I have two questions about what it means to obtain a store path with a valid signature from a binary cache.
- Does the signature relate the store path (input address) and the contents by signing both of them together, or is it just a signature of the content?
- Is it a design goal of the signature to identify who originally built the package (so that if I set up my own binary cache which obtained some store paths from https://cache.nixos.org it will only contain that original signature and I can attribute the build process to https://cache.nixos.org in that way)?