Manual signing with davfs binary cache

Cobbling together a handful of posts and documentation bits, I set up a generic repo in my company’s Artifactory instance, then mounted that on my test system using davfs. At this point I was able to do a build of my flake and nix copy it to the mounted folder, after which I could validate the upload of about 200 MB of NARs:

nix build .
nix copy --to file:///mnt/nix .

However, I realised afterward that none of my built packages were signed, so this gave me trouble when I went to try to consume it over HTTP. I tried to generate a key and sign them after the fact, but it’s telling me there’s nothing to do, with an “added 0 signatures” notice:

nix-store --generate-binary-cache-key jfrog-nixcache cache-priv-key.pem cache-pub-key.pem
nix store sign . -k cache-priv-key.pem --recursive --verbose

When examining by hand the contents of my /nix/store, I can indeed confirm that many packages are unsigned. What am I getting wrong here?

It’s a bit more of a brute force approach, but it seems I was able to do a mass signing like so:

$ nix store sign --all -k cache-priv-key.pem --recursive --verbose
added 3707 signatures

However, the nix copy operation following this was a no-op. In order to actually get the signed narinfos up on my cache, I had to flush it and start over. Is this expected? Is there a way to just handle signing at the point of copy/upload instead of it having to be this separate affair?
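The post above checks the /nix/store by hand for unsigned paths, but what a consumer actually evaluates is the set of .narinfo files in the cache itself, and nix copy will not re-upload a path the destination already has, so a signature added locally after the upload never reaches the mounted cache. The following is an added example, not code from the original post or from the Nix project, that audits the narinfo files in a mounted cache directory for a Sig: line carrying the expected key name. It assumes the cache is mounted as a plain directory (as with davfs here), that the key name is read from the cache-pub-key.pem written by nix-store --generate-binary-cache-key, and that narinfo files hold signatures as "Sig: <keyname>:<base64>" lines; the sample cache it builds is constructed for the demo, with made-up hashes and a made-up signature.

```sh
#!/bin/sh
# Added example (not from the original post or from Nix): audit the .narinfo
# files in a mounted binary cache for a "Sig: <keyname>:..." line, so that
# unsigned paths are found before a consumer rejects them.

# Read the key name from a public key file written by
# nix-store --generate-binary-cache-key (file format "<keyname>:<base64>").
key_name_from_pubkey() {
    cut -d: -f1 < "$1"
}

# Print the .narinfo files under cache root $1 that carry no Sig: line for
# key name $2. Return 0 if every narinfo is signed, 1 otherwise.
check_cache_signed() {
    cache_root=$1
    key_name=$2
    missing=0
    for f in "$cache_root"/*.narinfo; do
        [ -e "$f" ] || continue            # glob matched nothing: no narinfos
        if ! grep -q "^Sig: $key_name:" "$f"; then
            echo "unsigned: $f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample cache for the demo: hashes and the signature value are
# made up, not real store paths. One narinfo is signed, one is not.
make_sample_cache() {
    dir=$(mktemp -d)
    cat > "$dir/0000000000000000000000000000000a.narinfo" <<'EOF'
StorePath: /nix/store/0000000000000000000000000000000a-hello-2.12
URL: nar/0000000000000000000000000000000a.nar.xz
Compression: xz
NarHash: sha256:0000000000000000000000000000000000000000000000000000
NarSize: 1
References:
Sig: jfrog-nixcache:c2lnbmF0dXJlLWJ5dGVzLWdvLWhlcmU=
EOF
    cat > "$dir/0000000000000000000000000000000b.narinfo" <<'EOF'
StorePath: /nix/store/0000000000000000000000000000000b-unsigned-pkg
URL: nar/0000000000000000000000000000000b.nar.xz
Compression: xz
NarHash: sha256:0000000000000000000000000000000000000000000000000000
NarSize: 1
References:
EOF
    # Public key file in the same format nix-store --generate-binary-cache-key
    # writes; the key bytes here are a placeholder.
    printf 'jfrog-nixcache:cHVibGljLWtleS1ieXRlcw==\n' > "$dir/cache-pub-key.pem"
    echo "$dir"
}

# Stand-alone run against the constructed cache. Against a real mount you
# would call: check_cache_signed /mnt/nix "$(key_name_from_pubkey cache-pub-key.pem)"
demo_dir=$(make_sample_cache)
demo_key=$(key_name_from_pubkey "$demo_dir/cache-pub-key.pem")
if check_cache_signed "$demo_dir" "$demo_key"; then
    echo "all narinfos are signed with $demo_key"
else
    echo "some narinfos are not signed with $demo_key"
fi
rm -r "$demo_dir"
```

A present Sig: line only shows that some signature by that key name was recorded; it does not verify the signature, which Nix does itself against trusted-public-keys when it fetches. Since nix copy skips paths the destination already reports as valid, the narinfos in the mount are the ground truth, which is why the unsigned narinfos stayed unsigned after the local re-signing. Setting secret-key-files in nix.conf signs locally built paths at build time, so they are already signed when copied.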

What is . in the nix store sign command? Were you signing the copied NARs or actually signing the store paths in the store?

I believe the . is just the flake’s defaultPackage, though I was also experimenting with .#noetic.ros-base as the build/sign/copy target (the context here is in working with the packages in @lopsided98’s excellent nix-ros-overlay: GitHub - lopsided98/nix-ros-overlay: ROS overlay for the Nix package manager)

As far as what’s getting signed, to be honest, I’m enough of a newbie that I’m not quite sure. I believe I’m signing the store paths, and those signatures then carry over when the archives are prepared at copy time. But I’m still pretty in the dark about what’s actually going on the nix store.
