NixOS / nix

Nix, the purely functional package manager
https://nixos.org/
GNU Lesser General Public License v2.1

Allow sign-paths to take the signing key from an environment variable #2697

Open thoughtpolice opened 5 years ago

thoughtpolice commented 5 years ago

It would be nice if the nix sign-paths command could be used to sign keys without writing the signing key to a file, but instead using an environment variable, e.g. NIX_SIGNING_KEY. This would be useful for e.g. automated CI workflows, where I'd like to inject the key into the build environment, sign some paths, copy a closure, and kill the CI system.

lheckemann commented 5 years ago

:-1: I don't see any real benefit to this. Since the command needs to be invoked in a script or something anyway, one can just echo "$NIX_SIGNING_KEY" > priv.key && nix sign-paths -k priv.key ….

avanov commented 3 years ago

I do see a real benefit of not having to depend on a disk subsystem just to provide the command with the same data that is already available in a session environment.

lheckemann commented 3 years ago

A tmpfs such as /run can be used for storing information in a filesystem without it being written to disk.

avanov commented 3 years ago

It's still an FS. Why does a nix process have to rely on the FS API to access the keys if it's already provided with an environment from which it can read the data directly?

supersven commented 3 years ago

My two cents:

I just stumbled over this issue because I searched for exactly this feature... I'm setting up a gitlab-ci job with caching and would like to keep the key in a configured environment variable. Of course, I can save it from there to disk, but, well, that's an additional step.

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.

jshcmpbll commented 1 year ago

Anyone looking for this, you can simply run it like so:

nix store sign -k <(echo "$MY_KEY_ENV_VAR") .#myFlake

Ericson2314 commented 1 year ago

Can

echo $MY_KEY_ENV_VAR | nix store sign -k -

work?

jshcmpbll commented 1 year ago

@Ericson2314 Unfortunately, no. I tested it and nix complains about the file - being missing. I think that method is also just a STDIN whereas <( *** ) presents the data as a file symbolic link to pipe.

[jsh@jsh-server:~/repo]$ file <( echo $MY_KEY_ENV_VAR)
/dev/fd/63: symbolic link to pipe:[86242]

If anyone knows what this trick is called I'd love to know. I learned about it years ago but can't remember where I read it and can't figure out what it's called.

EDIT: Ah, from man bash

   Process Substitution
       Process substitution allows a process's input or output to be
       referred to using a filename. It takes the form of <(list) or
       >(list). The process list is run asynchronously, and its input or
       output appears as a filename. This filename is passed as an
       argument to the current command as the result of the expansion.
       If the >(list) form is used, writing to the file will provide
       input for list. If the <(list) form is used, the file passed as
       an argument should be read to obtain the output of list. Process
       substitution is supported on systems that support named pipes
       (FIFOs) or the /dev/fd method of naming open files.

       When available, process substitution is performed simultaneously
       with parameter and variable expansion, command substitution, and
       arithmetic expansion.