How do I query the Nix store for all packages I have built myself

I want to have all store paths that I have built myself and not downloaded from Hydra or other substituters.

Best would be if I can filter it to only contain packages and not sources, configs or tests.

I would like to submit those to Trustix.

Does the Nix database store the source of an output path (substitute vs. build)? That’s the only place I could imagine sourcing this information from, otherwise any output path is the same.

If this isn’t available, your only bet would be to set up a quick script to hash output paths and compare them with the cache.

Not an expert on the Nix store, but I think the ultimate signature means it was built on your machine:

$ nix path-info -r  --sigs /run/current-system | fgrep ultimate
/nix/store/s0niplml4flh94q36lkdllb87xk4r4ly-etc-lvm.conf                                        ultimate
/nix/store/sb92hx576xlhjz607nz433w3hilljhrl-lightdm.pam                                         ultimate
/nix/store/swc0x2yrmr3pq3j1i0aw62i8h6s0025g-etc-lsb-release                                     ultimate
...

Fetching all local paths:

$ sqlite3  /nix/var/nix/db/db.sqlite 'SELECT path FROM ValidPaths WHERE ultimate IS NOT NULL;'
...
/nix/store/79rsmykdc1hyi64zxrs4dzyy903b5gdn-perl5.32.1-System-Command-1.121
/nix/store/s3ndlkaipad43jxqjy4qpzfshlj4z2c2-gperftools-2.9.1
/nix/store/rzn5jv1xxxxwdgmjl0hasvzcjxsdk98m-source-highlight-3.1.9
/nix/store/bjpjfa5vqkfj9r5q90n6fkjqqw7cfal7-source-highlight-3.1.9-dev
/nix/store/0vjjja86iwc21244573a79xr5w14hg7s-asciidoc-9.1.0

That seems to be the case; substituted paths are signed by the NixOS cache.

To add a bit of color to it: looking at nix/local-derivation-goal.cc at 059ae7f6c4b491d728714207c082a03d94c06744 (NixOS/nix on GitHub), ultimate is not mutually exclusive with other signatures (local or remote):

# fetch from cache:
$ nix build -f '<nixpkgs>' lv
$ nix path-info --sigs ./result
/nix/store/0ip5dpkj6lmv2xcixnfkkmxf966vqjz0-lv-4.51     cache.nixos.org-1:5w80DSCt49gaSBEM9TO0X3HCABmdbVjzTcBE43ULYrXODgkaiI/gkOiGrLG6ng7Oq63DsfWsAt2m66snitbDBA==

# build locally
$ nix build -f '<nixpkgs>' lv --rebuild
$ nix path-info --sigs ./result
/nix/store/0ip5dpkj6lmv2xcixnfkkmxf966vqjz0-lv-4.51     ultimate cache.nixos.org-1:5w80DSCt49gaSBEM9TO0X3HCABmdbVjzTcBE43ULYrXODgkaiI/gkOiGrLG6ng7Oq63DsfWsAt2m66snitbDBA==

Note that in addition to just the cache.nixos.org-1 signature, one more was added: ultimate. Depending on what you’d like to achieve, you might need to filter some cases out.


Yes, that is true.

So to get all locally built store paths:

nix path-info --all --sigs | fgrep ultimate | awk '{print $1}'
/nix/store/00fncjc1nkrmxady649f4pl5fnv6cmc4-cli-3d22a24
/nix/store/1sc7ngvs8xlgfimxggc8x7dyv14pcp2z-unit-dbus.socket
/nix/store/5wr912j78swlicllrbw2l4p7y1z1qyfs-gsignond-with-plugins-1.2.0
...

Many config files are less than 1KB, many service files are between 1 and 4KB, everything above is mostly packages and sources.

We can also remove paths with known endings we don’t want.

So here we go:

nix path-info --all --sigs --size | fgrep ultimate | awk '{ if ($2 > 4000) print $1}' | sed -E '/.*\.zip$|.*\.gz$|.*\.tgz$|.*\.bz$|.*\.xz$|.*\.deb$|.*\.conf$|.*\.target$|.*\.socket$|.*\.timer$|.*\.pam$|.*\.json$|.*\.patch$|.*\.service$|.*-etc$|.*-nixos-system.*$|.*-system-units$|.*-user-environment$|.*-etc-environment$|.*-env$/d'
/nix/store/00fncjc1nkrmxady649f4pl5fnv6cmc4-cli-3d22a24
/nix/store/5wr912j78swlicllrbw2l4p7y1z1qyfs-gsignond-with-plugins-1.2.0
/nix/store/9id0c5lv279p9lkxhpzgfg5x7na5q40n-nixos-install
...
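An added example, not part of the thread: the same filter written so that `ultimate` is matched as a whole field after the size column (a plain `fgrep ultimate` also hits store paths whose name contains the word), and so that the two cases shown above (ultimate only, and ultimate plus a cache signature after `--rebuild`) are reported separately. The function names, the sample lines and the `cache.example.org-1` key are constructed; the column layout assumed is the one used above (`$1` path, `$2` size, then flags and signatures).

```shell
#!/bin/sh
# classify_paths MIN_SIZE
# Reads `nix path-info --all --sigs --size` output on stdin and prints
# "<class><TAB><path>" for every path flagged ultimate and larger than MIN_SIZE:
#   local-only    ultimate, no key signature
#   local+signed  ultimate and also signed by some key (e.g. a rebuilt cache path)
classify_paths() {
    awk -v min="${1:-0}" '
    {
        ultimate = 0; signed = 0
        # Fields after the size are either the literal flag or "keyname:base64sig".
        for (i = 3; i <= NF; i++) {
            if ($i == "ultimate") ultimate = 1
            else if (index($i, ":") > 0) signed = 1
        }
        if (!ultimate || $2 + 0 <= min) next
        printf "%s\t%s\n", (signed ? "local+signed" : "local-only"), $1
    }'
}

# Constructed sample input (hashes, sizes and signatures are placeholders).
sample_input() {
    cat <<'EOF'
/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-ultimate-demo-1.0   52000 cache.example.org-1:AAAA
/nix/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-lv-4.51             310000 ultimate cache.example.org-1:BBBB
/nix/store/cccccccccccccccccccccccccccccccc-cli-3d22a24         90000 ultimate
/nix/store/dddddddddddddddddddddddddddddddd-unit-dbus.socket      900 ultimate
EOF
}

# On a real system: nix path-info --all --sigs --size | classify_paths 4000
sample_input | classify_paths 4000
```

The substituted `ultimate-demo` path is dropped even though its line contains the word, and the small `.socket` unit falls under the 4000-byte threshold from the post above.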

Thank you!
