Setting up a binary cache

As instructed in Binary Cache - NixOS Wiki, I ran on the server:

$ nix-build '<nixpkgs>' -A pkgs.hello

Then to start the cache I found out I can use an environment variable to specify the location of the private key:

$ export NIX_SECRET_KEY_FILE=/var/cache-priv-key.pem
$ nix-serve --listen :5555

I see when NIX_SECRET_KEY_FILE is set, I get the extra “Sig:” line:

$ curl
StorePath: /nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10
URL: nar/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z.nar
Compression: none
NarHash: sha256:0mkfk4iad66xkld3b7x34n9kxri9lrpkgk8m17p97alacx54h5c7
NarSize: 205920
References: 6yaj6n8l925xxfbcd65gzqx3dz7idrnn-glibc-2.27 rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10
Deriver: r6h5b3wy0kwx38rn6s6qmmfq0svcnf86-hello-2.10.drv

As instructed in the wiki page, to try out the cache I ran:

$ nix-store -r /nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10 --option substituters --option trusted-public-keys $(cat cache-pub-key.pem)
these paths will be fetched (0.00 MiB download, 27.04 MiB unpacked):
warning: substituter '' does not have a valid signature for path '/nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10'
error: build of '/nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10' failed

Why would it say it does not have a valid signature? How can I manually “sign” the file I’m getting with curl using the private key, and compare the result myself?

As I found in Introduction “19.4. Implementing the build hook”, one apparently can sign packages. Is the wiki page incomplete, missing the “signing” step?

For reference, I found the source of nix-serve on GitHub:


I’d highly recommend using that gets you started in a minute, but I don’t know your use case (happy to discuss).

I noticed nix-serve prints a line whenever I use curl to get a URL from it, but not when I use nix-store. It turned out I had to remove Nix’s cache in ~/.cache/nix/binary-cache-v6.sqlite*.


Yes, I stumbled a couple of times upon the cache :)
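
For the first post's question about signing the narinfo by hand and comparing the result, here is an added example (not part of the thread and not nix-serve's code) that rebuilds the fingerprint Nix signs and checks an Ed25519 "Sig:" line against a trusted public key. The fingerprint layout comes from Nix's signing scheme rather than from the thread; the key name `cache.example`, the all-zero seed and the function names are made up, and the References line is assumed to be in the sorted order Nix emits.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
)

const narinfo = `StorePath: /nix/store/rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10
NarHash: sha256:0mkfk4iad66xkld3b7x34n9kxri9lrpkgk8m17p97alacx54h5c7
NarSize: 205920
References: 6yaj6n8l925xxfbcd65gzqx3dz7idrnn-glibc-2.27 rr3y0c6zyk7kjjl8y19s4lsrhn4aiq1z-hello-2.10
` // constructed sample: the signed fields of the narinfo in the first post
var testPriv = ed25519.NewKeyFromSeed(make([]byte, 32)) // constructed all-zero seed, test only
var testPub = "cache.example:" + base64.StdEncoding.EncodeToString(testPriv[32:]) // made-up key name

// Fingerprint returns the string Nix signs (1;StorePath;NarHash;NarSize;refs) and the Sig value.
func Fingerprint(text string) (fp, sig string) {
	f := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		k, v, _ := strings.Cut(line, ": ")
		f[k] = v // if several Sig lines exist, the last one wins here
	}
	refs := strings.Fields(f["References"])
	for i := range refs {
		refs[i] = "/nix/store/" + refs[i] // references are signed as full store paths
	}
	return "1;" + f["StorePath"] + ";" + f["NarHash"] + ";" + f["NarSize"] + ";" + strings.Join(refs, ","), f["Sig"]
}

// Sign returns the "Sig: name:base64" line for text.
func Sign(name string, priv ed25519.PrivateKey, text string) string {
	fp, _ := Fingerprint(text)
	return "Sig: " + name + ":" + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(fp))) + "\n"
}

// Verify checks the Sig line against one trusted key given as "name:base64".
func Verify(text, trusted string) bool {
	fp, sigLine := Fingerprint(text)
	kn, kb, _ := strings.Cut(trusted, ":")
	sn, sb, _ := strings.Cut(sigLine, ":")
	pub, e1 := base64.StdEncoding.DecodeString(kb)
	sig, e2 := base64.StdEncoding.DecodeString(sb)
	return e1 == nil && e2 == nil && kn == sn && len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, []byte(fp), sig)
}

func main() {
	fmt.Println(Verify(narinfo+Sign("cache.example", testPriv, narinfo), testPub), Verify(narinfo, testPub))
}
```

The signature covers only StorePath, NarHash, NarSize and References, so URL, Compression and Deriver are unsigned and the NAR contents are bound only through NarHash.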