
`trusted-public-keys` mismatch

Open georgefst opened this issue 3 years ago • 18 comments

I've installed Nix on Arch Linux, then followed the haskell.nix guide.

Unfortunately, when running `nix run .` or `nix develop`, I'm flooded with errors like `warning: ignoring substitute for '/nix/store/3j18grljsyy4nxc078g00sy4cx6cf16g-bash-5.1-p16' from 'https://cache.iog.io', as it's not signed by any of the keys in 'trusted-public-keys'`, for various packages, which then get built from scratch even though they should be downloaded from the cache.

georgefst avatar Aug 07 '22 00:08 georgefst

After adding key `trusted-public-keys` (as described in the guide), you may need to restart the nix-daemon. If that helps, we should update the guide.

hamishmack avatar Aug 07 '22 07:08 hamishmack

Only multi-user Nix installs have a daemon to restart.

hamishmack avatar Aug 07 '22 07:08 hamishmack

Assuming you mean for me to run `sudo systemctl restart nix-daemon`, that hasn't made any difference. I'd rebooted before now anyway.

My `/etc/nix/nix.conf` is as follows, where all but the last three lines were written by the installer:

```
#
# https://nixos.org/manual/nix/stable/#sec-conf-file
#

# Unix group containing the Nix build user accounts
build-users-group = nixbld

# Disable sandbox
# sandbox = false

trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=
substituters = https://cache.iog.io
experimental-features = nix-command flakes
```

georgefst avatar Aug 07 '22 10:08 georgefst

There are some weird things going on here. I tried removing all my changes to `/etc/nix/nix.conf`, restarting the daemon and passing the options on the command line instead, in order to make it easier to test and debug options:

```
nix develop --extra-experimental-features flakes --extra-experimental-features nix-command --trusted-public-keys 'hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=' --substituters 'https://cache.iog.io'
```

But while I thought this would be equivalent to passing them in the config file, the output is different. I don't get any more `ignoring substitute for [...] as it's not signed by any of the keys` warnings, but I do get `warning: ignoring untrusted substituter 'https://cache.iog.io'`. This led me to try changing `--substituters` to `--trusted-substituters`, which silences the warning, but I still end up building GHC (weirdly, GHC 8.6.5, when I'm requesting 8.10.7)!

georgefst avatar Aug 07 '22 11:08 georgefst

My `flake.nix` is as follows, where `hello-hs` is a basic one-exe cabal project skeleton with `base >=4.14` and no other dependencies:

```nix
{
  description = "A very basic flake";
  inputs.haskellNix.url = "github:input-output-hk/haskell.nix";
  inputs.nixpkgs.follows = "haskellNix/nixpkgs-unstable";
  inputs.flake-utils.url = "github:numtide/flake-utils";
  outputs = { self, nixpkgs, flake-utils, haskellNix }:
    flake-utils.lib.eachSystem [ "x86_64-linux" ] (system:
    let
      overlays = [ haskellNix.overlay
        (final: prev: {
          # This overlay adds our project to pkgs
          helloProject =
            final.haskell-nix.project' {
              src = ./.;
              compiler-nix-name = "ghc8107";
              # This is used by `nix develop .` to open a shell for use with
              # `cabal`, `hlint` and `haskell-language-server`
              shell.tools = {
              };
              # Non-Haskell shell tools go here
              shell.buildInputs = with pkgs; [
              ];
              # This adds `js-unknown-ghcjs-cabal` to the shell.
              # shell.crossPlatforms = p: [p.ghcjs];
            };
        })
      ];
      pkgs = import nixpkgs { inherit system overlays; inherit (haskellNix) config; };
      flake = pkgs.helloProject.flake {
        # This adds support for `nix build .#js-unknown-ghcjs-cabal:hello-hs:exe:hello-hs`
        # crossPlatforms = p: [p.ghcjs];
      };
    in flake // {
      # Built by `nix build .`
      defaultPackage = flake.packages."hello-hs:exe:hello-hs";
    });
}
```

georgefst avatar Aug 07 '22 11:08 georgefst

More weirdness: removing the `trusted-public-keys` line means the cache is hit when using `nix-shell`, but not `nix develop`. With it there, even `nix-shell -p hello` goes off and builds stuff.

georgefst avatar Aug 07 '22 17:08 georgefst

It looks like `cache.nixos.org` is missing. Was it there when you first edited the config file? My `nix.conf` file looks like this.

```
substituters = https://cache.nixos.org https://cache.iog.io
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=
```

I wonder if it is no longer included in the nix.conf file by the nix installer. It is listed as the default in https://nixos.org/manual/nix/unstable/command-ref/conf-file.html#conf-trusted-public-keys

If so we should update the docs.

hamishmack avatar Aug 07 '22 21:08 hamishmack
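A check for the misconfiguration diagnosed in the reply above, as an added example that is not part of the original thread or of haskell.nix: it resolves `substituters` and `trusted-public-keys` from a `nix.conf` and reports which default entries a plain assignment has dropped. The function names and `EXTRA_CONF` are hypothetical; `extra-substituters` and `extra-trusted-public-keys` are Nix's own append variants of the two settings, and the default substituter is assumed to be `https://cache.nixos.org`.

```python
# Added example: find default cache entries that a nix.conf silently drops.
NIXOS_KEY = "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
IOG_KEY = "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ="
# Built-in values that apply when nix.conf does not set these options
# (the substituter default is an assumption taken from the Nix manual).
DEFAULTS = {
    "substituters": ["https://cache.nixos.org"],
    "trusted-public-keys": [NIXOS_KEY],
}

# The lines from the issue, the corrected form from the reply, and a
# constructed variant that appends with the extra- prefix instead.
ISSUE_CONF = f"""build-users-group = nixbld
trusted-public-keys = {IOG_KEY}
substituters = https://cache.iog.io
experimental-features = nix-command flakes
"""
FIXED_CONF = f"""substituters = https://cache.nixos.org https://cache.iog.io
trusted-public-keys = {NIXOS_KEY} {IOG_KEY}
"""
EXTRA_CONF = f"""extra-substituters = https://cache.iog.io
extra-trusted-public-keys = {IOG_KEY}
"""

def effective_settings(conf_text):
    """`name = ...` replaces the current list; `extra-name = ...` appends."""
    values = {name: list(default) for name, default in DEFAULTS.items()}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        # Split on the first '=' only: base64 key values contain more of them.
        key, _, value = line.partition("=")
        key, items = key.strip(), value.split()
        if key in values:
            values[key] = items
        elif key.startswith("extra-") and key[6:] in values:
            values[key[6:]].extend(items)
    return values

def dropped_defaults(conf_text):
    """Return the default entries missing from the effective configuration."""
    values = effective_settings(conf_text)
    return {name: [d for d in default if d not in values[name]]
            for name, default in DEFAULTS.items()}

if __name__ == "__main__":
    for label, conf in [("issue", ISSUE_CONF), ("fixed", FIXED_CONF),
                        ("extra-", EXTRA_CONF)]:
        print(label, dropped_defaults(conf))
```

The comparison is an exact string match, so a substituter written with a trailing slash is reported as a different entry.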

Thanks, that did it! I'm almost certain that there was no mention of `substituters` or `trusted-public-keys` when I started. But I'll try reinstalling, just to check.

I installed through the Arch community repo with `sudo pacman -S nix` (I should have been explicit about this in OP), so perhaps the fault lies with the packaging there?

georgefst avatar Aug 07 '22 21:08 georgefst

> I'm almost certain that there was no mention of `substituters` or `trusted-public-keys` when I started. But I'll try reinstalling, just to check.

Yep, initial contents are just:

```
#
# https://nixos.org/manual/nix/stable/#sec-conf-file
#

# Unix group containing the Nix build user accounts
build-users-group = nixbld

# Disable sandbox
# sandbox = false
```

georgefst avatar Aug 07 '22 21:08 georgefst