.nix -o $TEST_ROOT/result --fallback
+NIX_DEBUG_SUBST=1 nix-build --substituters "file://$cacheDir" dependencies.nix -o $TEST_ROOT/result --fallback
 
 mv $cacheDir/tmp/* $cacheDir/
 
@@ -99,7 +99,7 @@ clearStore
 
 rm $(grep -l "StorePath:.*dependencies-input-2" $cacheDir/*.narinfo)
 
-nix-build --option binary-caches "file://$cacheDir" --option signed-binary-caches '' dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log
+nix-build --substituters "file://$cacheDir" --no-require-sigs dependencies.nix -o $TEST_ROOT/result 2>&1 | tee $TEST_ROOT/log
 grep -q "copying path" $TEST_ROOT/log
 
 
@@ -124,18 +124,18 @@ nix copy --to file://$cacheDir?secret-key=$TEST_ROOT/sk1 $outPath
 clearStore
 clearCacheCache
 
-(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' )
+(! nix-store -r $outPath --substituters "file://$cacheDir")
 
 
 # And it should fail if we provide an incorrect key.
 clearStore
 clearCacheCache
 
-(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$badKey")
+(! nix-store -r $outPath --substituters "file://$cacheDir" --trusted-public-keys "$badKey")
 
 
 # It should succeed if we provide the correct key.
-nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$otherKey $publicKey"
+nix-store -r $outPath --substituters "file://$cacheDir" --trusted-public-keys "$otherKey $publicKey"
 
 
 # It should fail if we corrupt the .narinfo.
@@ -152,10 +152,10 @@ done
 
 clearCacheCache
 
-(! nix-store -r $outPath --option binary-caches "file://$cacheDir2" --option signed-binary-caches '*' --option binary-cache-public-keys "$publicKey")
+(! nix-store -r $outPath --substituters "file://$cacheDir2" --trusted-public-keys "$publicKey")
 
 # If we provide a bad and a good binary cache, it should succeed.
 
-nix-store -r $outPath --option binary-caches "file://$cacheDir2 file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$publicKey"
+nix-store -r $outPath --substituters "file://$cacheDir2 file://$cacheDir" --trusted-public-keys "$publicKey"
 
 fi # HAVE_LIBSODIUM
diff --git a/tests/fetchurl.sh b/tests/fetchurl.sh
@@ -5,7 +5,7 @@ clearStore
 # Test fetching a flat file.
 hash=$(nix-hash --flat --type sha256 ./fetchurl.sh)
 
-outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr sha256 $hash --no-out-link --option hashed-mirrors '')
+outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr sha256 $hash --no-out-link --hashed-mirrors '')
 
 cmp $outPath fetchurl.sh
 
@@ -14,7 +14,7 @@ clearStore
 
 hash=$(nix hash-file --type sha512 --base64 ./fetchurl.sh)
 
-outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr sha512 $hash --no-out-link --option hashed-mirrors '')
+outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr sha512 $hash --no-out-link --hashed-mirrors '')
 
 cmp $outPath fetchurl.sh
 
@@ -29,7 +29,7 @@ rm -rf $mirror
 mkdir -p $mirror/sha512
 ln -s $(pwd)/fetchurl.sh $mirror/sha512/$hash32
 
-outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr sha512 $hash --no-out-link --option hashed-mirrors "file://$mirror")
+outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr sha512 $hash --no-out-link --hashed-mirrors "file://$mirror")
 
 # Test unpacking a NAR.
 rm -rf $TEST_ROOT/archive

diff --git a/tests/linux-sandbox.sh b/tests/linux-sandbox.sh
@@ -16,7 +16,7 @@ rm -rf $TEST_ROOT/store0
 export NIX_STORE_DIR=/my/store
 export NIX_REMOTE=$TEST_ROOT/store0
 
-outPath=$(nix-build dependencies.nix --no-out-link --option sandbox-paths /nix/store)
+outPath=$(nix-build dependencies.nix --no-out-link --sandbox-paths /nix/store)
 
 [[ $outPath =~ /my/store/.*-dependencies ]]
 

diff --git a/tests/logging.sh b/tests/logging.sh
@@ -11,5 +11,5 @@ path=$(nix-build dependencies.nix --no-out-link)
 clearStore
 rm -rf $NIX_LOG_DIR
 (! nix-store -l $path)
-nix-build dependencies.nix --no-out-link --option compress-build-log true
+nix-build dependencies.nix --no-out-link --compress-build-log
 [ "$(nix-store -l $path)" = FOO ]
diff --git a/tests/multiple-outputs.sh b/tests/multiple-outputs.sh
@@ -59,5 +59,5 @@ fi
 
 echo "collecting garbage..."
 rm $TEST_ROOT/result*
-nix-store --gc --option keep-derivations true --option keep-outputs true
+nix-store --gc --keep-derivations --keep-outputs
 nix-store --gc --print-roots
diff --git a/tests/optimise-store.sh b/tests/optimise-store.sh
@@ -2,8 +2,8 @@ source common.sh
 
 clearStore
 
-outPath1=$(echo 'with import ./config.nix; mkDerivation { name = "foo1"; builder = builtins.toFile "builder" "mkdir $out; echo hello > $out/foo"; }' | nix-build - --no-out-link --option auto-optimise-store true)
-outPath2=$(echo 'with import ./config.nix; mkDerivation { name = "foo2"; builder = builtins.toFile "builder" "mkdir $out; echo hello > $out/foo"; }' | nix-build - --no-out-link --option auto-optimise-store true)
+outPath1=$(echo 'with import ./config.nix; mkDerivation { name = "foo1"; builder = builtins.toFile "builder" "mkdir $out; echo hello > $out/foo"; }' | nix-build - --no-out-link --auto-optimise-store)
+outPath2=$(echo 'with import ./config.nix; mkDerivation { name = "foo2"; builder = builtins.toFile "builder" "mkdir $out; echo hello > $out/foo"; }' | nix-build - --no-out-link --auto-optimise-store)
 
 inode1="$(stat --format=%i $outPath1/foo)"
 inode2="$(stat --format=%i $outPath2/foo)"

diff --git a/tests/repair.sh b/tests/repair.sh
@@ -51,7 +51,7 @@ nix copy --to file://$cacheDir $path
 chmod u+w $path2
 rm -rf $path2
 
-nix-store --verify --check-contents --repair --option binary-caches "file://$cacheDir" --option signed-binary-caches ''
+nix-store --verify --check-contents --repair --substituters "file://$cacheDir" --no-require-sigs
 
 if [ "$(nix-hash $path2)" != "$hash" -o -e $path2/bad ]; then
     echo "path not repaired properly" >&2
@@ -69,7 +69,7 @@ if nix-store --verify-path $path2; then
     exit 1
 fi
 
-nix-store --repair-path $path2 --option binary-caches "file://$cacheDir" --option signed-binary-caches ''
+nix-store --repair-path $path2 --substituters "file://$cacheDir" --no-require-sigs
 
 if [ "$(nix-hash $path2)" != "$hash" -o -e $path2/bad ]; then
     echo "path not repaired properly" >&2

diff --git a/tests/restricted.sh b/tests/restricted.sh
@@ -2,19 +2,19 @@ source common.sh
 
 clearStore
 
-nix-instantiate --option restrict-eval true --eval -E '1 + 2'
-(! nix-instantiate --option restrict-eval true ./simple.nix)
-nix-instantiate --option restrict-eval true ./simple.nix -I src=.
-nix-instantiate --option restrict-eval true ./simple.nix -I src1=simple.nix -I src2=config.nix -I src3=./simple.builder.sh
+nix-instantiate --restrict-eval --eval -E '1 + 2'
+(! nix-instantiate --restrict-eval ./simple.nix)
+nix-instantiate --restrict-eval ./simple.nix -I src=.
+nix-instantiate --restrict-eval ./simple.nix -I src1=simple.nix -I src2=config.nix -I src3=./simple.builder.sh
 
-(! nix-instantiate --option restrict-eval true --eval -E 'builtins.readFile ./simple.nix')
-nix-instantiate --option restrict-eval true --eval -E 'builtins.readFile ./simple.nix' -I src=..
+(! nix-instantiate --restrict-eval --eval -E 'builtins.readFile ./simple.nix')
+nix-instantiate --restrict-eval --eval -E 'builtins.readFile ./simple.nix' -I src=..
 
-(! nix-instantiate --option restrict-eval true --eval -E 'builtins.readDir ../src/boost')
-nix-instantiate --option restrict-eval true --eval -E 'builtins.readDir ../src/boost' -I src=../src
+(! nix-instantiate --restrict-eval --eval -E 'builtins.readDir ../src/boost')
+nix-instantiate --restrict-eval --eval -E 'builtins.readDir ../src/boost' -I src=../src
 
-(! nix-instantiate --option restrict-eval true --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>')
-nix-instantiate --option restrict-eval true --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>' -I src=.
+(! nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>')
+nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>' -I src=.
 
 p=$(nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --restrict-eval --allowed-uris "file://$(pwd)")
 cmp $p restricted.sh