nix copy does not add any newly trusted keys to the database if the path that is being copied already exists.
Steps To Reproduce
Have machines A and B
Have machine A trust its own build key and no others.
Have machine B trust its own build key and no others.
Build pkgs.hello (with a little preBuild change so the building doesn't fetch from cache.nixos.org) on machine A.
Sign the result with A's build key using nix sign-paths.
Upload it to machine B using nix copy.
The signature is discarded on B's end (by the way, this will probably warrant a nixos manual addition).
Then rebuild B with a new config that says to trust A's build key.
Upload the result to machine B again using nix copy.
Expected behaviour
B adds the signature to its database.
Actual behaviour
B does not add the signature to its database unless you nix-store --delete the path on B's end first.
nix-env --version output
On both machine A and B:
nix-env --version
nix-env (Nix) 2.3.11
If we want to keep the current logic of just checking the current store paths' existence without adding signatures after the fact, then it should be documented that this is what happens, because otherwise it is confusing behaviour when setting post-build hooks as documented in section: https://nixos.org/manual/nix/stable/#idm140737321140208.
cc @nh2 , who helped me diagnose this issue.
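The sequence reported above, as an added Python model of machine B's store; it is not code from the issue or from Nix. The `Store` class, the `merge_sigs_on_existing` switch, the key names and the sample signature are all assumptions made for illustration, and the model checks only the key name of a signature rather than verifying it cryptographically.

```python
# Constructed model of the receiving store (machine B); not Nix source code.
from dataclasses import dataclass, field

PATH = "/nix/store/<hash>-hello"        # placeholder store path
SIG_A = "machine-a-1:c2lnbmF0dXJl"      # constructed "<key-name>:<base64>" signature


@dataclass
class Store:
    trusted_keys: set                       # key names B currently trusts
    merge_sigs_on_existing: bool = False    # False = behaviour the report describes
    db: dict = field(default_factory=dict)  # store path -> recorded signatures

    def _trusted(self, sigs):
        # Keep only signatures whose key name is trusted (no real crypto here).
        return {s for s in sigs if s.split(":", 1)[0] in self.trusted_keys}

    def receive(self, path, sigs):
        """Handle one path arriving via a copy; return what happened."""
        if path in self.db:
            if not self.merge_sigs_on_existing:
                return "skipped"            # existence check only, sigs never examined
            new = self._trusted(sigs) - self.db[path]
            self.db[path] |= new            # record newly trusted signatures
            return "merged" if new else "skipped"
        # New path: imported, but signatures by untrusted keys are dropped,
        # as the report describes for the first copy.
        self.db[path] = self._trusted(sigs)
        return "imported"

    def delete(self, path):
        self.db.pop(path, None)             # stands in for `nix-store --delete`


def reproduce(merge_sigs_on_existing, delete_first=False):
    b = Store({"machine-b-1"}, merge_sigs_on_existing)
    first = b.receive(PATH, {SIG_A})        # first copy: A's key not trusted yet
    b.trusted_keys.add("machine-a-1")       # B rebuilt to trust A's key
    if delete_first:
        b.delete(PATH)                      # the workaround from the report
    second = b.receive(PATH, {SIG_A})       # second copy of the same path
    return first, second, sorted(b.db[PATH])


if __name__ == "__main__":
    print("reported:  ", reproduce(False))
    print("workaround:", reproduce(False, delete_first=True))
    print("expected:  ", reproduce(True))
```

In the merging variant only signatures made by keys B already trusts are recorded, so copying a path again cannot attach a signature from an untrusted key.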