nix copy --no-check-sigs only seems to work for one direction?

[colemickens]

Describe the bug

This is what I'm doing to eval locally, build on a remote store, and copy back:

nix copy \
  --eval-store auto \
  --no-check-sigs \
  --from ssh-ng://${remote} \
  --to ssh-ng://100.72.11.62 \
  /home/cole/code/nixcfg#topbundles.aarch64-linux

However, when I copy to the aarch64 community box, I get an error. (I am a trusted user on that box)

error: cannot add path '/nix/store/k8gqxn410j08hm9hr8r1m67mxwyg33ij-hm_config.yml' because it lacks a valid signature                                                                                                                                       

If I manually do this, then issue the same command, it works:

nix copy --derivation --eval-store "auto" --no-check-sigs --to "ssh-ng://${remote}" "${drv}"

It seems to me that maybe --no-check-sigs is only working for one direction in my scenario(s)? Or is there a daemon mis-match version issue?

Locally: 2.6.0pre20211217_6e6e998
Remote store: 2.6.0pre20211217_6e6e998 (also occurs with the box's default nix: 2.5.1)

[colemickens]

(granted, I'm still of two-minds about whether nix copy should even just start building on-the-fly, but that ship seems to have sailed)

[colemickens]

I wonder if there isn't a uri query param I should be adding? I feel like you seem to know about these types of things often @Ericson2314 , do you happen to know?

[thufschmitt]

Looking at the code, there’s no obvious reason why it shouldn’t be working. So I guess this is a bug, but I’ve no idea where it comes from 🤷

[colemickens]

Just confirming again:

The second command here only works reliably if I perform the first copy so that the derivations are copied up. Otherwise, signatures are not ignored when copying in the derivations to the "remote" builder. (I used --verbose to confirm that's the part that's not working)

  nix copy \
    --eval-store "auto" \
    --no-check-sigs \
    --derivation \
    --to "ssh-ng://${remote}" \
    "${thing}" "${@}"

  nix copy \
    --eval-store "auto" \
    --no-check-sigs \
    --from "ssh-ng://${remote}" \
    --no-check-sigs \
    --to "ssh-ng://${target}" \
    --no-check-sigs \
      "${thing}" "${@}" >/dev/stderr

[colemickens]

Is it possible that somehow I am not being recognized as a trusted user in certain scenarios?

[colemickens]

It kind of seems like adding ?no-check-sigs=1 helped:

  # nix copy \
  #   --eval-store "auto" \
  #   --no-check-sigs \
  #   --derivation \
  #   --to "ssh-ng://${remote}" \
  #   "${thing}" "${@}"
  nix copy \
    --eval-store "auto" \
    --no-check-sigs \
    --from "ssh-ng://${remote}?no-check-sigs=1" \
    --no-check-sigs \
    --to "ssh-ng://${target}" \
    --no-check-sigs \
      "${thing}" "${@}" >/dev/stderr

I changed the derivation enough and I can see it copying up the drvs and it seems to just work now...

even though I Also see: warning: unknown setting 'no-check-sigs'

EDIT: Nope... it still just doesn't work or is very unreliable.

[Ericson2314]

I am reminded of #5638. There's just too many places for those settings to go at the moment, which makes things very confusing.

[Animeshz]

bump

[Animeshz]

Running the command as root somehow works...

[thufschmitt]

Running the command as root somehow works...

Is your (non-root) user trusted?