Cobbling together a handful of posts and documentation bits, I set up a generic repo in my company’s Artifactory instance, then mounted that on my test system using davfs. At this point I was able to do a build of my flake and nix copy it to the mounted folder, after which I could validate the upload of about 200mb of NARs:
nix build .
nix copy --to file:///mnt/nix .
However, I realised afterward that none of my built packages were signed, so this gave me trouble when I went to try to consume it over HTTP. I tried to generate a key and sign them after the fact, but it’s telling me there’s nothing to do, with an “added 0 signatures” notice:
nix-store --generate-binary-cache-key jfrog-nixcache cache-priv-key.pem cache-pub-key.pem
nix store sign . -k cache-priv-key.pem --recursive --verbose
When examining by hand the contents of my /nix/store, I can indeed confirm that many packages are unsigned. What am I getting wrong here?
It’s a bit more of a brute force approach, but it seems I was able to do a mass signing like so:
$ nix store sign --all -k cache-priv-key.pem --recursive --verbose
added 3707 signatures
However, the nix copy operation following this was a no-op. In order to actually get the signed narinfos up on my cache, I had to flush it and start over. Is this expected? Is there a way to just handle signing at the point of copy/upload instead of it having to be this separate affair?
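An added example (not from the original poster) for checking the result of the copy: it scans the .narinfo files in a local cache directory and lists the store paths that carry no Sig: line from a given key name. The key name jfrog-nixcache is taken from the post; the store paths, hashes and signature value in the sample cache are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit the narinfos in a local
# binary cache directory (such as the davfs mount of the Artifactory repo) and
# report store paths that carry no signature from the expected key.
set -eu

# Print the StorePath of every .narinfo under $1 that has no "Sig: $2:..." line.
# A narinfo is a list of "Key: value" lines; one file may hold several Sig: lines
# (one per signing key), so we match on the key name, not on Sig: alone.
unsigned_narinfos() {
    local dir="$1" key="$2" f
    for f in "$dir"/*.narinfo; do
        [ -e "$f" ] || continue
        grep -q "^Sig: ${key}:" "$f" || sed -n 's/^StorePath: //p' "$f"
    done
}

# Count .narinfo files under $1 that carry at least one signature from key $2.
count_signed() {
    grep -l "^Sig: $2:" "$1"/*.narinfo 2>/dev/null | wc -l | tr -d ' '
}

# Build a constructed sample cache: one path signed with jfrog-nixcache, one
# unsigned. Hashes and the signature value are placeholders, not real digests.
make_sample_cache() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.narinfo" <<'EOF'
StorePath: /nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-hello-2.12
URL: nar/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.nar.xz
Compression: xz
NarHash: sha256:0000000000000000000000000000000000000000000000000000
NarSize: 1
Sig: jfrog-nixcache:ZmFrZXNpZ25hdHVyZQ==
EOF
    cat > "$dir/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb.narinfo" <<'EOF'
StorePath: /nix/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-openssl-3.0
URL: nar/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb.nar.xz
Compression: xz
NarHash: sha256:0000000000000000000000000000000000000000000000000000
NarSize: 1
EOF
    printf '%s\n' "$dir"
}

# Stand-alone usage: audit the sample cache for the jfrog-nixcache key.
cache=$(make_sample_cache)
echo "signed by jfrog-nixcache: $(count_signed "$cache" jfrog-nixcache)"
echo "unsigned for jfrog-nixcache:"
unsigned_narinfos "$cache" jfrog-nixcache
```

On a real cache, point unsigned_narinfos at the mounted directory and the key name you passed to nix-store --generate-binary-cache-key. Signing at upload time rather than as a separate pass is possible by giving the key as a store URL parameter, e.g. `--to 'file:///mnt/nix?secret-key=cache-priv-key.pem'`.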