From deba51d7f4d77871b1f104917a1d6322e27e593c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jean-Fran=C3=A7ois=20Roche?= Date: Tue, 14 Oct 2025 01:01:03 +0200 Subject: [PATCH] fix(nix): remove '%' character from Nix trusted-public-keys configuration The '%' character cannot be part of our trusted-public-keys value as it is not a valid base64 character. --- .github/workflows/ami-release-nix-single.yml | 2 +- .github/workflows/ami-release-nix.yml | 4 ++-- .github/workflows/nix-build.yml | 4 ++-- .github/workflows/test.yml | 4 ++-- .github/workflows/testinfra-ami-build.yml | 4 ++-- Dockerfile-15 | 2 +- Dockerfile-17 | 2 +- Dockerfile-orioledb-17 | 2 +- .../files/admin_api_scripts/pg_upgrade_scripts/initiate.sh | 4 ++-- docker/nix/Dockerfile | 2 +- ebssurrogate/scripts/qemu-bootstrap-nix.sh | 2 +- scripts/nix-provision.sh | 2 +- 12 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/ami-release-nix-single.yml b/.github/workflows/ami-release-nix-single.yml index 6209c5692..bb6641ff0 100644 --- a/.github/workflows/ami-release-nix-single.yml +++ b/.github/workflows/ami-release-nix-single.yml @@ -46,7 +46,7 @@ jobs: install_url: https://releases.nixos.org/nix/nix-2.29.1/install extra_nix_config: | substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com - trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= + trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= - name: Set PostgreSQL version environment variable run: | diff --git a/.github/workflows/ami-release-nix.yml b/.github/workflows/ami-release-nix.yml index 27a1c0eb1..af003c0e2 100644 --- a/.github/workflows/ami-release-nix.yml +++ b/.github/workflows/ami-release-nix.yml @@ -30,7 +30,7 @@ jobs: install_url: https://releases.nixos.org/nix/nix-2.29.1/install extra_nix_config: | substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com - trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= + trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= - name: Set PostgreSQL versions id: set-versions @@ -65,7 +65,7 @@ jobs: install_url: https://releases.nixos.org/nix/nix-2.29.1/install extra_nix_config: | substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com - trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= + trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= - name: Run checks if triggered manually if: ${{ github.event_name == 'workflow_dispatch' }} diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml index 695dc2abf..758b9fbbd 100644 --- a/.github/workflows/nix-build.yml +++ b/.github/workflows/nix-build.yml @@ -73,7 +73,7 @@ jobs: install_url: https://releases.nixos.org/nix/nix-2.29.1/install extra_nix_config: | substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com - trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= + trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= post-build-hook = /etc/nix/upload-to-cache.sh - name: Install nix uses: cachix/install-nix-action@v27 @@ -82,7 +82,7 @@ jobs: install_url: https://releases.nixos.org/nix/nix-2.29.1/install extra_nix_config: | substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com - trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= + trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= - name: Aggressive disk cleanup for DuckDB build if: matrix.runner == 'macos-latest-xlarge' run: | diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 766e50b72..809d2c34e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -19,7 +19,7 @@ jobs: with: extra-conf: | substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com - trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= + trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= - name: Set PostgreSQL versions id: set-versions run: | @@ -47,7 +47,7 @@ jobs: with: extra-conf: | substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com - trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= + trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= - name: Set PostgreSQL version environment variable run: echo "POSTGRES_MAJOR_VERSION=${{ matrix.postgres_version }}" >> $GITHUB_ENV - name: Strip quotes from pg major and set env var diff --git a/.github/workflows/testinfra-ami-build.yml b/.github/workflows/testinfra-ami-build.yml index 0cb0cd483..c337e6e47 100644 --- a/.github/workflows/testinfra-ami-build.yml +++ b/.github/workflows/testinfra-ami-build.yml @@ -27,7 +27,7 @@ jobs: install_url: https://releases.nixos.org/nix/nix-2.29.1/install extra_nix_config: | substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com - trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= + trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= - name: Set PostgreSQL versions id: set-versions @@ -77,7 +77,7 @@ jobs: install_url: https://releases.nixos.org/nix/nix-2.29.1/install extra_nix_config: | substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com - trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= + trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= - id: args diff --git a/Dockerfile-15 b/Dockerfile-15 index 28f5122c0..3827deffb 100644 --- a/Dockerfile-15 +++ b/Dockerfile-15 @@ -56,7 +56,7 @@ RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/ --init none \ --no-confirm \ --extra-conf "substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com" \ ---extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" +--extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin" diff --git a/Dockerfile-17 b/Dockerfile-17 index 3ad03b37c..23989c7b9 100644 --- a/Dockerfile-17 +++ b/Dockerfile-17 @@ -58,7 +58,7 @@ RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/ --init none \ --no-confirm \ --extra-conf "substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com" \ ---extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" +--extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin" diff --git a/Dockerfile-orioledb-17 b/Dockerfile-orioledb-17 index 29f2fa527..1eb9400df 100644 --- a/Dockerfile-orioledb-17 +++ b/Dockerfile-orioledb-17 @@ -58,7 +58,7 @@ RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/ --init none \ --no-confirm \ --extra-conf "substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com" \ ---extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" +--extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin" diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh index 71016a294..1a602efd7 100755 --- a/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh +++ b/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh @@ -286,13 +286,13 @@ function initiate_upgrade { chmod +x "$NIX_INSTALLER_PATH" "$NIX_INSTALLER_PATH" install --no-confirm \ --extra-conf "substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com" \ - --extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + --extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" else echo "1.1.1. Installing Nix using the official installer" curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --no-confirm \ --extra-conf "substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com" \ - --extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + --extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" fi else echo "1.1. Nix is installed; moving on." diff --git a/docker/nix/Dockerfile b/docker/nix/Dockerfile index 226907953..89e5d8178 100644 --- a/docker/nix/Dockerfile +++ b/docker/nix/Dockerfile @@ -2,7 +2,7 @@ FROM nixpkgs/nix-flakes RUN echo "substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com" >> /etc/nix/nix.conf -RUN echo "trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=%" >> /etc/nix/nix.conf +RUN echo "trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=" >> /etc/nix/nix.conf USER $USER diff --git a/ebssurrogate/scripts/qemu-bootstrap-nix.sh b/ebssurrogate/scripts/qemu-bootstrap-nix.sh index 0b21959c3..b64cf9faf 100755 --- a/ebssurrogate/scripts/qemu-bootstrap-nix.sh +++ b/ebssurrogate/scripts/qemu-bootstrap-nix.sh @@ -84,7 +84,7 @@ execute_playbook function install_nix() { sudo su -c "curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --no-confirm \ --extra-conf \"substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com\" \ - --extra-conf \"trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=\" " -s /bin/bash root + --extra-conf \"trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=\" " -s /bin/bash root . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh } diff --git a/scripts/nix-provision.sh b/scripts/nix-provision.sh index 6515ecae9..f114bc6bb 100644 --- a/scripts/nix-provision.sh +++ b/scripts/nix-provision.sh @@ -25,7 +25,7 @@ function install_packages { function install_nix() { sudo su -c "curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --no-confirm \ --extra-conf \"substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com\" \ - --extra-conf \"trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=\" " -s /bin/bash root + --extra-conf \"trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=\" " -s /bin/bash root . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh }