Questions about "Untrusted paths"

Help
1

I found my nix store contains some untrusted paths by running nix store verify --all

error: --- Untrusted path ---------------------------------------------------------------------------------------------------------------------------------- nix
path '/nix/store/16pln0qv68dbxd8qlqhzig68dkzjyw8i-cantarell-fonts-0.111' is untrusted
error: --- Untrusted path ---------------------------------------------------------------------------------------------------------------------------------- nix
path '/nix/store/6105i8mfqzjkz0y1rhynb34vr9hqg5sl-source-code-pro-2.030' is untrusted
error: --- Untrusted path ---------------------------------------------------------------------------------------------------------------------------------- nix
path '/nix/store/bzjd66sdi85rwj7kd3zcdsi52xzhx69c-nix-wallpaper-simple-dark-gray.png' is untrusted
error: --- Untrusted path ---------------------------------------------------------------------------------------------------------------------------------- nix
path '/nix/store/cdcgcd5lxvgfli4k5g1yl9nslhs474mg-hwdata-0.316' is untrusted
error: --- Untrusted path ---------------------------------------------------------------------------------------------------------------------------------- nix
path '/nix/store/dbn507rrsmgmdxwknhb3554nmkl0kvgi-gyre-fonts-2.005' is untrusted
error: --- Untrusted path ---------------------------------------------------------------------------------------------------------------------------------- nix
path '/nix/store/ism4vryr6cklc2wcank1aadxvnyv6mm1-nixos-20.03pre202088.e89b21504f3' is untrusted
error: --- Untrusted path ---------------------------------------------------------------------------------------------------------------------------------- nix
path '/nix/store/qb82wpjaf3j6pswhk73rkcd43si2nb1w-nix-wallpaper-simple-dark-gray_bottom.png' is untrusted
error: --- Untrusted path ---------------------------------------------------------------------------------------------------------------------------------- nix
path '/nix/store/sksvv8dacm5k66hinhyhlckbjqx1s351-source-sans-pro-3.006' is untrusted
error: --- Untrusted path ---------------------------------------------------------------------------------------------------------------------------------- nix
path '/nix/store/srjp3lv3qfand8pwsj8np32yw1q4f7ms-intel2200BGFirmware-3.1' is untrusted
error: --- Untrusted path ---------------------------------------------------------------------------------------------------------------------------------- nix
path '/nix/store/szphjhh0j68yhddyw2zh8ykr00mhd1r2-publicsuffix-list-2019-05-24' is untrusted
error: --- Untrusted path ---------------------------------------------------------------------------------------------------------------------------------- nix
path '/nix/store/xmp5w9p9jb4r2nq8sa1wyc33s6ymq198-zd1211-firmware-1.5' is untrusted
error: --- Untrusted path ---------------------------------------------------------------------------------------------------------------------------------- nix
path '/nix/store/y1hybm8h1kln0hg06c42m4g1wsblc0ig-freefont-ttf-20120503' is untrusted
error: --- Untrusted path ---------------------------------------------------------------------------------------------------------------------------------- nix
path '/nix/store/y4q0n7igsiagm91hgd0q8hrnicii4nyj-nixos.svg' is untrusted

My questions:

  1. Why are these paths marked as untrusted?
  2. I guess these paths are unstrusted because there is no attached signature in the store, how can I fetch the signature or at least check if there is a corresponding signature in the substituter? nix store copy-sigs does not accept store paths as installables and these paths do not have a deriver (according to nix-store -q --deriver).
3 Likes
2

This is a good question. I just ran this and found 100s of untrusted paths and a few corrupt ones.

3

You’re correct, the paths are untrusted because of missing signatures. You can get them from the binary cache.

nix verify -s https://cache.nixos.org