Howdy –
I recently implemented a code-signing tool with several similarities to target/nix-fetchers
– using the extraBuiltins
plugin by @shlevy to be able to exec
a helper which pulls content from a cache external to the Nix store. (I’m copying signatures into the Nix store, and referencing the copy that lives there in the plugin’s result, but the persistent mapping between {content-sha256,key-id}->signature is external).
This works, but using a separate store that needs to be shared between users (even if only between those users with access to the underlying keys) is unfortunate.
On the other hand, I don’t want to need to discard the cached signatures when the code that manages them changes – that code isn’t an input to the signature, after all; only the key ID and the content being signed impact the resulting signature, and while signing the same content with the same key more than once can have varying results, the first signature generated is guaranteed safe to reuse, thus allowing this to be used much as one would a more truly pure derivation.
Can the Nix store reasonably be used here – avoiding the need for an out-of-band cache – or am I trying to fit a round peg into a square hole?
(For those who are curious: There will eventually be a publicly-releasable version of this code; no promises on timing).