NixOS / nix

Nix, the purely functional package manager
https://nixos.org/
GNU Lesser General Public License v2.1

nix copy broken with ssh-ng and unsigned paths #7812

Open lheckemann opened 1 year ago

lheckemann commented 1 year ago

Describe the bug

nix copy has no apparent way to disable signature verification when copying to an ssh-ng store.

As a UX bug, there are also too many ways in which signature verification could plausibly be disabled, though none of these actually function.

Steps To Reproduce

  1. nix build --impure --expr 'with import <nixpkgs> {}; runCommand "foo" {} "touch $out"'
  2. Each of the following commands will fail with error: cannot add path '/nix/store/wgf5y2kzib2wg10yki4jrs4alnzs6iy7-foo' because it lacks a valid signature:
     a. nix copy --to ssh-ng://$untrusteduser@$otherhost ./result -- expected
     b. nix copy --to ssh-ng://root@$otherhost ./result
     c. nix copy --no-require-sigs --to ssh-ng://root@$otherhost ./result
     d. nix copy --to ssh-ng://root@$otherhost?require-sigs=false ./result (also prints warning: unknown setting 'require-sigs')
     e. nix copy --from daemon?trusted=1 --to ssh-ng://root@$otherhost ./result
     f. (monster combination of all the plausible mechanisms) nix copy --no-require-sigs --from daemon?trusted=1 --to ssh-ng://root@$otherhost?require-sigs=false --no-require-sigs ./result

Expected behavior

At least one of these commands (maybe all except the first) should work.

nix-env --version output

nix-env (Nix) 2.11.1

Additional context

How exactly this should work is unclear, given that the require-sigs option and the trusted parameter overlap.

AFAIU, the trusted parameter only applies when substituting (but I'm not sure there should be any difference in behaviour between copying and substitution?).

It would also be good to be able to make the trust relationships clearer. If --substitute is used, disabling require-sigs might prevent checking signatures from the substituters used as well, which is probably dangerous?

Conjecture (not fully thought through!): require-sigs should not exist, and signature-free trust should only come from a trusted=1 parameter on the source store. This could potentially default to true on local and daemon stores, making copying unsigned paths easier, but at the cost of making it much harder to track provenance of paths.

colemickens commented 1 year ago

If I understand correctly, I think you want --no-check-sigs? But I don't know about substitutions, or how my trusted-user-ness on the remote helps, etc.

╭ zeph  ~ 0.01s
╰─▶ nix copy --to $"ssh-ng://cole@(tailscale ip --4 pktspot1)" ./result
error: cannot add path '/nix/store/azls543by6apa404dkircgjx3l0b5zrp-foo' because it lacks a signature by a trusted key

╭ zeph  ~ 3.75s ✘1
╰─▶ nix copy --to $"ssh-ng://cole@(tailscale ip --4 pktspot1)" ./result --no-check-sigs

╭ zeph  ~ 2.96s
╰─▶

fzakaria commented 1 year ago

Both ssh-ng and ssh are giving the error:

❯ NIX_SSHOPTS='source /etc/profile.d/nix.sh;' nix copy --no-check-sigs --to ssh://cte-prod-us-west1-2-optical-office-49206.c.googlers.com \
    $(nix build --file what-is-my-ip.nix --json | jq -r '.[].outputs.out')
copying 1 pathserror: cannot add path '/nix/store/6qg2j5q9m5lz1rvvjfxmlaky05mq8w05-what-is-my-ip' because it lacks a signature by a trusted key
error: unexpected end-of-file
❯ NIX_SSHOPTS='source /etc/profile.d/nix.sh;' nix copy --no-check-sigs --to ssh-ng://cte-prod-us-west1-2-optical-office-49206.c.googlers.com \
    $(nix build --file what-is-my-ip.nix --json | jq -r '.[].outputs.out')
error: cannot add path '/nix/store/6qg2j5q9m5lz1rvvjfxmlaky05mq8w05-what-is-my-ip' because it lacks a signature by a trusted key

aanderse commented 2 months ago

FYI - I checked most recently with 2.22.x and this is still an issue
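
Added example, not part of the thread or of Nix itself: a pre-flight check that lists which store paths carry no signature from a key named in the destination's trusted-public-keys, i.e. the candidates for the "lacks a signature by a trusted key" error quoted above. It assumes the JSON shape of `nix path-info --json` (fields "path", "signatures", "ca"); the sample data, store paths and key names are constructed, and only key names are matched, not the signatures themselves.

```python
import json


def key_name(entry):
    """Key name of a 'name:base64' signature or trusted-public-keys entry."""
    return entry.split(":", 1)[0]


def normalise(doc):
    """Accept both JSON shapes: a list of objects with a "path" field, or an
    object keyed by store path (assumed shape of newer Nix releases)."""
    if isinstance(doc, dict):
        return [dict(info or {}, path=path) for path, info in doc.items()]
    return doc


def unsigned_paths(path_info_json, trusted_public_keys):
    """Return store paths carrying no signature named after a trusted key.

    Content-addressed paths (non-empty "ca") are skipped because they are
    self-verifying. Only key names are compared: the signature bytes are
    not verified here, the receiving daemon still does that.
    """
    trusted = {key_name(k) for k in trusted_public_keys.split()}
    missing = []
    for info in normalise(json.loads(path_info_json)):
        if info.get("ca"):
            continue
        signers = {key_name(s) for s in info.get("signatures", [])}
        if not signers & trusted:
            missing.append(info["path"])
    return sorted(missing)


# Constructed sample in the list shape of `nix path-info --json --recursive`.
SAMPLE = json.dumps([
    {"path": "/nix/store/00000000000000000000000000000000-foo"},
    {"path": "/nix/store/11111111111111111111111111111111-glibc",
     "signatures": ["cache.example.org-1:Y29uc3RydWN0ZWQ="]},
    {"path": "/nix/store/22222222222222222222222222222222-fixed",
     "ca": "fixed:r:sha256:constructed", "signatures": []},
    {"path": "/nix/store/33333333333333333333333333333333-other",
     "signatures": ["someone-else-1:Y29uc3RydWN0ZWQ="]},
])
TRUSTED = "cache.example.org-1:Y29uc3RydWN0ZWQta2V5"  # constructed key entry

if __name__ == "__main__":
    for path in unsigned_paths(SAMPLE, TRUSTED):
        print("no signature by a trusted key:", path)
```
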