
Add build time to the signature

Open JulienMalka opened this issue 3 weeks ago • 2 comments

  • API should accept some build time for the attestation instead of setting it to the uploaded time (maybe?)
  • signature should contain the build time (is it possible?)

Rationale: several attestations in the DB have the exact same signature; it's probably not great, as there is no way to really discriminate them.

JulienMalka, Nov 30 '25 14:11

I guess we could record it, but it'd have to be optional, as caches typically don't appear to expose that information either (e.g. https://cache.nixos.org/c8fmjixgr2i38841xd26z63pmwn5dpg0.narinfo).

signature should contain the build time (is it possible?)

I don't think we should do that, as it'd mean our signatures would no longer be consistent with the nix cache signatures. I guess we could add a second signature that includes the build date, but that doesn't seem worth it.

several attestations in the DB have the exact same signature; it's probably not great, as there is no way to really discriminate them

I guess we could consider whether it's valuable at all to allow the same uploader to upload the same signature twice?

raboof, Nov 30 '25 14:11

I guess we could consider whether it's valuable at all to allow the same uploader to upload the same signature twice?

Yes, I was considering this as well.

JulienMalka, Nov 30 '25 14:11
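
Background for the thread above, as an added example that is not lila's code: a Nix cache signature is an Ed25519 signature over a fingerprint made of the store path, NAR hash, NAR size and references, so one key signing the same output always produces the same `Sig` value, and no timestamp is covered. The sketch rebuilds that fingerprint from a constructed narinfo and collapses repeat uploads by (key name, fingerprint); the upload record shape, the `built_at` field and the `dedupe` helper are assumptions.

```python
STORE_DIR = "/nix/store"
# Constructed sample narinfo (not a real cache entry); hashes are placeholders.
OUT = "a" * 32 + "-hello-1.0"
DEP = "b" * 32 + "-libc-1.0"
NAR_HASH = "sha256:" + "0" * 52
SAMPLE_NARINFO = (
    f"StorePath: {STORE_DIR}/{OUT}\n"
    "URL: nar/example.nar.xz\n"
    "Compression: xz\n"
    f"NarHash: {NAR_HASH}\n"
    "NarSize: 4096\n"
    f"References: {OUT} {DEP}\n"
    "Sig: example-key-1:CONSTRUCTED-SIGNATURE\n"
)

def parse_narinfo(text):
    """Parse 'Key: value' lines; keys may repeat (several Sig lines)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields.setdefault(key, []).append(value)
    return fields

def fingerprint(fields):
    """Message covered by a Nix cache signature; it carries no timestamp."""
    refs = sorted(fields.get("References", [""])[0].split())
    return ";".join([
        "1", fields["StorePath"][0], fields["NarHash"][0], fields["NarSize"][0],
        ",".join(f"{STORE_DIR}/{r}" for r in refs),
    ])

def dedupe(uploads):
    """Keep the first attestation per (key name, fingerprint)."""
    seen, kept, dropped = set(), [], []
    for up in uploads:
        fields = parse_narinfo(up["narinfo"])
        fp = fingerprint(fields)
        idents = {(sig.split(":", 1)[0], fp) for sig in fields.get("Sig", [])}
        if idents and idents <= seen:
            dropped.append(up)   # same key, same signed message
        else:
            seen |= idents
            kept.append(up)
    return kept, dropped

# Hypothetical upload records: same output and key, different build times.
UPLOADS = [
    {"built_at": "2025-11-29T10:00:00Z", "narinfo": SAMPLE_NARINFO},
    {"built_at": "2025-11-30T09:30:00Z", "narinfo": SAMPLE_NARINFO},
]
```

Because `built_at` never enters `fingerprint`, the two records are indistinguishable by signature alone; a build time can only be kept as unsigned metadata or covered by a separate signature.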