Cryptic error when using nix store sign with a bash here string #6856

Open
asymmetric opened this issue Aug 3, 2022 · 3 comments
@asymmetric
Contributor

Describe the bug

I have a secret signing key in the NIX_PRIV_KEY environment variable. I want to pass it to nix store sign, and I choose to do this using <<<:

nix store sign -k <<< "$NIX_PRIV_KEY"

path '/home/asymmetric/foo/bar' does not contain a 'flake.nix', searching up
error: path '/home/asymmetric/foo/bar' is not part of a flake (neither it nor its parent directories contain a 'flake.nix' file)

Steps To Reproduce

  1. Have a secret signing key in NIX_PRIV_KEY
  2. Run nix store sign -k <<< "$NIX_PRIV_KEY"
  3. See error

Expected behavior

Either this should work, or it should fail with a better error message.

nix-env --version output

Additional context

I know that there's another way to solve this, using <(echo $NIX_PRIV_KEY).

@asymmetric asymmetric added the bug label Aug 3, 2022
@thufschmitt
Member

Which paths are you expecting to sign here? Because nix store sign expects you to pass in a list of paths (or more precisely a list of installables that will be converted to a path). So regardless of how you try to pass the key you should have the same error message if you don't explicitly specify a path:

$ nix store sign -k /my/secret/key
path '/tmp/tmp.fmFjds2VXD' does not contain a 'flake.nix', searching up
error: could not find a flake.nix file

Now for the fact that the error message isn't what you expect, I agree, although I'm not sure what a good message should be. Maybe something like

error: could not find a flake.nix file. Maybe you want to explicitly specify the paths that you want to work on?

(Well, the phrasing is ugly, but that gives the broad idea)

@asymmetric
Contributor Author

asymmetric commented Aug 9, 2022

You're right, I posted an incomplete snippet - sorry for that! What I'm doing is:

          for file in os/result/test/*; do
            if [[ -L $file ]]; then
              nix-store -qR "$file" | xargs nix store sign -k <(echo "$NIX_PRIVKEY")
            fi
          done

which works as intended, whereas

          for file in os/result/test/*; do
            if [[ -L $file ]]; then
              nix-store -qR "$file" | xargs nix store sign -k <<< "$NIX_PRIVKEY"
            fi
          done

prints the error above.

os/result/test contains (among other things) a bunch of symlinks to paths in the store.

@thufschmitt
Member

Ah makes sense then :)

So yeah, the second form is akin to nix store sign -k /nix/store/blah <<< "$NIX_PRIVKEY", in which case nix understands /nix/store/blah as the path to the key (because -k expects an argument) and doesn't see any path to sign – making it default to the local flake (which doesn't exist, hence the error).

I don't think we can avoid the “nix understands /nix/store/blah as the path to the key” part since it's the syntax that the CLI expects, but we could definitely make it explicit in the error message that Nix tried looking for a flake.nix because it didn't have anything explicitly passed on the CLI.

Wanna open a PR for that? :D

Btw if that's any help, -k /dev/stdin probably works too
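
What each of the two redirection forms from the thread hands to the command run by xargs, as an added example that is not part of the original issue or of Nix itself. A `sh -c` stub stands in for `nix store sign` and only prints its arguments; the key string and store paths are constructed sample values.

```bash
#!/usr/bin/env bash
# Needs bash: here-strings and process substitution are not POSIX sh.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# Constructed sample data: a dummy key string and two fake store paths.
KEY='demo-key-1:not-a-real-secret'
paths() { printf '%s\n' /nix/store/aaa-foo /nix/store/bbb-bar; }

# Hypothetical stand-in for `nix store sign`: prints every argument it
# receives in brackets, so the command line built by xargs is visible.
stub='printf "[%s]" "$@"'

# Form 1: <(...) expands to a /dev/fd/N path, which becomes -k's argument.
# xargs keeps the pipe as its stdin and appends the store paths.
with_process_substitution() {
  paths | xargs sh -c "$stub" sign-stub -k <(printf '%s\n' "$KEY")
}

# Form 2: the here-string is a redirection on xargs itself, so it replaces
# the pipe as xargs's stdin. xargs then reads the key text as its input
# items and appends it to the command line; the store paths are never read.
with_here_string() {
  paths | xargs sh -c "$stub" sign-stub -k <<< "$KEY"
}

printf 'process substitution: %s\n' "$(with_process_substitution)"
printf 'here-string:          %s\n' "$(with_here_string)"
```

In the here-string form the key text ends up as a command-line argument, where it is visible in process listings, and no path to sign is passed at all.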
