[SOLVED] Cannot nixos-rebuild to remote system due to "because it lacks a signature by a trusted key"

When trying to run nixos-rebuild switch with a --target-host I get this error:

copying path '/nix/store/h1v5xdkmhgyggsfbm42q205svwvkiy6j-nginx.conf' to 'ssh://mercury2'...
error: cannot add path '/nix/store/h1v5xdkmhgyggsfbm42q205svwvkiy6j-nginx.conf' because it lacks a signature by a trusted key
error: unexpected end-of-file

Looking around the discourse/GitHub the recommended solution is to add myself to trusted-users in nix.conf, but I have done this and receive the same error.

You have to tell it to log in as a trusted user (e.g. --target-host root@machine), or configure a secret-key-files in /etc/nix.conf so that derivations are signed before being copied over (in which case the target host needs the public key in its trusted-public-keys).
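As an added example (not code from the thread), here is how the two options in the reply above look as NixOS options. This module goes in the target host's system configuration; the user name, key name and key path are assumed placeholders.

```nix
# Added example for the target host's configuration.nix (not from the thread).
# Option 1 trusts the deploying user; option 2 trusts a signing key instead.
{ config, pkgs, ... }:
{
  nix.settings = {
    # Option 1: let the deploying user push unsigned store paths.
    # A trusted user can import arbitrary store paths, which is effectively
    # root on this machine, so keep this list as short as possible.
    trusted-users = [ "root" "admin" ];   # "admin" is an assumed user name

    # Option 2: accept any path carrying a signature from the dev machine's key.
    # The value is the contents of the public key file produced by
    #   nix-store --generate-binary-cache-key devbox-1 devbox-1.sec devbox-1.pub
    # on the dev machine ("devbox-1" is an assumed key name).
    trusted-public-keys = [
      "devbox-1:REPLACE_WITH_CONTENTS_OF_devbox-1.pub"
    ];
  };
}
```

For option 2 the dev machine also sets `nix.settings.secret-key-files = [ "/etc/nix/devbox-1.sec" ];` (path assumed) so that paths it builds are signed; paths that were already in its store before the key was configured have no signature and can be signed afterwards with `nix store sign --key-file /etc/nix/devbox-1.sec --all`. Whether a given path is signed can be checked with `nix path-info --sigs /nix/store/...` before copying.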

Ah, it was because I needed to add my user to trusted users on the remote machine.

You should be aware that trusted users (at least on NixOS) have essentially password-less root access, because they can import and “repair” store paths with unsigned NARs.


As a newbie I need some advice. So I have to add the user to the /etc/nix.conf on the target system?

There is no /etc/nix.conf but /etc/nix/nix.conf which is read-only…

Yes, it’s /etc/nix/nix.conf, and yes, it’s read-only, because you’re meant to use the system config to configure it. See https://search.nixos.org/options?channel=24.11&from=0&size=50&sort=relevance&type=packages&query=nix.settings


Yeah, so I added nix.settings.trusted-users = [ "admin" ]; to /hosts/envy/default.nix and ran nixreb -us -h envy -r admin@10.0.0.11 but still get

(admin@10.0.0.11) Password: 
copying 1119 paths...
copying path '/nix/store/0r8gn45b89h5vwds757iq5h71i425wmz-unit--.slice' to 'ssh://admin@10.0.0.11'...
error: cannot add path '/nix/store/0r8gn45b89h5vwds757iq5h71i425wmz-unit--.slice' because it lacks a signature by a trusted key
error (ignored): error: writing to file: Broken pipe
error: unexpected end-of-file

My flake.nix looks like this

...
      envy = nixpkgs.lib.nixosSystem {
        specialArgs = { inherit inputs; };
        inherit system;
        modules = [
          ./configuration.nix
          ./hosts/envy # Include the results of the hardware scan.
          inputs.sops-nix.nixosModules.sops
        ];
      };
...

Ok, I have to add it on the target system, then update the system. Now I can run updates from my dev machine to the remote system.