Generate and use signing keys automatically #3023

@lheckemann

Description

Background

For the sake of building stuff faster, I often use remote builds in a bit of a nonstandard way, e.g.:

$ nix-build --store ssh-ng://lugn
$ nix copy -f . '' --from ssh-ng://lugn

This allows building remotely without copying the whole dependency graph to my laptop. However:

warning: substituter 'ssh-ng://lugn' does not have a valid signature for path '/nix/store/40sd21158yhpjj3lfrmd98xhpiaryrax-nixos-mobile_xiaomi-tissot_boot.img-aarch64-unknown-linux-gnu'
warning: substituter 'ssh-ng://lugn' does not have a valid signature for path '/nix/store/ahfckgq2idpjmg79w6p9k841zakxf49r-initrd-xiaomi-tissot'
warning: substituter 'ssh-ng://lugn' does not have a valid signature for path '/nix/store/bsglymjabrxmhkw13xj503jw39rcam3l-linux-3.18.71-aarch64-unknown-linux-gnu'
warning: substituter 'ssh-ng://lugn' does not have a valid signature for path '/nix/store/8n7y802dmjhpggbss5xb8jcyyzd9nrpy-stdenv-linux'
warning: substituter 'ssh-ng://lugn' does not have a valid signature for path '/nix/store/zxng7pndc5rw4k5sqknhapaplvin9lk9-aarch64-unknown-linux-gnu-stage-final-gcc-debug-wrapper-6.5.0'
[...]

⇒ my laptop will start building everything itself. I'd also prefer not to use the blanket --no-require-sigs option.

Suggestion

If no secret-key-files are specified in the nix config, the option should default to /etc/nix/secret-key, and this file should be generated automatically along with /etc/nix/public-key if it doesn't exist, using the machine's hostname as a key name. This makes it easier to track where builds come from when using nix copy or remote builds, and allows using nix copy without --no-require-sigs.

This allows me:

  • to copy paths from individual machines without setting them up to sign builds manually and without using --no-require-sigs
  • later on, to track down paths to where they were built after they have been copied around between multiple machines.
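As an added illustration (not Nix's code and not from the issue author), here is a Go sketch of the scheme the suggestion would automate: an Ed25519 key pair in Nix's `name:base64` layout named after the machine (`lugn` is assumed as the hostname), a signature over the store path's narinfo fingerprint, and verification that reports the signer's name, which is what makes tracing a copied path back to the machine that built it possible. The fingerprint and key layouts follow Nix's narinfo signature format; the paths, hash and size used with it are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Fingerprint is the string Nix signs: "1;<path>;<narHash>;<narSize>;<refs>".
func Fingerprint(path, narHash string, narSize uint64, refs []string) string {
	return fmt.Sprintf("1;%s;%s;%d;%s", path, narHash, narSize, strings.Join(refs, ","))
}

// GenerateKeyPair returns "name:base64" keys in the layout nix-store --generate-binary-cache-key writes.
func GenerateKeyPair(name string) (secret, public string) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable CSPRNG; refusing to produce a key is the only safe option
	}
	enc := base64.StdEncoding.EncodeToString
	return name + ":" + enc(sk), name + ":" + enc(pk)
}

// splitKey separates the name prefix from the base64 payload of a key or signature.
func splitKey(k string) (string, []byte, error) {
	name, b64, _ := strings.Cut(k, ":")
	raw, err := base64.StdEncoding.DecodeString(b64)
	return name, raw, err
}

// Sign produces the narinfo "Sig: name:base64(sig)" value over fp.
func Sign(secretKey, fp string) (string, error) {
	name, sk, err := splitKey(secretKey)
	if err != nil || len(sk) != ed25519.PrivateKeySize {
		return "", errors.New("secret key is not a 64-byte ed25519 key")
	}
	return name + ":" + base64.StdEncoding.EncodeToString(ed25519.Sign(ed25519.PrivateKey(sk), []byte(fp))), nil
}

// Verify accepts sig only if the trusted key with the same name validates it and returns that name.
func Verify(publicKey, sig, fp string) (string, error) {
	name, pk, err := splitKey(publicKey)
	sigName, raw, err2 := splitKey(sig)
	if err != nil || err2 != nil || name != sigName || len(pk) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(pk), []byte(fp), raw) {
		return "", errors.New("path has no valid signature from the trusted key")
	}
	return name, nil
}
```

With the secret key listed in `secret-key-files` on the builder and the public key in `trusted-public-keys` on the laptop, the warnings above disappear because the path carries a signature the laptop can check.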

Labels

  • UX: The way in which users interact with Nix. Higher level than UI.
  • feature: Feature request or proposal
  • remote build: The SSH store, ssh:, ssh-ng:, ... (split from protocol label 2024-07)