
Cryptic error when using `nix store sign` with a bash here string

asymmetric opened this issue 3 years ago • 3 comments

Describe the bug

I have a secret signing key in the NIX_PRIV_KEY environment variable. I want to pass it to nix store sign, and I choose to do this using <<<:

```bash
nix store sign -k <<< "$NIX_PRIV_KEY"
```

```
path '/home/asymmetric/foo/bar' does not contain a 'flake.nix', searching up
error: path '/home/asymmetric/foo/bar' is not part of a flake (neither it nor its parent directories contain a 'flake.nix' file)
```

Steps To Reproduce

  1. Have a secret signing key in NIX_PRIV_KEY
  2. Run nix store sign -k <<< "$NIX_PRIV_KEY"
  3. See error

Expected behavior

Either this should work, or it should fail with a better error message.

nix-env --version output

Additional context

I know that there's another way to solve this, using <(echo $NIX_PRIV_KEY).

asymmetric, Aug 03 '22 08:08

Which paths are you expecting to sign here? Because nix store sign expects you to pass in a list of paths (or more precisely a list of installables that will be converted to a path). So regardless of how you try to pass the key you should have the same error message if you don't explicitly specify a path:

```
$ nix store sign -k /my/secret/key
path '/tmp/tmp.fmFjds2VXD' does not contain a 'flake.nix', searching up
error: could not find a flake.nix file
```

Now for the fact that the error message isn't what you expect, I agree, although I'm not sure what a good message should be. Maybe something like

error: could not find a flake.nix file. Maybe you want to explicitly specify the paths that you want to work on?

(Well, the phrasing is ugly, but that gives the broad idea)

thufschmitt, Aug 09 '22 08:08

You're right, I posted an incomplete snippet - sorry for that! What I'm doing is:

```bash
for file in os/result/test/*; do
  if [[ -L "$file" ]]; then
    # sign the closure of each store symlink; the key is handed to -k as a /dev/fd path
    nix-store -qR "$file" | xargs nix store sign -k <(echo "$NIX_PRIVKEY")
  fi
done
```

which works as intended, whereas

```bash
for file in os/result/test/*; do
  if [[ -L "$file" ]]; then
    # same loop, but the key is supplied as a here-string (this is the form that fails)
    nix-store -qR "$file" | xargs nix store sign -k <<< "$NIX_PRIVKEY"
  fi
done
```

prints the error above.

os/result/test contains (among other things) a bunch of symlinks to paths in the store.

asymmetric, Aug 09 '22 10:08

Ah makes sense then :)

So yeah, the second form is akin to nix store sign -k /nix/store/blah <<< "$NIX_PRIVKEY", in which case nix understands /nix/store/blah as the path to the key (because -k expects an argument) and doesn't see any path to sign – making it default to the local flake (which doesn't exist, hence the error).

I don't think we can avoid the “nix understands /nix/store/blah as the path to the key” part since it's the syntax that the CLI expects, but we could definitely make it explicit in the error message that Nix tried looking for a flake.nix because it didn't have anything explicitly passed on the CLI.

Wanna open a PR for that? :D

Btw if that's any help, -k /dev/stdin probably works too

thufschmitt, Aug 10 '22 15:08
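The two forms from this thread, reproduced as an added example (not code from the issue or from Nix) with a small stub standing in for `nix store sign`; the key, the store paths and the `fake_sign` stub are constructed stand-ins. It shows why the here-string variant ends up with no paths to sign: the `<<<` redirection replaces the pipe as the stdin of `xargs`, so `xargs` splits the key text itself into arguments.

```shell
#!/usr/bin/env bash
# Constructed stand-ins (not a real key, not real store paths) for NIX_PRIVKEY and `nix-store -qR` output.
NIX_PRIVKEY='cache-1:dGVzdGtleQ=='
STORE_PATHS='/nix/store/aaa-foo
/nix/store/bbb-bar'

# fake_sign: a stub in place of `nix store sign` that only parses `-k KEYFILE` plus positional
# paths and reports what it received; real nix falls back to the local flake when no path is given.
FAKE_SIGN=$(mktemp)
trap 'rm -f "$FAKE_SIGN"' EXIT
cat >"$FAKE_SIGN" <<'EOF'
key_file= ; n=0
while [ $# -gt 0 ]; do
  case $1 in
    -k) key_file=$2; shift 2 ;;
    *)  n=$((n + 1)); shift ;;
  esac
done
if [ "$n" -eq 0 ]; then
  echo "error: no paths to sign, key argument was '$key_file' (real nix would now look for flake.nix)"
  exit 2
fi
key=$(cat "$key_file" 2>/dev/null) || { echo "error: cannot read key file '$key_file'"; exit 1; }
echo "signed $n path(s) with key '$key'"
EOF
export NIX_PRIVKEY STORE_PATHS FAKE_SIGN

# Working form: process substitution hands -k a readable /dev/fd path and leaves the piped
# path list on the stdin of xargs, so the key text never appears on any command line.
sign_with_procsub() {
  bash -c 'printf "%s\n" "$STORE_PATHS" | xargs sh "$FAKE_SIGN" -k <(printf "%s" "$NIX_PRIVKEY")' 2>/dev/null
}

# Failing form: the here-string replaces the pipe as the stdin of xargs, so xargs splits the
# key text into arguments and the signer sees `-k <key text>` with nothing to sign.
sign_with_herestring() {
  bash -c 'printf "%s\n" "$STORE_PATHS" | xargs sh "$FAKE_SIGN" -k <<< "$NIX_PRIVKEY"' 2>/dev/null || true
}

sign_with_procsub
sign_with_herestring
```

Besides failing, the here-string form puts the key material into the signer's argv, where any local user can read it with `ps`; the process-substitution form only exposes a file descriptor to the child process.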