Verify signature is trusted before downloading everything on nix copy

[Zocker1999NET]

Is your feature request related to a problem?

I'm currently frustrated because I built my system toplevel on a remote machine, then attempted to download this over 6 GiB big closure with nix copy --from ssh://user@remote /nix/store/<path>, only so it fails after several minutes because:

error: cannot add path '/nix/store/64i43a2ng795rxgxdsnhjsl8pjjmd14h-ffmpeg-7.1.1-data' because it lacks a signature by a trusted key

Proposed solution

Verify the signature before starting to download anything. This may prevent accidentally downloading malicious software (even if it is thrown away immediately afterwards), but also prevents clogging up resources & time for users which are attempting to get the signatures working.

Alternative solutions

Nope.

Additional context

I deliberately did not check whether the manual already provides a solution to this, because, from user perspective, this is still bad if there is an option for that but that being not enabled by default.

Checklist

• [ ] checked latest Nix manual (source)
• [x] checked open feature issues and pull requests for possible duplicates

---

Add :+1: to issues you find important.