store URI: introduce multiple signatures support

Add a `secretKeyFiles` URI parameter in the store URIs receiving a coma-separated list of Nix signing keyfiles. For instance: nix copy --to "file:///tmp/store?secret-keys=/tmp/key1,/tmp/key2" \ "$(nix build --print-out-paths nixpkgs#hello)" The keys passed through this new store URI parameter are merged with the key specified in the `secretKeyFile` parameter, if any. We'd like to rotate the signing key for cache.nixos.org. To simplify the transition, we'd like to sign the new paths with two keys: the new one and the current one. With this, the cache can support nix configurations only trusting the new key and legacy configurations only trusting the current key. See https://github.com/NixOS/rfcs/pull/149 for more informations behind the motivation.
2025-06-25 06:31:14 +02:00 · 2025-04-08 17:41:38 +02:00 · 2025-04-08 17:41:38 +02:00 · e12369a68e
commit e12369a68e
parent e76bbe413e
3 changed files with 29 additions and 5 deletions
--- a/tests/functional/signing.sh
+++ b/tests/functional/signing.sh
@ -110,3 +110,13 @@ nix store verify --store "$TEST_ROOT"/store0 -r "$outPath2" --trusted-public-key

 # Content-addressed stuff can be copied without signatures.
 nix copy --to "$TEST_ROOT"/store0 "$outPathCA"
+
+# Test multiple signing keys
+nix copy --to "file://$TEST_ROOT/storemultisig?secret-keys=$TEST_ROOT/sk1,$TEST_ROOT/sk2" "$outPath"
+for file in "$TEST_ROOT/storemultisig/"*.narinfo; do
+    if [[ "$(grep -cE  '^Sig: cache[1,2]\.example.org' "$file")" -ne 2 ]]; then
+        echo "ERROR: Cannot find cache1.example.org and cache2.example.org signatures in ${file}"
+        cat "${file}"
+        exit 1
+    fi
+done