DeterminateSystems/magic-nix-cache-action

[err] Lacks a signature by a trusted key

Closed this issue · 2 comments

Hi people, thanks for this great action. I'm having an issue out of the blue, not sure how to proceed. The cache action has been working perfectly and today started throwing a lacks a signature. I couldn't find any comment or issue related, is there anything I can do to fix it?

This is the highlight from the logs:

error: cannot add path '/nix/store/s2f1sqfsdi4pmh23nfnrh42v17zsvi5y-libunistring-1.1' because it lacks a signature by a trusted key

My action looks like this:

      - uses: DeterminateSystems/nix-installer-action@main
        with:
          extra-conf: |
            trusted-users = root ${{ github.actor }}
            substituters = root ${{ github.actor }} https://cache.nixos.org
            sandbox = relaxed
      - uses: DeterminateSystems/magic-nix-cache-action@main

Action log

2024-03-09T06:06:29.2682055Z ##[group]Run DeterminateSystems/magic-nix-cache-action@main
2024-03-09T06:06:29.2682636Z with:
2024-03-09T06:06:29.2682931Z   use-gha-cache: true
2024-03-09T06:06:29.2683300Z   listen: 127.0.0.1:37515
2024-03-09T06:06:29.2683726Z   upstream-cache: https://cache.nixos.org
2024-03-09T06:06:29.2684526Z   diagnostic-endpoint: https://install.determinate.systems/magic-nix-cache/perf
2024-03-09T06:06:29.2685280Z   use-flakehub: true
2024-03-09T06:06:29.2685891Z   flakehub-cache-server: https://cache.flakehub.com
2024-03-09T06:06:29.2686543Z   flakehub-api-server: https://api.flakehub.com
2024-03-09T06:06:29.2687356Z   flakehub-flake-name: <redacted>
2024-03-09T06:06:29.2687924Z   startup-notification-port: 41239
2024-03-09T06:06:29.2688356Z env:
2024-03-09T06:06:29.2688639Z   REGISTRY: ghcr.io
2024-03-09T06:06:29.2690769Z   DETERMINATE_NIX_KVM: 0
2024-03-09T06:06:29.2691141Z ##[endgroup]
2024-03-09T06:06:29.3692589Z Fetching the Magic Nix Cache from https://install.determinate.systems/magic-nix-cache-closure/stable/X64-Linux
2024-03-09T06:06:30.0065368Z got an exception:
2024-03-09T06:06:30.0066904Z Error: Command failed: curl -L "https://install.determinate.systems/magic-nix-cache-closure/stable/X64-Linux" | xz -d | nix-store --import
2024-03-09T06:06:30.0068318Z   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
2024-03-09T06:06:30.0069115Z                                  Dload  Upload   Total   Spent    Left  Speed
2024-03-09T06:06:30.0069570Z 
2024-03-09T06:06:30.0069911Z   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
2024-03-09T06:06:30.0070775Z   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
2024-03-09T06:06:30.0072207Z error: cannot add path '/nix/store/s2f1sqfsdi4pmh23nfnrh42v17zsvi5y-libunistring-1.1' because it lacks a signature by a trusted key
2024-03-09T06:06:30.0073228Z 
2024-03-09T06:06:30.0073621Z   2 23.2M    2  508k    0     0   821k      0  0:00:29 --:--:--  0:00:29  821k
2024-03-09T06:06:30.0074324Z curl: (23) Failure writing output to destination
2024-03-09T06:06:30.0074722Z 
2024-03-09T06:06:30.0113855Z ##[error]Command failed: curl -L "https://install.determinate.systems/magic-nix-cache-closure/stable/X64-Linux" | xz -d | nix-store --import
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
error: cannot add path '/nix/store/s2f1sqfsdi4pmh23nfnrh42v17zsvi5y-libunistring-1.1' because it lacks a signature by a trusted key

  2 23.2M    2  508k    0     0   821k      0  0:00:29 --:--:--  0:00:29  821k
curl: (23) Failure writing output to destination

2024-03-09T06:06:30.0126158Z node:internal/errors:866
2024-03-09T06:06:30.0126615Z   const err = new Error(message);
2024-03-09T06:06:30.0127046Z               ^
2024-03-09T06:06:30.0127258Z 
2024-03-09T06:06:30.0128382Z Error: Command failed: curl -L "https://install.determinate.systems/magic-nix-cache-closure/stable/X64-Linux" | xz -d | nix-store --import
2024-03-09T06:06:30.0129765Z   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
2024-03-09T06:06:30.0130567Z                                  Dload  Upload   Total   Spent    Left  Speed
2024-03-09T06:06:30.0131008Z 
2024-03-09T06:06:30.0131346Z   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
2024-03-09T06:06:30.0132115Z   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
2024-03-09T06:06:30.0133510Z error: cannot add path '/nix/store/s2f1sqfsdi4pmh23nfnrh42v17zsvi5y-libunistring-1.1' because it lacks a signature by a trusted key
2024-03-09T06:06:30.0134884Z 
2024-03-09T06:06:30.0135290Z   2 23.2M    2  508k    0     0   821k      0  0:00:29 --:--:--  0:00:29  821k
2024-03-09T06:06:30.0136000Z curl: (23) Failure writing output to destination
2024-03-09T06:06:30.0136398Z 
2024-03-09T06:06:30.0136687Z     at ChildProcess.exithandler (node:child_process:422:12)
2024-03-09T06:06:30.0137344Z     at ChildProcess.emit (node:events:514:28)
2024-03-09T06:06:30.0137938Z     at maybeClose (node:internal/child_process:1105:16)
2024-03-09T06:06:30.0138698Z     at ChildProcess._handle.onexit (node:internal/child_process:305:5) {
2024-03-09T06:06:30.0139354Z   code: 1,
2024-03-09T06:06:30.0139642Z   killed: false,
2024-03-09T06:06:30.0139969Z   signal: null,
2024-03-09T06:06:30.0141041Z   cmd: 'curl -L "https://install.determinate.systems/magic-nix-cache-closure/stable/X64-Linux" | xz -d | nix-store --import',
2024-03-09T06:06:30.0142101Z   stdout: '',
2024-03-09T06:06:30.0142842Z   stderr: '  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n' +
2024-03-09T06:06:30.0144002Z     '                                 Dload  Upload   Total   Spent    Left  Speed\n' +
2024-03-09T06:06:30.0145102Z     '\r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0\r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0\n' +
2024-03-09T06:06:30.0146767Z     "error: cannot add path '/nix/store/s2f1sqfsdi4pmh23nfnrh42v17zsvi5y-libunistring-1.1' because it lacks a signature by a trusted key\n" +
2024-03-09T06:06:30.0148247Z     '\r  2 23.2M    2  508k    0     0   821k      0  0:00:29 --:--:--  0:00:29  821k\n' +
2024-03-09T06:06:30.0149081Z     'curl: (23) Failure writing output to destination\n'
2024-03-09T06:06:30.0253744Z }
2024-03-09T06:06:30.0253926Z 
2024-03-09T06:06:30.0254044Z Node.js v20.8.1

Thanks!

Hi @woile, sorry for the delay. Try removing the line about the trusted users:

      - uses: DeterminateSystems/nix-installer-action@main
        with:
          extra-conf: |
            trusted-users = root ${{ github.actor }}            <-- this one

The Nix installer action automatically makes the GitHub runner user trusted by default. If that doesn't fix it, let me know.

By the way, I just merged #52 which makes the error less of an error if the runner isn't trusted.

Seems to be working again, thanks for the help 👍🏻 it's back to half the time it takes 💪🏻
I think I introduced the trusted-users, along with the sandbox = relaxed because it was the only way to build a nextjs app.
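
A pre-flight lint for the `extra-conf` block discussed in this thread, as an added example (not code from the action or from either commenter): it flags a `trusted-users` line that does not name the runner's OS account, and `substituters` entries that do not look like store URLs. The function names, the default account name `runner`, and the second sample config are assumptions made for illustration.

```python
import re

# Matches a GitHub Actions expression such as '${{ github.actor }}'.
EXPR = re.compile(r"\$\{\{.*?\}\}")
URL_KEYS = {"substituters", "extra-substituters", "trusted-substituters"}


def parse_conf(text):
    """Parse nix.conf-style 'key = value ...' lines into {key: [tokens]}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # Collapse the expression into one token so split() keeps it whole.
        value = EXPR.sub(lambda m: "".join(m.group(0).split()), value)
        settings[key] = value.split()
    return settings


def lint_extra_conf(text, runner_user="runner"):
    """Return (key, message) findings. runner_user is an assumed default:
    the OS account the job runs as on a GitHub-hosted Linux runner."""
    findings = []
    for key, entries in parse_conf(text).items():
        if key == "trusted-users":
            # ${{ github.actor }} expands to the login that triggered the
            # workflow, which is not the OS account that runs nix-store.
            # Heuristic: group entries (@group) are not resolved here.
            if runner_user not in entries and "*" not in entries:
                findings.append((key, f"does not name '{runner_user}'"))
        elif key in URL_KEYS:
            for entry in entries:
                # Heuristic: a substituter is a store URL or a path.
                if "://" not in entry and not entry.startswith("/"):
                    findings.append((key, f"'{entry}' is not a store URL"))
    return findings


# The extra-conf from the workflow in this issue.
ISSUE_CONF = """\
trusted-users = root ${{ github.actor }}
substituters = root ${{ github.actor }} https://cache.nixos.org
sandbox = relaxed
"""

# Constructed variant without the trusted-users line and with URL-only substituters.
CLEAN_CONF = "substituters = https://cache.nixos.org\nsandbox = relaxed\n"

if __name__ == "__main__":
    for key, message in lint_extra_conf(ISSUE_CONF):
        print(f"{key}: {message}")
```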