New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Missing signature failures get cached permanently #4258
Comments
Also note that the cached result had another signature, which was not trusted, – I am not sure if this was a factor, but could be. |
Looks like #2127 is kind of related. |
I was running into the same problem. I first published my cache with either a missing or a wrong signing key. Even after correcting the key, some host which has been accessing the cache before that, would refuse to accept any of the earlier accessed paths which it already had determined as Removing |
I marked this as stale due to inactivity. → More info |
I have the same issue when updating signatures. Here is what I did. First I signed the derivation and filled the cache.
To test the cache I did
Which then successfully fetches binaries from the cache. But when I generate a new key
and update the public key in my NixOS configuration followed by To reproduce this I had to clear my cache, because I realized that the narinfo of an already cached derivation does
Then I repeated the process.
and again to test the cache
which then gives me
and rebuilds the cached derivations. |
Context:
At some point we accidentally pushed certain paths to our cache without including signatures. A number of people then tried to build the derivation and reported substitution failures due to this. We realised the mistake and pushed the missing signatures, however substitution failures persisted.
Here is what it looks like:
(
serokell-1
is the trusted key here)It is interesting that these paths ended up in a sort of weird state, but I don’t think this is relevant here, so I’ll create a separate issue.
Digging deeper:
This cache is correct and nuking it has no effect. What matters is the root cache:
As you can see, this cache does not have the
serokell-1
signature. Nuking the root cache fixed the issue.I am not sure what would be the expected behaviour here, I would say, retry every time when a substituter has no valid signatures or, at least, let them expire.
The text was updated successfully, but these errors were encountered: