Generate and use signing keys automatically

[lheckemann]

Background

For the sake of building stuff faster, I often use remote builds in a bit of a nonstandard way, e.g.:

$ nix-build --store ssh-ng://lugn
$ nix copy -f . '' --from ssh-ng://lugn

This allows building remotely without copying the whole dependency graph to my laptop. However:

warning: substituter 'ssh-ng://lugn' does not have a valid signature for path '/nix/store/40sd21158yhpjj3lfrmd98xhpiaryrax-nixos-mobile_xiaomi-tissot_boot.img-aarch64-unknown-linux-gnu'
warning: substituter 'ssh-ng://lugn' does not have a valid signature for path '/nix/store/ahfckgq2idpjmg79w6p9k841zakxf49r-initrd-xiaomi-tissot'
warning: substituter 'ssh-ng://lugn' does not have a valid signature for path '/nix/store/bsglymjabrxmhkw13xj503jw39rcam3l-linux-3.18.71-aarch64-unknown-linux-gnu'
warning: substituter 'ssh-ng://lugn' does not have a valid signature for path '/nix/store/8n7y802dmjhpggbss5xb8jcyyzd9nrpy-stdenv-linux'
warning: substituter 'ssh-ng://lugn' does not have a valid signature for path '/nix/store/zxng7pndc5rw4k5sqknhapaplvin9lk9-aarch64-unknown-linux-gnu-stage-final-gcc-debug-wrapper-6.5.0'
[...]

⇒ my laptop will start building everything itself. I'd also prefer not to use the blanket --no-require-sigs option.

Suggestion

If no secret-key-files are specified in the nix config, the option should default to /etc/nix/secret-key, and this file should be generated automatically along with /etc/nix/public-key if it doesn't exist, using the machine's hostname as a key name. This makes it easier to track where builds come from when using nix copy or remote builds, and allows using nix copy without --no-require-sigs.

This allows me:

• to copy paths from individual machines without setting them up to sign builds manually and without using --no-require-sigs
• Later on, to track down paths to where they were built after they have been copied around between multiple machines.

[stale[bot]]

I marked this as stale due to inactivity. → More info

[lheckemann]

I currently use this NixOS module which does this.

{ config, pkgs, ...}: {
  systemd.services.generate-nix-cache-key = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig.Type = "oneshot";
    path = [ pkgs.nix ];
    script = ''
      [[ -f /etc/nix/private-key ]] && exit
      nix-store --generate-binary-cache-key ${config.networking.hostName}-1 /etc/nix/private-key /etc/nix/public-key
    '';
  };
  nix.extraOptions = ''
    secret-key-files = /etc/nix/private-key
  '';
}

[stale[bot]]

I marked this as stale due to inactivity. → More info

[Ericson2314]

Yes, let's please do this.

• Even as remote builders and substituters have been somewhat unified with the C++, the fact that the latter doesn't require sigs but the former does is a big difference.

• If everyone signs by default, then we should be able to use the trusted-public-keys for substitutors and binary caches by default.

• builders-use-substitutes makes me queasy today, but it doesn't really mean much: even if the builder doesn't substitute on demand, the path could have already been substituted. Either way, there are transitive trust issues. But if paths aren't re-signed on substitution, we can at least audit where stuff came from. Security wise, the builder can always be free to substitute instead and the requester will just reject the result if it doesn't trust the public key

  • For build remotes we somewhat trust, we can give them our trusted public keys to intersect with their own to fail faster on a substitute we don't like.

Finally, with CA-derivations this gets all better still by better auditing dependencies.

[stale[bot]]

I marked this as stale due to inactivity. → More info

[mschwaig]

It would sure be a much bigger change but if all builds are signed right away it seems possible to get rid of the ultimate flag and just verify locally built derivations in the same way as remotely built ones.