Sign with multiple signing keys
Nix supports entries in caches to be signed by multiple keys.
This patch introduces the new config option secret_key_paths, which is an array of paths to secret keys. All provided secret keys are used for signing.
This change breaks the SECRET_KEY_FILE environment variable currently.
I need some feedback on how to integrate this, as this is used in the NixOS module. We could have an environment variable called SECRET_KEY_FILES with some character separating multiple paths, but I'm not sure about this.
I fixed support for signing keys passed via environment variables.
There are four ways now to specify signing keys:
- sign_key_path in config file, accepting a single file path as a string
- sign_key_paths in config file, accepting multiple file paths as strings in an array
- SIGN_KEY_PATH in environment, accepting a single file path
- SIGN_KEY_PATHS in environment, accepting multiple file paths separated by whitespace
All paths, no matter how they got specified, and all keys will be used for signing.
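One way the four sources listed above could be merged into a single list of key files, as an added example that is not harmonia's code or part of this PR. The `Config` struct, the function names and the sample paths are hypothetical; skipping empty values and repeated paths is an assumption, and the name check is there because the thread notes that Nix matches signatures on the key name.

```rust
use std::collections::BTreeSet;
use std::path::PathBuf;

/// Hypothetical struct for the two config-file options named in the comment above.
#[derive(Default)]
pub struct Config {
    pub sign_key_path: Option<PathBuf>,
    pub sign_key_paths: Vec<PathBuf>,
}

/// Union of all four sources in a stable order. `env` is injected so the
/// lookup can be tested without changing the process environment.
pub fn signing_key_paths(cfg: &Config, env: impl Fn(&str) -> Option<String>) -> Vec<PathBuf> {
    let mut out = Vec::new();
    let mut seen = BTreeSet::new();
    let mut push = |p: PathBuf| {
        // Assumption: empty values are ignored and a repeated path is used once.
        if !p.as_os_str().is_empty() && seen.insert(p.clone()) {
            out.push(p);
        }
    };
    if let Some(p) = &cfg.sign_key_path { push(p.clone()); }
    for p in &cfg.sign_key_paths { push(p.clone()); }
    if let Some(v) = env("SIGN_KEY_PATH") { push(PathBuf::from(v.trim())); }
    if let Some(v) = env("SIGN_KEY_PATHS") {
        // Multiple paths are separated by whitespace, as described above.
        for p in v.split_whitespace() { push(PathBuf::from(p)); }
    }
    out
}

/// Nix key files have the form `name:base64`. Returns every name that occurs
/// more than once in the given key file contents, so a rotation can be checked.
pub fn duplicate_key_names(key_files: &[&str]) -> Vec<String> {
    let mut seen = BTreeSet::new();
    key_files.iter()
        .filter_map(|c| c.trim().split_once(':').map(|(n, _)| n.to_string()))
        .filter(|n| !seen.insert(n.clone()))
        .collect()
}

fn main() {
    // Constructed sample path; the environment is read from the real process here.
    let cfg = Config { sign_key_path: Some("/run/keys/old.sec".into()), ..Default::default() };
    for p in signing_key_paths(&cfg, |k| std::env::var(k).ok()) {
        println!("would sign with {}", p.display());
    }
}
```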
Hi, I think that something like the previous comment should appear in the README.
BTW, I sign Nix store paths with nix store sign and I need harmonia to serve these signatures instead of automatically signing the whole nix store. I opened draft PR #336, which does that. This can also result in multiple signatures of a single store path like in this PR. If your PR gets merged, I'll need to update mine, because there are obviously conflicts.
Out of curiosity, why do you need multiple signing keys?
Out of curiosity, why do you need multiple signing keys?
I changed the URL my cache is served under and wanted to change the key's name accordingly. It turned out that in Nix the name is not just a hint, instead it matches if name and signature match. So while transitioning the domains and keys, I have to sign with two keys. I found it not worth it to run multiple harmonia instances, as Nix absolutely supports multiple signing keys.
Sounds like a useful way to rotate keys. So I am for having it.
Change looks good to me, but can you also update the nixos module to use the new environment variables?
@Mic92 I updated the NixOS module.
I haven't touched the tests for it yet. Would you like to leave the test for the deprecated option and have another one for multiple signatures or should I change the existing one?
Just change the test to the new option.
@mergify rebase
rebase
✅ Branch has been successfully rebased
@mergify queue
queue
✅ The pull request has been merged automatically
The pull request has been merged automatically at 3ae668e873bded4c05446cb4aa745b5de606aefc