secretKeyFiles - move to JSON

Using a JSON string array. It does not work super great without
modifying more of the parsing logic:

    +(signing.sh:115) nix copy --to 'file:///tmp/nix-shell.9u6yin/nix-test/main/signing/storemultisig?secret-keys=["/tmp/nix-shell.9u6yin/nix-test/main/signing/sk1","/tmp/nix-shell.9u6yin/nix-test/main/signing/sk2"]' /tmp/nix-shell.9u6yin/nix-test/main/signing/store/v6vdfqbxk9q56m6gcvk4h7hyq842y18q-dependencies-top
    error: Cannot parse Nix store 'file:///tmp/nix-shell.9u6yin/nix-test/main/signing/storemultisig?secret-keys=["/tmp/nix-shell.9u6yin/nix-test/main/signing/sk1","/tmp/nix-shell.9u6yin/nix-test/main/signing/sk2"]'
    Try 'nix --help' for more information.
    ++(signing.sh:115) onError
    ++(/home/ninjatrappeur/code-root/github.com/NixOS/nix/tests/functional/common/functions.sh:241) set +x
    signing.sh: test failed at:
    main in signing.sh:115

Besides, the syntax is not great from the CLI: we need to escape the
double quotes provided we want to do some sort of variable
substitution.

    nix copy --to \
      "file://$TEST_ROOT/storemultisig?secret-keys=[\"$TEST_ROOT/sk1\",\"$TEST_ROOT/sk2\"]" \
      "$outPath"

:/

Author: picnoir

src/libstore/binary-cache-store.cc

@@ -2,6 +2,8 @@
 #include "nix/store/binary-cache-store.hh"
 #include "nix/util/compression.hh"
 #include "nix/store/derivations.hh"
+#include "nix/util/logging.hh"
+#include "nix/util/signature/local-keys.hh"
 #include "nix/util/source-accessor.hh"
 #include "nix/store/globals.hh"
 #include "nix/store/nar-info.hh"
@@ -16,6 +18,7 @@
 
 #include <chrono>
 #include <future>
+#include <memory>
 #include <regex>
 #include <fstream>
 #include <sstream>
@@ -33,11 +36,21 @@ BinaryCacheStore::BinaryCacheStore(const Params & params)
             SecretKey { readFile(secretKeyFile) }));
 
     if (secretKeyFiles != "") {
-        std::stringstream ss(secretKeyFiles);
-        Path keyPath;
-        while (std::getline(ss, keyPath, ',')) {
+        // secretKeyFiles should be a JSON list of strings.
+        nlohmann::json j = nlohmann::json::parse(secretKeyFiles.get());
+        if (!j.is_array()) {
+            logger->warn("Not an array!!!");
+            throw std::runtime_error("secretKeyFiles is not a JSON array");
+        }
+        for (const auto& keyPath : j) {
+            logger->warn("Parsing keypath!!!");
+            if (!keyPath.is_string()) {
+                logger->warn("Not a string!!!!");
+                throw std::runtime_error("Array contains non-string elements");
+            }
             signers.push_back(std::make_unique<LocalSigner>(
-                SecretKey { readFile(keyPath) }));
+                SecretKey { readFile(keyPath.get<std::string>())}
+            ));
         }
     }
 

tests/functional/signing.sh

@@ -112,7 +112,7 @@ nix store verify --store "$TEST_ROOT"/store0 -r "$outPath2" --trusted-public-key
 nix copy --to "$TEST_ROOT"/store0 "$outPathCA"
 
 # Test multiple signing keys
-nix copy --to "file://$TEST_ROOT/storemultisig?secret-keys=$TEST_ROOT/sk1,$TEST_ROOT/sk2" "$outPath"
+nix copy --to "file://$TEST_ROOT/storemultisig?secret-keys=[\"$TEST_ROOT/sk1\",\"$TEST_ROOT/sk2\"]" "$outPath"
 for file in "$TEST_ROOT/storemultisig/"*.narinfo; do
     if [[ "$(grep -cE  '^Sig: cache[1,2]\.example.org' "$file")" -ne 2 ]]; then
         echo "ERROR: Cannot find cache1.example.org and cache2.example.org signatures in ${file}"