
Post build hook signing #7408

Merged: 3 commits, Dec 7, 2022

Conversation

@endgame (Contributor) commented Dec 6, 2022

At least until #6960 is fixed, switch the recommended approach to one which signs all derivations that end up in binary caches.

@thufschmitt (Member) left a comment

Makes sense semantically speaking. And I actually like this style better. Deferring to @fricklerhandwerk for merging.

@fricklerhandwerk (Contributor) left a comment

Thanks @endgame! Left suggestions for wording. Also please note the general contribution guidelines, which you probably have not seen because they are not linked in the Nix contribution guide. (We will catch up eventually, but you're warmly invited to make a PR to the manual!)

@NixOS/documentation-team This whole directory is tutorials which don't really belong here. We should maintain them anyway, and move them to nix.dev eventually.

Two review suggestions on doc/manual/src/advanced-topics/post-build-hook.md (outdated, resolved)
@endgame (Contributor, Author) commented Dec 7, 2022

Rewritten to capture the spirit of suggestions, plus some guesses at the anchors in the conf-file (how do I check those?).

The docs used to recommend calling `nix store sign` in a post-build
hook, but on more recent versions of nix, this results in unsigned
store paths being copied into binary caches. See
NixOS#6960 for details.

Instead, use the `secret-key-files` config option, which signs all
locally-built derivations with the private key.
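The change the commit message describes, as an added example written for this page (not the PR's own text and not the Nix manual's): the retired hook that signs before copying, beside the recommended nix.conf plus a copy-only hook, with the checks a cache operator would want. The paths, cache URL and key name are placeholders; OUT_PATHS is the space-separated list of output paths Nix hands to a post-build hook.

```shell
#!/bin/sh
# Added example, not text from the PR or the Nix manual. Paths, cache URL and
# key name are placeholders.
set -eu

# Before (the approach the PR retires): the hook signs, then copies. Per the
# PR, on recent Nix this still leaves unsigned store paths in the cache.
old_style_hook() {
  set -f; export IFS=' '      # no globbing; split $OUT_PATHS on spaces
  nix store sign --key-file /etc/nix/key.private $OUT_PATHS
  nix copy --to "file:///var/cache/nix" $OUT_PATHS
}

# After: nix.conf makes the daemon sign every locally built path, so the
# hook only copies. Constructed nix.conf fragment:
NIX_CONF_EXAMPLE='post-build-hook = /etc/nix/upload-to-cache.sh
secret-key-files = /etc/nix/key.private'

new_style_hook() {
  set -f; export IFS=' '
  exec nix copy --to "file:///var/cache/nix" $OUT_PATHS
}

# Check 1: the nix.conf text on stdin sets a non-empty secret-key-files.
conf_sets_secret_key_files() {
  grep -Eq '^[[:space:]]*secret-key-files[[:space:]]*=[[:space:]]*[^[:space:]]'
}

# Check 2: the private key exists and is readable only by its owner; anyone
# who can read it can sign paths that clients of this cache will trust.
secret_key_file_ok() {
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU, then BSD
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Check 3 (needs a running Nix; not exercised offline): confirm a path in
# the cache actually carries a signature from our key.  KEY_NAME is the name
# given when the key pair was generated (placeholder here).
KEY_NAME='cache.example.org-1'
cache_path_is_signed() {
  nix path-info --store "file:///var/cache/nix" --sigs "$1" | grep -q "$KEY_NAME:"
}
```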
@fricklerhandwerk (Contributor) commented Dec 7, 2022

At the worst, the anchors are visible in the manual: https://nixos.org/manual/nix/unstable/command-ref/conf-file.html

There is also a file which generates them, which I'm about to make more readable: #7379

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
@fricklerhandwerk fricklerhandwerk merged commit c710aa1 into NixOS:master Dec 7, 2022
@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update-41/23848/1

@endgame endgame deleted the post-build-hook-signing branch January 16, 2023 03:39
jm8 pushed a commit to jm8/nix that referenced this pull request Aug 5, 2023
* docs: Use secret-key-files when demonstrating post-build-hooks