
Cannot nix copy --to /directory built package because it lacks a valid signature #4894

Silex opened this issue Jun 6, 2021 · 13 comments
@Silex

Silex commented Jun 6, 2021

I have the following Dockerfile:

FROM nixos/nix
# RUN nix-shell -p cachix --run 'cachix use emacs-ci'
RUN nix-env -iA emacs-25-1 -f https://github.com/purcell/nix-emacs-ci/archive/master.tar.gz
RUN nix copy --to /nix-emacs $(type -p emacs)
RUN cd /nix-emacs/nix/store && ln -s *emacs* emacs

FROM debian
COPY --from=0 /nix-emacs/nix/store /nix/store
ENV PATH="/nix/store/emacs/bin:$PATH"
CMD ["emacs"]

The nix copy fails with the following message:

Step 3/4 : RUN nix copy --to /nix-emacs $(type -p emacs)
 ---> Running in a2bb6f93d9e7
error: cannot add path '/nix/store/ml1d65ssxnqxmvz9pn5g1i0gggfjas00-emacs-25.1' because it lacks a valid signature
The command '/bin/sh -c nix copy --to /nix-emacs $(type -p emacs)' returned a non-zero code: 1

For example, if I use cachix (by uncommenting the line above) everything works normally. How do I work around this? #2330 suggests generating a binary cache, but my attempts were unsuccessful.

My goal is to get the bare minimum dependencies for emacs (without nix) in order to get an Emacs docker image (feel free to give advice on how to achieve that, maybe nix copy is not the right tool).

@thufschmitt
Member

> error: cannot add path '/nix/store/ml1d65ssxnqxmvz9pn5g1i0gggfjas00-emacs-25.1' because it lacks a valid signature

Yes, local stores require everything you copy to them to be signed with a signature you trust. You can easily bypass this by using --no-require-sigs.

> For example if I use cachix (by uncommenting the line above) everything works normally

Yes, that’s because everything in a cachix cache is signed, and running cachix use emacs-ci will trust the corresponding signing key.

> My goal is to get the bare minimum dependencies for emacs (without nix) in order to get an Emacs docker image (feel free to give advice on how to achieve that, maybe nix copy is not the right tool).

Depends what you mean by “without nix”, but if you have a machine with Nix installed, using the Nix docker tooling might be easier and faster in the long run.

@Silex
Author

Silex commented Jun 6, 2021

Thanks a lot for your input, I ran nix copy --help but somehow missed --no-require-sigs.

@Silex Silex closed this as completed Jun 6, 2021
@SuperSandro2000
Member

The flag is now called --no-check-sigs

@jakubgs

jakubgs commented Apr 20, 2023

The --no-check-sigs flag appears to not have any effect:

 > nix --version
nix (Nix) 2.13.3

 > nix copy --to ssh://host.example.org /nix/store/fzqr1v92q0ccdg2ssl3grx0142nbvz5r-ios-deploy-1.11.0/bin/ios-deploy --no-check-sigs
[1/0/1 copied (0.0/0.4 MiB)] copying path '/nix/store/fzqr1v92q0ccdg2ssl3grx0142nbvz5r-ios-deploy-1.11.0' to 'ssh://host.example.org'error: cannot add path '/nix/store/fzqr1v92q0ccdg2ssl3grx0142nbvz5r-ios-deploy-1.11.0' because it lacks a valid signature
error: unexpected end-of-file

 > nix copy --to ssh-ng://host.example.org /nix/store/fzqr1v92q0ccdg2ssl3grx0142nbvz5r-ios-deploy-1.11.0/bin/ios-deploy --no-check-sigs
error: cannot add path '/nix/store/fzqr1v92q0ccdg2ssl3grx0142nbvz5r-ios-deploy-1.11.0' because it lacks a valid signature

@Animeshz

Yeah, neither of the flags lets you copy paths now...

@fzakaria
Contributor

fzakaria commented Jul 7, 2023

I am seeing the same

❯ NIX_SSHOPTS='source /etc/profile.d/nix.sh;' nix copy --no-check-sigs --to ssh://cte-prod-us-west1-2-optical-office-49206.c.googlers.com \
    $(nix build --file what-is-my-ip.nix --json | jq -r '.[].outputs.out')
copying 1 pathserror: cannot add path '/nix/store/6qg2j5q9m5lz1rvvjfxmlaky05mq8w05-what-is-my-ip' because it lacks a signature by a trusted key
error: unexpected end-of-file

Can we re-open this?

@thufschmitt
Member

@fzakaria can you check whether #8589 (now on Nix master) fixes it?

@harris-chris

I am using this commit:

$ nix --version
nix (Nix) 2.17.0pre20230627_80c9259

but still experiencing the same problem:

$ nix copy --no-check-sigs --to ssh:server@172.16.20.9 /nix/store/jnsmda7742kb4c7wby4bsin11ki9nmsz-my-package
[2/0/5 copied (0.5/732.8 MiB)] error: cannot add path '/nix/store/9qd656l4xrvkrz8qcd4wgyn5kz619c25-libxml2_2_11_3' because it lacks a valid signature

@harris-chris

NB, for anyone looking for a workaround to this, one option that I hadn't realized was available was to set require-sigs = false in the nix.conf of the target machine.
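A defensive alternative to the workaround above, added here as an example and not part of this thread: rather than switching signature checking off on the target, sign what the build host produces and trust only that key on the target, so unsigned paths keep being rejected. The key name `build-host-1` and the file paths are assumptions.

```ini
# --- Weak: the workaround above, on the TARGET's /etc/nix/nix.conf.
# Every path copied in is accepted, whoever built it.
# require-sigs = false

# --- Preferred, step 1: BUILD host /etc/nix/nix.conf.
# Generate a key pair once (assumed key name and paths):
#   nix-store --generate-binary-cache-key build-host-1 /etc/nix/secret-key /etc/nix/public-key
# then let Nix sign every path it builds from now on:
secret-key-files = /etc/nix/secret-key
# Paths built before this setting existed can be signed after the fact:
#   nix store sign --key-file /etc/nix/secret-key --recursive /nix/store/<hash>-my-package

# --- Preferred, step 2: TARGET /etc/nix/nix.conf.
# Keep the check on (this is the default) and trust the build host's public key,
# i.e. the contents of /etc/nix/public-key ("build-host-1:<base64>").
# Setting trusted-public-keys replaces the default list, so the cache.nixos.org
# key must be listed again or paths from the official binary cache fail the same way.
require-sigs = true
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= build-host-1:<base64 public key>

# With both in place, a plain
#   nix copy --to ssh://target /nix/store/<hash>-my-package
# succeeds without --no-check-sigs, while anything not signed by a trusted key is still refused.
```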

@con-f-use

con-f-use commented Nov 20, 2023

Having this problem with nixos-rebuild switch --target-host ..., and that does not have a --no-require/check-sigs option. #8589 doesn't seem to help it. I'm on latest unstable (e4ad989506ec7d71f7302cc3067abd82730a4beb).

Something tangential to consider: on a freshly deployed box, where nixos was installed using the installer, is the main user included in allowed-users or trusted-users? I'm asking because nixos-rebuild --target-host should probably work there out of the box, no matter what. Unless I'm ignorant of some security concerns here.

@polygon

polygon commented Apr 11, 2024

> The flag is now called --no-check-sigs

Should we add this as part of the error message? I'd expect 99% of the people who land here probably google the error message after trying to copy a closure from a fast build machine to a slow laptop or RasPI.

@thufschmitt
Member

> The flag is now called --no-check-sigs

> Should we add this as part of the error message? I'd expect 99% of the people who land here probably google the error message after trying to copy a closure from a fast build machine to a slow laptop or RasPI.

Yup, that sounds like a very reasonable thing to do.
Care to open a PR for that?

@polygon

polygon commented Apr 12, 2024

> The flag is now called --no-check-sigs

> Should we add this as part of the error message? I'd expect 99% of the people who land here probably google the error message after trying to copy a closure from a fast build machine to a slow laptop or RasPI.

> Yup, that sounds like a very reasonable thing to do. Care to open a PR for that?

Will do over the weekend.
