Trusted substituters in Nix 2.4

charles-dyfis-net · May 22, 2022, 4:22am

I have a local file-based cache which I wish to trust. In /etc/nix/nix.conf, I have:

substituters = file:///cache/nix?priority=30&trusted=1 https://cache.nixos.org?priority=40

…with the expectation that this should cause us to check signatures for content from Hydra, but not that local store.

However, at build time, I see the following:

querying info about '/nix/store/mgl9mc7ylqzxay8pband34plkpndk21n-nix-shell-env' on 'file:///cache/nix'...
warning: the substitute for '/nix/store/mgl9mc7ylqzxay8pband34plkpndk21n-nix-shell-env' from 'file:///cache/nix' is not signed by any of the keys in 'trusted-public-keys'
querying info about '/nix/store/mgl9mc7ylqzxay8pband34plkpndk21n-nix-shell-env' on 'https://cache.nixos.org'...

…indicating that trusted=1 – contrary to the comments in src/libstore/store-api.hh – is not causing this content to be used even when unsigned.

ElvishJerricco · May 22, 2022, 5:12am

Maybe try adding it to trusted-substituters as well instead of using &trusted=1?

charles-dyfis-net · May 22, 2022, 12:20pm

The way I read the documentation and source (respectively, as one of these is only documented in the source), those are two different things: trusted-substituters allows an untrusted user to use a substituter that isn’t enabled by default, whereas ?trusted=1 allows a substituter’s content to be used even when unsigned.

That said, I did try it, and to no effect.

charles-dyfis-net · May 23, 2022, 3:28pm

…so, what eventually worked was the combination of two things:

Adding a trailing / to the file:// address
Adding the address to trusted-substituters