edolstra / nix-serve

A standalone Nix binary cache server
GNU Lesser General Public License v2.1

substituter not accepted due to invalid signature #10

Closed tfc closed 5 years ago

tfc commented 6 years ago

Hi there,

So I have 2 single-user installations of Nix on an Ubuntu machine and a CentOS machine. I installed Nix using the default installer last week Thursday.

Then I set up the Ubuntu machine as a binary cache following this guide written by Gabriel.

The nix-serve process just runs calmly, but the client does not accept the signatures:

binary-cache $ sudo NIX_SECRET_KEY_FILE=/home/nix_user/nix_keys/nix-serve.sec /home/nix_user/.nix-profile/bin/nix-serve -p 80
2018/03/19-06:33:32 Starman::Server (type Net::Server::PreFork) starting! pid(17463)
Resolved [*]:80 to [0.0.0.0]:80, IPv4
Binding to TCP port 80 on host 0.0.0.0 with IPv4
Setting gid to "0 0 0"

(need to run with sudo to serve on port 80 because of intranet firewall restrictions)

target $ nix-env -iA nixpkgs.git -vvvvv
GC Warning: pthread_getattr_np or pthread_attr_getstack failed for main thread
evaluating file '/nix/store/6p2gambjac7xdkd2a7w1dsxdk1q5cq4d-nix-2.0/share/nix/corepkgs/derivation.nix'
installing derivations
evaluating attribute '_combineChannels'
evaluating attribute 'nixpkgs'
...
substitution of '/nix/store/h6hbgwk3ifm27fsc4ljhyz8w71194xp1-git-2.16.2': trying next substituter
warning: substituter 'http://1.2.3.4' does not have a valid signature for path '/nix/store/h6hbgwk3ifm27fsc4ljhyz8w71194xp1-git-2.16.2'
substitution of '/nix/store/h6hbgwk3ifm27fsc4ljhyz8w71194xp1-git-2.16.2': trying next substituter
path '/nix/store/h6hbgwk3ifm27fsc4ljhyz8w71194xp1-git-2.16.2' is required, but there is no substituter that can build it
substitution of '/nix/store/h6hbgwk3ifm27fsc4ljhyz8w71194xp1-git-2.16.2': done
building of '/nix/store/l1agvw0wv5xk8wwmmvwn2csy1928bc9l-git-2.16.2.drv': waitee 'substitution of '/nix/store/h6hbgwk3ifm27fsc4ljhyz8w71194xp1-git-2.16.2'' done; 0 left
building of '/nix/store/l1agvw0wv5xk8wwmmvwn2csy1928bc9l-git-2.16.2.drv': woken up
substitution of '/nix/store/h6hbgwk3ifm27fsc4ljhyz8w71194xp1-git-2.16.2': goal destroyed
building of '/nix/store/l1agvw0wv5xk8wwmmvwn2csy1928bc9l-git-2.16.2.drv': all outputs substituted (maybe)
building of '/nix/store/l1agvw0wv5xk8wwmmvwn2csy1928bc9l-git-2.16.2.drv': done
building of '/nix/store/l1agvw0wv5xk8wwmmvwn2csy1928bc9l-git-2.16.2.drv': goal destroyed
error: build of '/nix/store/l1agvw0wv5xk8wwmmvwn2csy1928bc9l-git-2.16.2.drv' failed

The nix config looks like this:

target $ cat ~/.config/nix/nix.conf 
binary-caches = http://1.2.3.4
binary-cache-public-keys = 1.2.3.4:tTm2m3gT8wcQLmreuWeliYAbl/hJ2MUCpEYDiVMeCgA=
trusted-public-keys = 1.2.3.4t:Tm2m3gT8wcQLmreuWeliYAbl/hJ2MUCpEYDiVMeCgA=
trusted-substituters = 1.2.3.4

As far as I understand, nix-serve should sign everything it serves on the fly. But this does not seem to happen, or it happens with the wrong signature, right? I double- and triple-checked whether the target has the right pub key set and also generated new keys for the whole procedure, but to no avail.

typetetris commented 6 years ago

I did run into the same problem. You can check with nix path-info --store http://<hostname>:<port> --json <some-path> | grep sig that nix-serve doesn't serve signatures.

ivan commented 5 years ago

I spent a few hours on this problem, trying to figure out why nix was unhappy with nix-serve's signatures, until @cleverca22 in #nixos (thank you) pointed me to /root/.cache/nix - removing that on the client machine fixed the problem for me. I suspect it had cached .narinfo's with missing signatures, because I previously started nix-serve without NIX_SECRET_KEY_FILE=.
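
Added example (not from the thread or from the nix-serve project): a shell check that separates the two cases the comments above run into, a .narinfo with no `Sig:` line at all versus one signed under a key name the client does not list in trusted-public-keys. The function name `check_narinfo` and all sample values are constructed; it compares key names only and does not verify the signature itself.

```shell
#!/bin/sh
# Added example: classify a .narinfo by its Sig lines (key names only,
# no cryptographic verification). All sample values are constructed.

# check_narinfo TRUSTED_KEYS   (narinfo text on stdin)
#   TRUSTED_KEYS: space-separated "name:base64key" entries, as written
#   on the trusted-public-keys line of nix.conf.
# Prints: unsigned | untrusted:<names> | trusted:<name>
# Returns: 1 for unsigned, 2 for untrusted, 0 for trusted.
check_narinfo() {
    trusted_names=""
    for entry in $1; do
        trusted_names="$trusted_names ${entry%%:*}"   # keep the part before ':'
    done

    # A narinfo signature line has the form "Sig: <key-name>:<base64>".
    sig_names=$(sed -n 's/^Sig: \([^:]*\):.*$/\1/p')

    if [ -z "$sig_names" ]; then
        echo "unsigned"
        return 1
    fi
    for s in $sig_names; do
        for t in $trusted_names; do
            if [ "$s" = "$t" ]; then
                echo "trusted:$s"
                return 0
            fi
        done
    done
    echo "untrusted:$(echo $sig_names | tr ' ' ',')"
    return 2
}

# Constructed narinfo samples (store hash, size and signature are placeholders).
sample_unsigned='StorePath: /nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-example-1.0
URL: nar/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.nar
Compression: none
NarSize: 1234'
sample_signed="$sample_unsigned
Sig: cache.example:Q09OU1RSVUNURUQ="

# Demo on the samples; "|| true" keeps going past a non-zero status.
printf '%s\n' "$sample_unsigned" | check_narinfo "cache.example:S0VZ" || true
printf '%s\n' "$sample_signed" | check_narinfo "cache.example:S0VZ" || true
# Live use: curl -s "http://<hostname>:<port>/<hash>.narinfo" | check_narinfo "<name>:<key>"
```

If the server's live response reports a trusted key name but the client still rejects the path, what remains is the client-side ~/.cache/nix state described in the comment above.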

tfc commented 5 years ago

Closing this ticket, as I cannot reproduce it on other machines any longer (the installation on which I had the problem does not exist any more). I guess it was the ~/.cache/nix thing.

tartavull commented 4 years ago

I was able to reproduce this. Deleting ~/.cache/nix fixed it for me.

xaverdh commented 4 years ago

Just hit this issue as well, could be have:

pmiddend commented 2 years ago

This still happens. Are we sure we want to keep this issue closed? Is there no better solution than to let the user figure out it's ~/.cache/nix?