Setting up a binary cache

aleb · October 11, 2019, 4:43pm

As instructed in Binary Cache - NixOS Wiki I ran on the server:

$ nix-build '<nixpkgs>' -A pkgs.hello
/nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10

Then to start the cache I found out I can use an environment variable to specify the location of the private key:
https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/nix-serve.nix#L64

$ export NIX_SECRET_KEY_FILE=/var/cache-priv-key.pem
$ nix-serve --listen :5555

I see when NIX_SECRET_KEY_FILE is set, I get the extra “Sig:” line:

$ curl http://mycache.com:5555/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z.narinfo
StorePath: /nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10
URL: nar/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z.nar
Compression: none
NarHash: sha256:0mkfk4iad66xkld3b7x34n9kxri9lrpkgk8m17p97alacx54h5c7
NarSize: 205920
References: 6yaj6n8l925xxfbcd65gzqx3dz7idrnn-glibc-2.27 rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10
Deriver: r6h5b3wy0kwx38rn6s6qmmfq0svcnf86-hello-2.10.drv
Sig: mycache.com:......

As instructed in the wiki page, to try out the cache I ran:

$ nix-store -r /nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10 --option substituters http://mycache.com:5555 --option trusted-public-keys $(cat cache-pub-key.pem)
these paths will be fetched (0.00 MiB download, 27.04 MiB unpacked):
  /nix/store/6yaj6n8l925xxfbcd65gzqx3dz7idrnn-glibc-2.27
  /nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10
warning: substituter 'http://mycache.com:5555' does not have a valid signature for path '/nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10'
error: build of '/nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10' failed

Why would it say it does not have a valid signature? How can I manually “sign” the file I’m getting with curl http://mycache.com:5555/nar/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z.nar using the private key, and compare the result myself?

As I found in Introduction “19.4. Implementing the build hook”, one apparently can sign packages. Is the wiki page incomplete, missing the “signing” step?

For reference, I found the source of nix-serve on github:
https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/package-management/nix-serve/default.nix#L39
https://github.com/edolstra/nix-serve/blob/master/nix-serve.psgi

domenkozar · October 13, 2019, 2:57pm

I’d highly recommend using https://cachix.org/ that gets you started in a minute, but I don’t know your use case (happy to discuss).

aleb · October 14, 2019, 11:53am

I noticed nix-serve prints a line whenever I use curl to get a URL from it, but not when I use nix-store. Turned out I had to remove nix’s cache in ~/.cache/nix/binary-cache-v6.sqlite*.

ip1981 · October 14, 2019, 3:23pm

Yes, I stumbled a couple of times upon the cache