Suppose that I have a file with store paths that I want to sign, e.g. new-paths. With Nix 2.3 this is easy:
$ nix sign-paths --key-file cache-priv-key.pem $(cat new-paths)
However, I now want to sign paths are built through a flake in GitHub Actions. So, I am installing Nix unstable with nix-command and flake as experimental features and build the flake. However, now using the same approach in Nix unstable leads to:
$ nix sign-paths --key-file cache-priv-key.pem $(cat new-paths)
error: --- Error ------------------------------------------------------------------------------------------------------------------------------- nix
flake 'path:/nix/store/7zj2cs6ka320hplg4ia7rlmgy54z5war-source' does not provide attribute 'packages.x86_64-linux.defaultPackage.x86_64-linux', 'legacyPackages.x86_64-linux.defaultPackage.x86_64-linux' or 'defaultPackage.x86_64-linux'
The problem seems to be that if commands like sign-paths or path-info are used with a Nix store path that contains flake.nix, the store path is treated as a flake rather than a regular store path.
Passing --experimental-features 'nix-command' (thus disabling flake support) does not solve this issue. I am not sure if this is a bug or whether I am overlooking some option or flag.
Ps. I know that I can cheat with something like the following. But I’d prefer just using one version of Nix
$ nix run nixpkgs#nix \
-- sign-paths --key-file cache-priv-key.pem $(cat new-paths)