Hi everyone. I am trying to copy a big derivation from one of my machines, but get a complaint:
nix copy --from ssh-ng://$(tailscale ip -4 vno1-oh2)?trusted=true /nix/store/dgr3f918x09nblmvmfm66794p0qsfysc-qgis-ltr-unwrapped-3.34.7.drv^* |& nom
copying 1 paths...
copying path '/nix/store/l2cwymkz5hh4987b2gzhm2qwp417mhln-qgis-ltr-unwrapped-3.34.7' from 'ssh-ng://100.89.176.4'...
error: cannot add path '/nix/store/l2cwymkz5hh4987b2gzhm2qwp417mhln-qgis-ltr-unwrapped-3.34.7' because it lacks a signature by a trusted key
I am happy to add the trusted key of the machine to nix.conf – but how do I figure out the trusted key?
How come ?trusted=true does not work? ssh-ng options seem to imply ?trusted=true should work, but alas.
Also tried nix copy --no-require-sigs, no avail.
I tried adding the SSH pubkey to trusted keys (trusted-public-keys = ip:pubkey), also no avail.
Note: When rebuilding a remote host, you may see similar errors to the following:
error: cannot add path '/nix/store/...' because it lacks a signature by a trusted key
If this occurs, add your non-root user or group to the trusted-users list in /etc/nix/nix.conf, which is the nix.settings.trusted-users option in NixOS.
I’ve run into the same error while copying a closure from the remote store of one of my other machines to my local one, and my user is already in trusted-users on both machines. nix-copy-closure works fine where nix copy throws this error, which makes this seem like possibly a bug?
Instead you can go through the much more painful process of creating a new nix keypair (nix key generate-secret), trusting the key on the machine where the closure should be copied to and signing the closure on the source host (nix store sign).
