feat(libstore): add RequiredSignatures to nix-cache-info #14313
Conversation
Binary caches can now advertise signature requirements via a new RequiredSignatures field in nix-cache-info. This field contains a whitespace-separated list of public keys. When uploading paths to such caches, Nix validates that each path has at least one valid signature from the required keys. This prevents accidental uploads of unsigned or incorrectly-signed paths due to configuration errors (e.g., typos like "secret-key-file" vs "secret-key"). Content-addressed paths are exempt from this check as they are self-validating.
Adds a RequireAllSignatures field to nix-cache-info that, when set to 1, requires paths to be signed by ALL keys listed in RequiredSignatures rather than just one. This enables multi-party approval workflows where paths must be signed by multiple independent parties before being uploaded to a cache (e.g., dev team, QA team, and release team).

Example nix-cache-info:

RequiredSignatures: dev:key1... qa:key2... release:key3...
RequireAllSignatures: 1

Error messages now indicate whether "at least ONE" or "ALL" keys are required and show the signature count (e.g., "1 out of 3 required").

Add tests for the RequiredSignatures and RequireAllSignatures fields in nix-cache-info:
- Test unsigned path rejection
- Test correctly signed path acceptance
- Test wrong key signature rejection
- Test content-addressed paths bypass signature requirements
- Test multiple required keys (any one sufficient)
- Test RequireAllSignatures enforcement (all keys required)

Added test packages D-G to avoid signature state pollution across tests.
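The upload-time check the description above lays out, as an added example that is not code from this PR or from Nix itself: it parses the two new nix-cache-info fields, verifies each path signature against the listed keys, exempts content-addressed paths, and counts distinct signing keys so a repeated signature cannot satisfy RequireAllSignatures twice. It is written in Go rather than libstore's C++ only so that ed25519 verification comes from the standard library; the key names (dev, qa, release) follow the description, and the fingerprint string any caller signs is assumed to be whatever the store signs for a path.

```go
package main
import "crypto/ed25519"
import "encoding/base64"
import "fmt"
import "strings"
// SigPolicy is what the two new nix-cache-info fields express: key name -> public key, and whether all of them must sign.
type SigPolicy struct {
	Keys       map[string]ed25519.PublicKey
	RequireAll bool
}
// ParseCacheInfo reads "Name: value" lines; a malformed RequiredSignatures entry is an error, not silently skipped.
func ParseCacheInfo(text string) (SigPolicy, error) {
	p := SigPolicy{Keys: map[string]ed25519.PublicKey{}}
	for _, line := range strings.Split(text, "\n") {
		name, value, _ := strings.Cut(line, ":")
		switch value = strings.TrimSpace(value); name {
		case "RequiredSignatures": // whitespace-separated "name:base64pubkey" entries
			for _, k := range strings.Fields(value) {
				kname, kb64, ok := strings.Cut(k, ":")
				raw, err := base64.StdEncoding.DecodeString(kb64)
				if !ok || err != nil || len(raw) != ed25519.PublicKeySize {
					return p, fmt.Errorf("malformed key %q in RequiredSignatures", k)
				}
				p.Keys[kname] = ed25519.PublicKey(raw)
			}
		case "RequireAllSignatures":
			p.RequireAll = value == "1"
		}
	}
	return p, nil
}
// CheckUpload is the upload-time check: sigs are Nix-style "name:base64sig" strings over the path fingerprint; ca marks a content-addressed path, which is self-validating and exempt.
func CheckUpload(p SigPolicy, fingerprint string, sigs []string, ca bool) error {
	valid := map[string]bool{} // distinct required keys that produced a valid signature (a repeated signature is not counted twice)
	for _, s := range sigs {
		name, sb64, _ := strings.Cut(s, ":")
		sig, _ := base64.StdEncoding.DecodeString(sb64) // a bad or undecodable signature simply fails Verify
		if pk, ok := p.Keys[name]; ok && ed25519.Verify(pk, []byte(fingerprint), sig) {
			valid[name] = true
		}
	}
	need := 1 // default: at least ONE of the required keys
	if p.RequireAll {
		need = len(p.Keys) // RequireAllSignatures: 1 means ALL of them
	}
	if ca || len(p.Keys) == 0 || len(valid) >= need {
		return nil
	}
	return fmt.Errorf("refusing upload: %d out of %d required signatures present (RequireAllSignatures=%v)", len(valid), need, p.RequireAll)
}
```

A cache with no RequiredSignatures field keeps today's behaviour (any path is accepted), so the check only bites where the cache operator has opted in.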
An open question is that these

Oh we are very behind documenting the entire binary cache format. This should definitely be fixed. I imagine that the

Also my dream would be using
| config.wantMassQuery.setDefault(value == "1"); | ||
| } else if (name == "Priority") { | ||
| config.priority.setDefault(std::stoi(value)); | ||
| } else if (name == "RequiredSignatures") { |
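Review bot: the `RequiredSignatures` branch at the end of this hunk receives the field's raw whitespace-separated value; unlike the `Priority` branch just above it, where `std::stoi(value)` fails loudly on a non-numeric value, an entry that does not parse as a `name:base64` public key should also be rejected when nix-cache-info is loaded rather than dropped, otherwise a typo in the cache's key list silently weakens the very policy the field exists to enforce.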
This should probably be named RequiredSigners (it's a list of public keys, not a list of signatures).
And actually the name RequiredSigners is misleading if RequireAllSignatures is false. So it should probably be Signers or AllowedSigners.
| } | ||
| } | ||
| } | ||
| } else if (name == "RequireAllSignatures") { |
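Review bot: for the `RequireAllSignatures` branch, parse the value the same strict way `WantMassQuery` is parsed above (`value == "1"`) and document that only the literal `1` enables it; a cache operator who writes `true` or `yes` would otherwise get the default any-one-key semantics without any error, which is exactly the kind of configuration mistake this PR sets out to catch.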
This could also be NrSignaturesNeeded, taking an arbitrary integer, similar to nix verify's --sigs-needed flag. It might be useful to require e.g. at least 2 valid signatures.
Context
Fixes: #12491
Supersedes: #14298