Using an external secret file in a Nix sandboxed build

Hi. I need to import a private keystore file in order to sign an Android APK in a nix build. This .keystore file lives in a location outside the repository being built, and I’m trying to think of ways to bring it into the Nix build in a secure way. Are there best practices for this type of situation? The first approach that came to mind was to copy the file to the repo folder just before calling nix-build and capturing it in the closure, but that means the secret file would live in the Nix store until it is deleted with nix-store --delete. Ideally, it wouldn’t be stored in the Nix store, or it would be stored by itself (e.g. with nix-store --add).

Another option I came across is passing --option extra-sandbox-paths $STORE_FILE to nix-build.
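As an added example of the extra-sandbox-paths route (not code from this thread), the derivation below signs an APK while the keystore stays outside the store. It assumes the keystore and its password file sit under /var/lib/keys on the build host, that `unsignedApk` is a derivation producing app-unsigned.apk, that the key alias is `release`, and it uses jarsigner from pkgs.jdk as the signing tool for brevity.

```nix
# Added example, not from the original thread. Build with the host
# directory bind-mounted into the sandbox:
#   nix-build --option extra-sandbox-paths /var/lib/keys sign.nix \
#     --arg unsignedApk '<your unsigned-apk derivation>'
{ pkgs ? import <nixpkgs> { }, unsignedApk }:

let
  keyDir = "/var/lib/keys";  # assumed host location, not a store path
in
pkgs.runCommand "app-signed.apk" {
  nativeBuildInputs = [ pkgs.jdk ];  # provides jarsigner
  # Plain strings on purpose: a Nix path literal (e.g. /var/lib/keys/x)
  # would be copied into the store at evaluation time, which is exactly
  # what we want to avoid. Because these are strings, the keystore's
  # contents are also not part of the derivation hash (the build is impure
  # in that respect, and a changed keystore will not trigger a rebuild).
  keystore = "${keyDir}/release.keystore";
  passFile = "${keyDir}/release.keystore.pass";
} ''
  # Fail early and clearly if the directory was not mounted into the sandbox.
  if [ ! -r "$keystore" ] || [ ! -r "$passFile" ]; then
    echo "key material not visible in sandbox; rerun with" >&2
    echo "  --option extra-sandbox-paths ${keyDir}" >&2
    exit 1
  fi
  cp ${unsignedApk}/app-unsigned.apk "$out"
  chmod u+w "$out"
  # The keystore is read in place; only the signature lands in $out,
  # which is a world-readable store path, so nothing secret may be
  # written there.
  jarsigner -keystore "$keystore" -storepass:file "$passFile" "$out" release
''
```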

Just builtins.readFile
It is performed at the evaluation stage, before starting the build (where sandboxing matters)


That’s great to know, and should work great for text files. In this case I’m dealing with a binary file, so it’ll be challenging to reconstruct it for the Nix script.

I could recommend builtins.exec (where you could run a program which parses the binary producing nix literals) but then you will have two problems (i.e. when and how to build that program, and apparently you will need a second nixpkgs for that). The right answer is somewhere around “ret-cont nix” or “recursive nix”, which is still a hot topic.

Won’t that expose the contents in the store?

Did they remove builtins.exec?