Trusting the remote store of my own machines ("because it lacks a signature by a trusted key")

Hi everyone. I am trying to copy a big derivation from one of my machines, but get a complaint:

nix copy --from ssh-ng://$(tailscale ip -4 vno1-oh2)?trusted=true /nix/store/dgr3f918x09nblmvmfm66794p0qsfysc-qgis-ltr-unwrapped-3.34.7.drv^* |& nom


copying 1 paths...
copying path '/nix/store/l2cwymkz5hh4987b2gzhm2qwp417mhln-qgis-ltr-unwrapped-3.34.7' from 'ssh-ng://100.89.176.4'...
error: cannot add path '/nix/store/l2cwymkz5hh4987b2gzhm2qwp417mhln-qgis-ltr-unwrapped-3.34.7' because it lacks a signature by a trusted key
  1. I am happy to add the trusted key of the machine to nix.conf – but how do I figure out the trusted key?
  2. How come ?trusted=true does not work? ssh-ng options seem to imply ?trusted=true should work, but alas.
  3. Also tried nix copy --no-require-sigs, to no avail.
  4. I tried adding the SSH pubkey to trusted keys (trusted-public-keys = ip:pubkey), also to no avail.

How can I make my machine trust my other machine? 🙂

This seems to have worked:

nix-copy-closure --from $(tailscale ip -4 vno1-oh2) /nix/store/l2cwymkz5hh4987b2gzhm2qwp417mhln-qgis-ltr-unwrapped-3.34.7

I found this answer on the wiki:

Note: When rebuilding a remote host, you may see similar errors to the following:
error: cannot add path '/nix/store/...' because it lacks a signature by a trusted key

If this occurs, add your non-root user or group to the trusted-users list in /etc/nix/nix.conf, which is the nix.settings.trusted-users option in NixOS.

I’ve run into the same error while copying a closure from the remote store of one of my other machines to my local one, and my user is already in trusted-users on both machines. nix-copy-closure works fine where nix copy throws this error, which makes this seem like possibly a bug?

No. nix copy just checks signatures by default. You can pass --no-check-sigs to avoid this as long as the user importing the path is trusted.
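
Added example, not part of the thread: to keep signature checking on, the sending machine can sign the closure with a Nix signing key (a different key type from an SSH key) and the receiver can list the public half in its trusted public keys. The key name, key file location and function names below are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: sign a closure on the sender so the receiver's signature
# check passes. KEY_NAME and SECRET_KEY are assumed values, pick your own.

KEY_NAME="vno1-oh2-1"
SECRET_KEY="/etc/nix/signing-key.sec"   # keep readable by root only

# Run once on the sender: create a Nix signing key and print the public
# half ("name:base64"), which goes into the receiver's nix.conf.
make_key() {
    (umask 077; nix key generate-secret --key-name "$KEY_NAME" > "$SECRET_KEY")
    nix key convert-secret-to-public < "$SECRET_KEY"
}

# Run on the sender: sign a store path and everything it depends on.
sign_closure() {
    nix store sign --key-file "$SECRET_KEY" --recursive "$1"
}

# Reads `nix path-info --recursive --sigs PATH` output on stdin and prints
# each store path the receiver would still reject: no signature from key
# name $1 and not content-addressed. Line format: <path> <token> <token>...
# where a signature token is "<key-name>:<base64>".
unsigned_by() {
    awk -v key="$1:" '
        NF == 0 { next }
        {
            ok = 0
            for (i = 2; i <= NF; i++)
                if (index($i, key) == 1 || index($i, "ca:") == 1) ok = 1
            if (!ok) print $1
        }'
}

# Typical use on the sender (P is the output path from the error message):
#   P=/nix/store/l2cwymkz5hh4987b2gzhm2qwp417mhln-qgis-ltr-unwrapped-3.34.7
#   make_key
#   sign_closure "$P"
#   nix path-info --recursive --sigs "$P" | unsigned_by "$KEY_NAME"
#   (empty output means the whole closure carries the signature)
# On the receiver, in nix.conf, then restart nix-daemon:
#   extra-trusted-public-keys = <line printed by make_key>
```
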