Fix it!

tests/build-remote-trustless-after.sh

@@ -0,0 +1,2 @@
+outPath=$(readlink -f $TEST_ROOT/result)
+grep 'FOO BAR BAZ' ${remoteDir}/${outPath}

tests/build-remote-trustless-should-fail-0.sh

@@ -1,11 +1,25 @@
 source common.sh
 
-# We act as if remote trusts us, but it doesn't. This fails since we are
-# building input-addressed derivations with `buildDerivation`, which
-# depends on trust.
+[[ $busybox =~ busybox ]] || skipTest "no busybox"
+
+unset NIX_STORE_DIR
+unset NIX_STATE_DIR
+
+# We first build a dependency of the derivation we eventually want to
+# build.
+nix-build build-hook.nix -A passthru.input2 \
+  -o "$TEST_ROOT/input2" \
+  --arg busybox "$busybox" \
+  --store "$TEST_ROOT/local" \
+  --option system-features bar
+
+# Now when we go to build that downstream derivation, Nix will try to
+# copy our already-build `input2` to the remote store. That store object
+# is input-addressed, so this will fail.
+
 file=build-hook.nix
 prog=$(readlink -e ./nix-daemon-untrusting.sh)
 proto=ssh-ng
-trusting=true
 
-! source build-remote-trustless.sh
+expectStderr 1 source build-remote-trustless.sh \
+    | grepQuiet "cannot add path '[^ ]*' because it lacks a signature by a trusted key"

tests/build-remote-trustless-should-pass-0.sh

@@ -1,9 +1,9 @@
 source common.sh
 
-# Remote trusts us but we pretend it doesn't.
+# Remote trusts us
 file=build-hook.nix
 prog=nix-store
 proto=ssh
-trusting=false
 
 source build-remote-trustless.sh
+source build-remote-trustless-after.sh

tests/build-remote-trustless-should-pass-1.sh

@@ -1,9 +1,9 @@
 source common.sh
 
-# Remote trusts us but we pretend it doesn't.
+# Remote trusts us
 file=build-hook.nix
 prog=nix-daemon
 proto=ssh-ng
-trusting=false
 
 source build-remote-trustless.sh
+source build-remote-trustless-after.sh

tests/build-remote-trustless-should-pass-2.sh

@@ -1,9 +1,9 @@
 source common.sh
 
-# Remote doesn't trust us nor do we think it does
+# Remote doesn't trust us
 file=build-hook.nix
 prog=$(readlink -e ./nix-daemon-untrusting.sh)
 proto=ssh-ng
-trusting=false
 
 source build-remote-trustless.sh
+source build-remote-trustless-after.sh

tests/build-remote-trustless-should-pass-3.sh

@@ -1,10 +1,10 @@
 source common.sh
 
-# We act as if remote trusts us, but it doesn't. This is fine because we
-# are only building (fixed) CA derivations.
+# Remote doesn't trusts us, but this is fine because we are only
+# building (fixed) CA derivations.
 file=build-hook-ca-fixed.nix
 prog=$(readlink -e ./nix-daemon-untrusting.sh)
 proto=ssh-ng
-trusting=true
 
 source build-remote-trustless.sh
+source build-remote-trustless-after.sh

tests/build-remote-trustless.sh

@@ -1,16 +1,14 @@
-if ! canUseSandbox; then exit; fi
-if ! [[ $busybox =~ busybox ]]; then exit; fi
+requireSandboxSupport
+[[ $busybox =~ busybox ]] || skipTest "no busybox"
 
 unset NIX_STORE_DIR
 unset NIX_STATE_DIR
 
+remoteDir=$TEST_ROOT/remote
+
 # Note: ssh{-ng}://localhost bypasses ssh. See tests/build-remote.sh for
 # more details.
-nix build -L -v -f $file -o $TEST_ROOT/result --max-jobs 0 \
+nix-build $file -o $TEST_ROOT/result --max-jobs 0 \
   --arg busybox $busybox \
   --store $TEST_ROOT/local \
-  --builders "$proto://localhost?remote-program=$prog&trusting=$trusting&remote-store=$TEST_ROOT/remote%3Fsystem-features=foo%20bar%20baz - - 1 1 foo,bar,baz"
-
-outPath=$(readlink -f $TEST_ROOT/result)
-
-grep 'FOO BAR BAZ' $TEST_ROOT/${subDir}/local${outPath}
+  --builders "$proto://localhost?remote-program=$prog&remote-store=${remoteDir}%3Fsystem-features=foo%20bar%20baz - - 1 1 foo,bar,baz"