nix copy --to s3:// will copy unsigned paths to binary cache even if --no-check-sigs isn't used

[arianvp]

Describe the bug

nix copy --to s3:// seems to happily copy unsigned paths to a bucket. Which is very frustrating as that does not align with the docs of nix copy

Especially when you accidentally mis-type secret-key param. I did:

nix copy --to 's3://my-bucket?secret-key-file=my-secret-key-file' $(nix-build)

but secret-key-file should've been secret-key. Instead of failing to upload an unsigned path; nix copy silently copied over an unsigned path!

Steps To Reproduce

$ out=$(nix-build)
$ nix copy --to s3://my-bucket $out

Expected behavior

Nix should refuse copying unsigned store paths to an S3 bucket as --no-check-sigs has not been passed.

Metadata

Additional context

nix/src/libstore/binary-cache-store.cc

Line 131 in db7577a

ref<const ValidPathInfo> BinaryCacheStore::addToStoreCommon(

seems to completely ignore the checkSigs argument passed to the function? We should probably check something here

Checklist

• checked latest Nix manual (source)
• checked open bug issues and pull requests for possible duplicates

---

Add 👍 to issues you find important.

[arianvp]

For example, copying the same to a local chroot store does fail:

$ nix copy --to ./store $(nix-build)
error: cannot add path '/nix/store/f2zx202h8skav3zaq7ajrg5bnm1q54sq-hello' because it lacks a signature by a trusted key

Copying to a local binary cache has the same bug:

$ nix copy --to file:///tmp/store $(nix-build)

silently succeeds.

So the bug seems to be in binary-cache-store.cc

[arianvp]

Even more frustratingly; once you've copied; nix copy doesn't overwrite the narinfo file anymore.

So you can't just rerun nix store sign $out && nix copy --to s3:// out

Instead you have to do nix store sign --store s3 $out

[arianvp]

it's also very hard to recover from accidentally pushing unsigned paths as .narinfo content is cached by nix client-side.