store URI: introduce multiple signatures support

picnoir · picnoir · commit bdfb68c4a19f · 2025-04-08T20:57:21.000+02:00
Add a `secretKeyFiles` URI parameter in the store URIs receiving a coma-separated list of Nix signing keyfiles. For instance: nix copy --to "file:///tmp/store?secret-keys=/tmp/key1,/tmp/key2" \ "$(nix build --print-out-paths nixpkgs#hello)" The keys passed through this new store URI parameter are merged with the key specified in the `secretKeyFile` parameter, if any. We'd like to rotate the signing key for cache.nixos.org. To simplify the transition, we'd like to sign the new paths with two keys: the new one and the current one. With this, the cache can support nix configurations only trusting the new key and legacy configurations only trusting the current key. See NixOS/rfcs#149 for more informations behind the motivation.
diff --git a/src/libstore/binary-cache-store.cc b/src/libstore/binary-cache-store.cc
@@ -15,6 +15,7 @@
 #include "nix/util/archive.hh"
 
 #include <chrono>
+#include <cstddef>
 #include <future>
 #include <regex>
 #include <fstream>
@@ -29,8 +30,17 @@ BinaryCacheStore::BinaryCacheStore(const Params & params)
     , Store(params)
 {
     if (secretKeyFile != "")
-        signer = std::make_unique<LocalSigner>(
-            SecretKey { readFile(secretKeyFile) });
+        signers.push_back(std::make_unique<LocalSigner>(
+            SecretKey { readFile(secretKeyFile) }));
+
+    if (secretKeyFiles != "") {
+        std::stringstream ss(secretKeyFiles);
+        Path keyPath;
+        while (std::getline(ss, keyPath, ',')) {
+            signers.push_back(std::make_unique<LocalSigner>(
+                SecretKey { readFile(keyPath) }));
+        }
+    }
 
     StringSink sink;
     sink << narVersionMagic1;
@@ -271,7 +281,9 @@ ref<const ValidPathInfo> BinaryCacheStore::addToStoreCommon(
     stats.narWriteCompressionTimeMs += duration;
 
     /* Atomically write the NAR info file.*/
-    if (signer) narInfo->sign(*this, *signer);
+    for(auto &signer: signers) {
+        narInfo->sign(*this, *signer);
+    }
 
     writeNarInfo(narInfo);
 
diff --git a/src/libstore/include/nix/store/binary-cache-store.hh b/src/libstore/include/nix/store/binary-cache-store.hh
@@ -32,6 +32,9 @@ struct BinaryCacheStoreConfig : virtual StoreConfig
     const Setting<Path> secretKeyFile{this, "", "secret-key",
         "Path to the secret key used to sign the binary cache."};
 
+    const Setting<std::string> secretKeyFiles{this, "", "secret-keys",
+        "List of coma separated paths to the secret keys used to sign the binary cache."};
+
     const Setting<Path> localNarCache{this, "", "local-nar-cache",
         "Path to a local cache of NARs fetched from this binary cache, used by commands such as `nix store cat`."};
 
@@ -57,7 +60,7 @@ class BinaryCacheStore : public virtual BinaryCacheStoreConfig,
 {
 
 private:
-    std::unique_ptr<Signer> signer;
+    std::vector<std::unique_ptr<Signer>> signers;
 
 protected:
 
