I exported a tarball and want to import it on a remote machine, but I get the following error:
Note: the root user is okay.
[larluo@larluo-nixos:~/my-env]$ cat nix.sh.out/hello-2.10.closure.bz2 | ssh -i nix.sh.out/key [email protected] "bunzip2 | nix-store -v --import"
error: cannot add path '/nix/store/83lrbvbmxrgv7iz49mgd42yvhi473xp6-glibc-2.27' because it lacks a valid signature
[larluo@larluo-nixos:~/my-env]$ cat nix.sh.out/hello-2.10.closure.bz2 | ssh -i nix.sh.out/key [email protected] "bunzip2 | nix-store -v --import"
/nix/store/83lrbvbmxrgv7iz49mgd42yvhi473xp6-glibc-2.27
/nix/store/188avy0j39h7iiw3y7fazgh7wk43diz1-hello-2.10
/nix/store/2kcrj1ksd2a14bm5sky182fv2xwfhfap-glibc-2.26-131
/nix/store/kmwd1hq55akdb9sc7l3finr175dajlby-hello-2.10
I added the user to the nixbld group, but it still fails.
useradd -g nixbld -m larluo
[root@nixos:~]# nix-daemon
error processing connection: user 'larluo' is not allowed to connect to the Nix daemon
This isn't related to build users, your local user __should not__ be in the nixbld group!
Importing an untrusted closure is a potential security problem, for this reason it's intentionally only allowed by trusted users (eg. root).
Either sign the paths using your own key before creating the closure and configure the key to be trusted on the target machine. Or configure your local user to be trusted, similar to root.
To configure your own public key or trusted user check trusted-public-keys and trusted-users in man nix.conf or use the corresponding nix.binaryCachePublicKeys/nix.trustedUsers nixos options in your configuration.nix.
As for creating a keypair, there's a little bit of information in the nix-store manpage, but here's an example.
nix-store --generate-binary-cache-key machine.local-1 ~/.config/nix/sk ~/.config/nix/pk
nix sign-paths -k ~/.config/nix/sk -r /nix/store/kmwd1hq55akdb9sc7l3finr175dajlby-hello-2.10
I use the following commands to create the VM:
The issue is: the OS has no /etc/nixos/configuration.nix configuration file,
and /etc/nix/nix.conf is on a read-only filesystem.
vm_name=larluo
echo "[action] createvm ${vm_name}"

# Fetch and unpack the NixOps VirtualBox image once; later runs reuse it.
if [ ! -e nix.sh.out/virtualbox-nixops-18.03pre131587.b6ddb9913f2.vmdk ]; then
    vbox_url=http://nixos.org/releases/nixos/virtualbox-nixops-images/virtualbox-nixops-18.03pre131587.b6ddb9913f2.vmdk.xz
    echo "--> download ${vbox_url}"
    wget -c -O nix.sh.out/virtualbox-nixops-18.03pre131587.b6ddb9913f2.vmdk.xz.tmp "${vbox_url}"
    mv nix.sh.out/virtualbox-nixops-18.03pre131587.b6ddb9913f2.vmdk.xz.tmp nix.sh.out/virtualbox-nixops-18.03pre131587.b6ddb9913f2.vmdk.xz
    unxz nix.sh.out/virtualbox-nixops-18.03pre131587.b6ddb9913f2.vmdk.xz
fi

if VBoxManage list vms | grep "${vm_name}" > /dev/null 2>&1; then
    echo "----> vm ${vm_name} exist already!"
else
    VBoxManage createvm --name "${vm_name}" --ostype Linux26_64 --register
    # The NixOps image reads the SSH client key and its host key from guest properties.
    VBoxManage guestproperty set "${vm_name}" /VirtualBox/GuestInfo/Charon/ClientPublicKey "$(cat nix.sh.out/key.pub)"
    VBoxManage guestproperty set "${vm_name}" /VirtualBox/GuestInfo/NixOps/PrivateHostEd25519Key "$(cat nix.sh.out/key)"
    VBoxManage storagectl "${vm_name}" --name SATA --add sata --portcount 8 --bootable on --hostiocache on
    VBoxManage clonehd nix.sh.out/virtualbox-nixops-18.03pre131587.b6ddb9913f2.vmdk ~/"VirtualBox VMs"/"${vm_name}"/disk1.vdi --format VDI
    VBoxManage storageattach "${vm_name}" --storagectl SATA --port 0 --device 0 --type hdd --medium ~/"VirtualBox VMs"/"${vm_name}"/disk1.vdi
    VBoxManage modifyvm "${vm_name}" --memory 3072 --cpus 2 --vram 10 --nictype1 virtio --nictype2 virtio --nic2 hostonly --hostonlyadapter2 vboxnet0 --nestedpaging off --paravirtprovider kvm
    VBoxManage guestproperty enumerate "${vm_name}"
    VBoxManage startvm "${vm_name}" --type headless
fi

# Poll the guest property until the host-only adapter reports an IPv4 address.
echo "--> wait for the ip to be assigned, be patient..."
ip="No value set!"
while [ "$ip" = "No value set!" ]; do
    sleep 1
    ip=$(VBoxManage guestproperty get "${vm_name}" /VirtualBox/GuestInfo/Net/1/V4/IP)
done
echo "---> VM CREATED SUCCESS WITH IP: ${ip}"
For NixOS users stumbling into this, you may like to put trustedUsers = [ "root" "@wheel" ]; into your configuration.nix. (There are other "solutions", but I prefer this one.)
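The two fixes offered in this thread (sign the paths with your own key and trust that key on the target, or make the importing user a trusted user, e.g. via trustedUsers = [ "root" "@wheel" ]) are both policy decisions the daemon makes from nix.conf. The following added example, which is not part of Nix or of this issue, models that policy side so you can check a nix.conf before shipping it: it parses trusted-users and trusted-public-keys (including extra- prefixed lines and @group entries), validates the key format written by nix-store --generate-binary-cache-key, and decides whether an import from a given user with given signatures would be accepted. The nix.conf texts, the group table, the machine.local-1 key and the signature bytes are constructed sample input; the cache.nixos.org-1 key is Nix's real default. It does not verify the ed25519 signature itself, only whether the signing key name is trusted.

```python
"""Policy check for Nix closure imports: who is a trusted user and which
signing keys are trusted.  Added example, not Nix's own code.  Real Nix also
verifies the ed25519 signature over the path fingerprint; here only the
trust configuration is evaluated."""
import base64
from typing import Dict, List, Set, Tuple

# Built-in defaults: root is the only trusted user and cache.nixos.org-1 is
# the only trusted key.  "extra-<name>" lines append to these, as in Nix.
DEFAULTS: Dict[str, List[str]] = {
    "trusted-users": ["root"],
    "trusted-public-keys": [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
    ],
}


def parse_nix_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'name = value' lines into lists of whitespace-separated tokens.
    Comments and include directives are ignored; 'extra-<name>' appends."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("include ", "!include ")) or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        tokens = value.split()
        if name.startswith("extra-"):
            base = name[len("extra-"):]
            settings.setdefault(base, list(DEFAULTS.get(base, []))).extend(tokens)
        else:
            settings[name] = tokens
    return settings


def is_trusted_user(settings: Dict[str, List[str]], user: str,
                    groups: Dict[str, Set[str]]) -> bool:
    """trusted-users entries are user names, '@group' names, or '*' (everyone).
    `groups` maps group name -> member set (constructed here; on a real host
    it would come from /etc/group)."""
    for entry in settings.get("trusted-users", DEFAULTS["trusted-users"]):
        if entry == "*" or entry == user:
            return True
        if entry.startswith("@") and user in groups.get(entry[1:], set()):
            return True
    return False


def parse_key(key_text: str, expected_len: int) -> Tuple[str, bytes]:
    """Keys and signatures share the '<name>:<base64>' form: a public key
    decodes to 32 bytes, a signature to 64.  Reject anything else."""
    name, sep, b64 = key_text.strip().partition(":")
    if not sep or not name or not b64:
        raise ValueError("expected '<name>:<base64>'")
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != expected_len:
        raise ValueError(f"{name}: got {len(raw)} bytes, expected {expected_len}")
    return name, raw


def trusted_key_names(settings: Dict[str, List[str]]) -> Set[str]:
    keys = settings.get("trusted-public-keys", DEFAULTS["trusted-public-keys"])
    return {parse_key(k, 32)[0] for k in keys}


def import_allowed(settings: Dict[str, List[str]], user: str,
                   groups: Dict[str, Set[str]],
                   signatures: List[str]) -> Tuple[bool, str]:
    """Mirror the daemon's decision from the thread: an unsigned path (or one
    signed only by unknown keys) is accepted only from a trusted user."""
    if is_trusted_user(settings, user, groups):
        return True, f"user {user!r} is trusted; no signature required"
    trusted = trusted_key_names(settings)
    for sig in signatures:
        name, _ = parse_key(sig, 64)
        if name in trusted:
            return True, f"signed by trusted key {name!r}"
    return False, "path lacks a valid signature"


# Constructed sample data (not real key material).
SAMPLE_PUBKEY = "machine.local-1:" + base64.b64encode(b"\x01" * 32).decode()
SAMPLE_SIG = "machine.local-1:" + base64.b64encode(b"\x02" * 64).decode()
WEAK_CONF = "trusted-users = *   # anyone may import unsigned closures\n"
RECOMMENDED_CONF = f"""
trusted-users = root @wheel
extra-trusted-public-keys = {SAMPLE_PUBKEY}
"""

if __name__ == "__main__":
    rec = parse_nix_conf(RECOMMENDED_CONF)
    print(import_allowed(rec, "larluo", {"wheel": set()}, []))
    print(import_allowed(rec, "larluo", {"wheel": set()}, [SAMPLE_SIG]))
    print(import_allowed(rec, "larluo", {"wheel": {"larluo"}}, []))
    print(import_allowed(parse_nix_conf(WEAK_CONF), "anyone", {}, []))
```

The weak configuration (trusted-users = *) makes every local user equivalent to root for imports, which is the property the maintainer's comment warns about; the recommended one keeps the set to root plus wheel and trusts exactly one extra signing key.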