| 26 Feb 2024 |
 tomberek | "nix path-info --json" can show you the signatures. How are you signing the packages right now in Hydra? | 11:32:49 |
 martiert | I just set nix.extraOptions = "secret-key-files ...";, which as far as I understood should be what hydra uses when we just the the local store? | 12:07:45 |
| martiert | or am I completely misunderstanding this part? | 12:21:59 |
| martiert | hmmm.. Guess I have missunderstood, as stuff is not signed | 12:23:22 |
| tomberek | That would apply only for built paths (not substituted) and local (not remote builders). You may be looking for the hydra store_uri option with a query parameter to specify the key. | 12:33:44 |
| martiert | ack, thanks. I'll look at that | 13:04:03 |
| martiert | is it valid to say store_uri = file:///nix/store?secret-key=/my/secret/key? | 13:07:10 |
| tomberek | Yes, but if memory serves, you may want "local?secret-key..." so that it talks to the daemon. | 18:04:49 |
| martiert | store_uri = "local?secret-key=..." gives me error: don't know how to open Nix store | 18:15:38 |
| martiert | should it be localhost, or maybe s3://localhost ? | 18:15:56 |
| martiert | think I found it out. Needs to be store_uri = daemon?secret_key=... And without quoting the URI like I did | 18:29:33 |
| tomberek | There we go. Possible that "auto" can work. | 18:36:44 |
| tomberek | The idea is that that store setting should ensure the packages are all signed as they are created. | 18:37:17 |
| martiert | yeah, so packages already created would not be signed then? And I would potentially need to manually sign them? | 18:37:56 |
| martiert | hmmm... for some reason it's still failing to verify. I tried manually signing a package, and I see it is signed, but not with a key in the trusted-public-keys, though my key is in there. | 18:39:57 |
| martiert | I made the key with nix key generate-secret --key-name hydra.localdomain > secret_keyfile, and the public key using cat secret_keyfile | nix key convert-secret-to-public | 18:44:31 |
| martiert | though I generated them on another machine, and put them on the hydra server using agenix, but that shouldn't matter I think | 18:45:07 |
| martiert | hmmm... I do see it's signed if I query the path directly on the hydra server, but there is no signature if I do curl http://hydra.localdomain/<somehash>.narinfo Can I do anything to retroactively sign a store path? | 18:58:24 |
| tomberek | Yes, nix store sign can help you here. There are some UX issues with signing. I wrote some of that down here: https://github.com/NixOS/nix/issues/6960#issuecomment-1383352182 | 19:01:17 |
| martiert | I did try nix store sign --recursive --key-file /run/agenix/my_keyfile /nix/store/<hash>-linux-6.7.3, which is signed if I check it locally, but not if I try to query it from remote. So I guess I should use nix copy --to "daemon?secret-key=/run/agenix/my_keyfile"(?) but that looks for a flake.nix | 19:09:56 |
| martiert | which fails due to the secret-key option not being recognized. | 19:36:45 |
| martiert | Guess the easiest is to just wait for the next update that runs the builds again and just let hydra fix it for me :) | 19:47:52 |
 K900 | https://github.com/NixOS/hydra/pull/1364 should be good to merge now | 19:49:32 |
 raitobezarius | I mentioned to the governance channel that I'd like to discuss sunsetting/archiving the Hydra repository of nixos/ in https://matrix.to/#/!VyoUhyWvlhSpFWWxHL:matrix.org/$u9xOox5KLllPqyj72dwxUniBCoB5ejRSj0IqeSYSsPI?via=nixos.org&via=matrix.org&via=hufschmitt.net which is of interest to this channel | 20:19:31 |
| 28 Feb 2024 |
| martiert | I'm still not getting the hydra built packages signed. My definition for the hydra worker can be found in: https://github.com/martiert/nixos-config/blob/main/hosts/mattrim/default.nix are anyone able to see why it's not getting signed? | 08:11:09 |
| martiert | I see nothing is signed regardless if I run nix path-info --json or curl https://hydra.localdomain/outputhash.narinfo | 08:13:45 |
|  @/yvan:matrix.org left the room. | 15:45:47 |
| 29 Feb 2024 |
| tomberek | Would people be interested in a "Hydra Users call"? A chance to give voice to people using Hydra and to collaborate with each other? | 00:31:09 |
 Rick (Mindavi) | I would like to join such a call | 17:40:27 |
| K900 | In reply to@k900:0upti.me
https://github.com/NixOS/hydra/pull/1364 should be good to merge now Bump, btwq | 17:57:43 |
