Merge pull request #3921 from obsidiansystems/trustless-remote-builder-simple

Trustless remote building for input-addressed drvs

tests/build-remote-trustless-should-fail-0.sh

@@ -17,13 +17,13 @@ nix-build build-hook.nix -A passthru.input2 \
   --store "$TEST_ROOT/local" \
   --option system-features bar
 
-# Now when we go to build that downstream derivation, Nix will fail
-# because we cannot trustlessly build input-addressed derivations with
-# `inputDrv` dependencies.
+# Now when we go to build that downstream derivation, Nix will try to
+# copy our already-build `input2` to the remote store. That store object
+# is input-addressed, so this will fail.
 
 file=build-hook.nix
 prog=$(readlink -e ./nix-daemon-untrusting.sh)
 proto=ssh-ng
 
 expectStderr 1 source build-remote-trustless.sh \
-    | grepQuiet "you are not privileged to build input-addressed derivations"
+    | grepQuiet "cannot add path '[^ ]*' because it lacks a signature by a trusted key"

tests/build-remote-trustless-should-pass-2.sh

@@ -0,0 +1,13 @@
+source common.sh
+
+enableFeatures "daemon-trust-override"
+
+restartDaemon
+
+# Remote doesn't trust us
+file=build-hook.nix
+prog=$(readlink -e ./nix-daemon-untrusting.sh)
+proto=ssh-ng
+
+source build-remote-trustless.sh
+source build-remote-trustless-after.sh

tests/local.mk

@@ -72,6 +72,7 @@ nix_tests = \
   build-remote-content-addressed-floating.sh \
   build-remote-trustless-should-pass-0.sh \
   build-remote-trustless-should-pass-1.sh \
+  build-remote-trustless-should-pass-2.sh \
   build-remote-trustless-should-pass-3.sh \
   build-remote-trustless-should-fail-0.sh \
   nar-access.sh \