NixOS / nix

Nix, the purely functional package manager
https://nixos.org/
GNU Lesser General Public License v2.1

Binary cache serving from s3 bucket has broken signature check #2024

Open lblasc opened 6 years ago

lblasc commented 6 years ago

Hello,

I'm trying to set up a private binary cache for our company software. I know that the cache is hard/impossible to guess, but still, I would like to leave it authenticated with AWS keys.

nix.conf

binary-caches = https://cache.nixos.org/ s3://bucket-name?region=eu-west-1
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY hydra.tvbeat.com:4iHmKDd95QN9Po2FzqmfUD11Wk0/ln1oLlaLXDaIsNE=

Part of the nix-shell log:

warning: substituter 's3://bucket-name' does not have a valid signature for path '/nix/store/wadpblgb2lfpc0ls4j4zg61gp2lca4mh-lua5.1-box-da0afad'
warning: substituter 's3://bucket-name' does not have a valid signature for path '/nix/store/s0lwg9pzngfnzb1mbc3a2w4mksiv9vpf-lua5.1-exc-0611497'
warning: substituter 's3://bucket-name' does not have a valid signature for path '/nix/store/dkzhsf9dz458lixad2dd7vs9cnwk9mjr-lua5.1-lua-MessagePack-0.5.0'
warning: substituter 's3://bucket-name' does not have a valid signature for path '/nix/store/0n6kfhgwwi8ffbsss3gjqla7hxbhyy79-lua5.1-rapidjson-0.5.1'

When I allow public access to the S3 bucket and change nix.conf to:

binary-caches = https://cache.nixos.org/ https://bucket-name.s3-eu-west-1.amazonaws.com/
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY hydra.tvbeat.com:4iHmKDd95QN9Po2FzqmfUD11Wk0/ln1oLlaLXDaIsNE=

Signature check works without a problem.

This was tested on Ubuntu 18.04 with nix version 2.0 and the latest master branch; both have the same problem.

Thanks!

AmineChikhaoui commented 6 years ago

@lblasc do you have a multi-user installation? I think in that case you need the daemon to have access to the bucket.

lblasc commented 6 years ago

@AmineChikhaoui it is a single-user setup on Ubuntu; bucket access is not a problem, I have AWS keys in ~/.aws/credentials and those are used without a problem.

I didn't mention: if I put (in nix.conf):

require-sigs = false

the binary cache is used from the S3 bucket without any problem.
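What the substituter is deciding when it prints "does not have a valid signature", as an added example (not code from the issue or from Nix itself): Nix signs a fingerprint of the narinfo with Ed25519, and a path is substituted only if one of its Sig lines verifies under a key whose name and value both appear in trusted-public-keys. The narinfo fields, the key name example-cache-1, the seed and the all-zero hashes are constructed for the demo; the store path names are the ones quoted in the log above. A textbook, non-constant-time Ed25519 is inlined so the script runs offline without extra packages.

```python
# Added example, not Nix project code: the signature gate behind "does not have a valid
# signature". Textbook (non-constant-time) Ed25519 is inlined so this runs offline; the
# narinfo, key name, seed and hashes are constructed for the demo.
import base64
import hashlib

Q = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
D = (-121665 * pow(121666, Q - 2, Q)) % Q
I = pow(2, (Q - 1) // 4, Q)

def _xrecover(y):  # recover x from y on the curve, choosing the even root
    xx = (y * y - 1) * pow(D * y * y + 1, Q - 2, Q)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = (x * I) % Q
    return Q - x if x & 1 else x

_BY = (4 * pow(5, Q - 2, Q)) % Q
_B = (_xrecover(_BY), _BY)  # base point

def _add(p, r):  # affine twisted-Edwards point addition
    (x1, y1), (x2, y2) = p, r
    t = D * x1 * x2 * y1 * y2
    return (((x1 * y2 + x2 * y1) * pow(1 + t, Q - 2, Q)) % Q,
            ((y1 * y2 + x1 * x2) * pow(1 - t, Q - 2, Q)) % Q)

def _mul(p, e):  # double-and-add; (0, 1) is the neutral element
    r = (0, 1)
    while e:
        if e & 1:
            r = _add(r, p)
        p, e = _add(p, p), e >> 1
    return r

def _enc(p):  # 32-byte little-endian y with the parity of x in the top bit
    return (p[1] | ((p[0] & 1) << 255)).to_bytes(32, "little")

def _dec(s):
    n = int.from_bytes(s, "little")
    y = n & ((1 << 255) - 1)
    x = _xrecover(y)
    if (x & 1) != (n >> 255):
        x = Q - x
    if (-x * x + y * y - 1 - D * x * x * y * y) % Q:
        raise ValueError("point not on curve")
    return (x, y)

def _hint(m):  # SHA-512 as a little-endian integer, reduced mod the group order
    return int.from_bytes(hashlib.sha512(m).digest(), "little") % L

def ed25519_keypair(seed):  # -> (clamped scalar, hash prefix, 32-byte public key)
    h = hashlib.sha512(seed).digest()
    a = (1 << 254) | (int.from_bytes(h[:32], "little") & ((1 << 254) - 8))
    return a, h[32:], _enc(_mul(_B, a))

def ed25519_sign(seed, m):
    a, prefix, pk = ed25519_keypair(seed)
    r = _hint(prefix + m)
    R = _enc(_mul(_B, r))
    return R + ((r + _hint(R + pk + m) * a) % L).to_bytes(32, "little")

def ed25519_verify(pk, m, sig):
    try:
        R, A = _dec(sig[:32]), _dec(pk)
    except ValueError:
        return False
    s = int.from_bytes(sig[32:], "little")
    return s < L and _mul(_B, s) == _add(R, _mul(A, _hint(sig[:32] + pk + m)))

def parse_narinfo(text):  # (key, value) pairs; Sig may occur more than once
    return [tuple(ln.split(": ", 1)) for ln in text.splitlines() if ": " in ln]

def nix_fingerprint(fields):  # the string Nix signs; references become full store paths
    refs = ",".join("/nix/store/" + r for r in fields.get("References", "").split())
    return "1;%s;%s;%s;%s" % (fields["StorePath"], fields["NarHash"], fields["NarSize"], refs)

def parse_trusted_keys(setting):  # trusted-public-keys value -> {name: raw key bytes}
    pairs = (e.split(":", 1) for e in setting.split())
    return {n: base64.b64decode(k + "=" * (-len(k) % 4)) for n, k in pairs}

def sign_narinfo(text, key_name, seed):  # what the cache's signer appends
    sig = ed25519_sign(seed, nix_fingerprint(dict(parse_narinfo(text))).encode())
    return text.rstrip("\n") + "\nSig: %s:%s\n" % (key_name, base64.b64encode(sig).decode())

def narinfo_is_trusted(text, trusted, require_sigs=True):  # the substituter's gate
    if not require_sigs:  # require-sigs = false: no check at all, any narinfo is accepted
        return True
    pairs = parse_narinfo(text)
    fp = nix_fingerprint(dict(pairs)).encode()
    for sig in (v for k, v in pairs if k == "Sig"):
        name, b64 = sig.split(":", 1)  # the key NAME must be in trusted-public-keys too
        if name in trusted and ed25519_verify(trusted[name], fp, base64.b64decode(b64)):
            return True
    return False

# Constructed demo data; the store path names are the ones quoted in the issue.
SEED = bytes(range(32))  # demo only, never a real signing key
KEY_NAME = "example-cache-1"
PUBKEY_B64 = base64.b64encode(ed25519_keypair(SEED)[2]).decode()
TRUSTED = "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= %s:%s" % (KEY_NAME, PUBKEY_B64)
NARINFO = """StorePath: /nix/store/wadpblgb2lfpc0ls4j4zg61gp2lca4mh-lua5.1-box-da0afad
NarHash: sha256:0000000000000000000000000000000000000000000000000000
NarSize: 4096
References: s0lwg9pzngfnzb1mbc3a2w4mksiv9vpf-lua5.1-exc-0611497 wadpblgb2lfpc0ls4j4zg61gp2lca4mh-lua5.1-box-da0afad
"""
SIGNED = sign_narinfo(NARINFO, KEY_NAME, SEED)
```

Calling narinfo_is_trusted(SIGNED, parse_trusted_keys(TRUSTED)) accepts the path, while the same signed narinfo is rejected if the key is listed under a different name, if any fingerprint field changes, or if the Sig line is missing; only require_sigs=False makes an unsigned narinfo pass, which is exactly why `require-sigs = false` is a workaround that removes the protection rather than a fix.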

haitlahcen commented 5 years ago

Experiencing the same issue. The strange part is that it worked for about a week and then suddenly stopped fetching substitutes from S3 with a warning.

Putting require-sigs = false makes it work again.

chessai commented 4 years ago

Experiencing the same issue at work but only on MacOS and non-NixOS linux on MacOS, non-NixOS Linux, and NixOS.

terlar commented 4 years ago

Also experiencing this at work. What is strange is that it doesn't work to pass --option require-sigs false to the nix-build command, but updating nix.conf does. I haven't tried recently, but a month or so ago you could ignore it with the --option.

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.

terlar commented 3 years ago

Still a valid issue as far as I can tell

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.

lblasc commented 3 years ago

It should be still valid (haven't tested for some time)

stale[bot] commented 2 years ago

I marked this as stale due to inactivity.