How to handle a list of binary caches where some are signed and others aren't

[AmineChikhaoui]

If I have a list of binary caches e.g s3://foo s3://bar and foo is signed while bar isn't.
It seems that right now if I have a require-sigs = true in my nix config, that will still try to check the signature for s3://bar paths which doesn't really make sense.

    /* Bail out early if this substituter lacks a valid
       signature. LocalStore::addToStore() also checks for this, but
       only after we've downloaded the path. */
    if (worker.store.requireSigs && !info->checkSignatures(worker.store, worker.store.publicKeys)) {
        printInfo(format("warning: substituter '%s' does not have a valid signature for path '%s'")
            % sub->getUri() % storePath);
        tryNext();
        return;
    }

Maybe a better approach would be to do signature validation per binary cache, i.e have some kind of mapping between binary cache/public key/require-sigs.

[copumpkin]

I think that at some point (maybe only in the past) require-sigs was allowed on individual store URIs as well. @edolstra am I imagining that?

[edolstra]

@copumpkin You may be thinking of signed-binary-caches, however it never actually supported individual URIs (it could only be * or an empty string).

[edolstra]

@AmineChikhaoui Well, the model is that addToStore() doesn't know where a NAR comes from, so it cannot whilelist certain substituters.