Setting up a binary cache

As instructed in Binary Cache - NixOS Wiki I ran on the server:

$ nix-build '<nixpkgs>' -A pkgs.hello
/nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10

Then to start the cache I found out I can use an environment variable to specify the location of the private key:

$ export NIX_SECRET_KEY_FILE=/var/cache-priv-key.pem
$ nix-serve --listen :5555

I see when NIX_SECRET_KEY_FILE is set, I get the extra “Sig:” line:

$ curl http://mycache.com:5555/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z.narinfo
StorePath: /nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10
URL: nar/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z.nar
Compression: none
NarHash: sha256:0mkfk4iad66xkld3b7x34n9kxri9lrpkgk8m17p97alacx54h5c7
NarSize: 205920
References: 6yaj6n8l925xxfbcd65gzqx3dz7idrnn-glibc-2.27 rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10
Deriver: r6h5b3wy0kwx38rn6s6qmmfq0svcnf86-hello-2.10.drv
Sig: mycache.com:......

As instructed in the wiki page, to try out the cache I ran:

$ nix-store -r /nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10 --option substituters http://mycache.com:5555 --option trusted-public-keys $(cat cache-pub-key.pem)
these paths will be fetched (0.00 MiB download, 27.04 MiB unpacked):
  /nix/store/6yaj6n8l925xxfbcd65gzqx3dz7idrnn-glibc-2.27
  /nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10
warning: substituter 'http://mycache.com:5555' does not have a valid signature for path '/nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10'
error: build of '/nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10' failed

Why would it say it does not have a valid signature? How can I manually “sign” the file I’m getting with curl http://mycache.com:5555/nar/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z.nar using the private key, and compare the result myself?

As I found in Introduction - Nix Reference Manual “19.4. Implementing the build hook”, one apparently can sign packages. Is the wiki page incomplete, missing the “signing” step?

For reference, I found the source of nix-serve on github:

2 Likes
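Added example (not part of the thread and not nix-serve's code) of what the "Sig:" line actually covers and how the check in the question can be done by hand: Nix signs the store path's fingerprint string, not the .nar bytes, with an Ed25519 key whose public half is the trusted-public-keys entry. The narinfo fields are the ones shown above; the key pair is generated in the test rather than read from cache-priv-key.pem.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"strings"
)

// Constructed sample: the narinfo fields from the thread that enter the signature.
const sampleNarinfo = `StorePath: /nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10
NarHash: sha256:0mkfk4iad66xkld3b7x34n9kxri9lrpkgk8m17p97alacx54h5c7
NarSize: 205920
References: 6yaj6n8l925xxfbcd65gzqx3dz7idrnn-glibc-2.27 rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10`

// parseNarinfo splits "Key: value" lines into a map.
func parseNarinfo(text string) map[string]string {
	info := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		if k, v, ok := strings.Cut(line, ": "); ok {
			info[k] = v
		}
	}
	return info
}

// fingerprint is what Nix signs (not the NAR bytes):
// "1;<StorePath>;<NarHash>;<NarSize>;<full reference paths, comma-separated>".
func fingerprint(info map[string]string) string {
	refs := strings.Fields(info["References"])
	for i, r := range refs {
		refs[i] = "/nix/store/" + r
	}
	return "1;" + info["StorePath"] + ";" + info["NarHash"] + ";" + info["NarSize"] + ";" + strings.Join(refs, ",")
}

// signNarinfo builds the Sig line nix-serve emits: "<keyname>:<base64 ed25519 signature>".
func signNarinfo(info map[string]string, keyName string, priv ed25519.PrivateKey) string {
	return keyName + ":" + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(fingerprint(info))))
}

// verifyNarinfo checks Sig against a trusted-public-keys entry "<keyname>:<base64 pubkey>"; a Sig under another key name is not trusted.
func verifyNarinfo(info map[string]string, trustedKey string) bool {
	keyName, keyB64, _ := strings.Cut(trustedKey, ":")
	sigName, sigB64, _ := strings.Cut(info["Sig"], ":")
	pub, err1 := base64.StdEncoding.DecodeString(keyB64)
	sig, err2 := base64.StdEncoding.DecodeString(sigB64)
	if sigName != keyName || err1 != nil || err2 != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), []byte(fingerprint(info)), sig)
}
```

Any change to StorePath, NarHash, NarSize or References invalidates the signature, while URL and Compression are not covered by it; a key name in the Sig line that does not match the trusted entry fails before the signature is even checked.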

I’d highly recommend using https://cachix.org/ that gets you started in a minute, but I don’t know your use case (happy to discuss).

I noticed nix-serve prints a line whenever I use curl to get a URL from it, but not when I use nix-store. Turned out I had to remove nix’s cache in ~/.cache/nix/binary-cache-v6.sqlite*.

1 Like

Yes, I stumbled a couple of times upon the cache 🙂