Unsigned derivations uploaded to S3 #6960

@JackKelly-Bellroy

Description

Describe the bug

On Nix 2.9.2 when signing/uploading store paths in CI using post-build-hook as suggested by the manual, unsigned derivations get uploaded to S3.

Steps To Reproduce

  1. Set up a post-build-hook as per the manual:

     ```sh
     #!/bin/sh

     set -eu
     set -f # disable globbing
     export IFS=' '

     # Nix sets $OUT_PATHS to the space-separated output paths of the build
     echo "Signing paths" $OUT_PATHS
     $(which nix) store sign --key-file /etc/nix/bellroy-nix-cache.private $OUT_PATHS
     echo "Uploading paths" $OUT_PATHS
     exec $(which nix) copy --to 's3://bellroy-nix-cache' $OUT_PATHS
     ```

  2. Build a bunch of stuff
  3. On a machine with a fresh store (e.g., new CI instance, `nix store gc`, ...),
  4. See a lot of `warning: the substitute for '/nix/store/whatever' from 's3://cache-bucket' is not signed by any of the keys in 'trusted-public-keys'`

Expected behavior

All derivations uploaded to S3 are signed. I have confirmed that some of the derivations that make it to S3 are unsigned by using `nix path-info --json --sigs --store s3://cache-bucket /nix/store/whatever | jq`.

Additional context

Nix 2.7 seems to work fine; Nix 2.8 was affected by #6446 which passed no paths at all to the post build hook. I suspect that leaves might be getting signed but not intermediate derivations; I'm not sure how to verify this. Should I be passing `-r` to `nix store sign`? I can see little difference in how `nix store sign` is implemented between versions 2.7.0 and 2.9.2.

This makes me suspect the way the post-build-hook is invoked. On Nix 2.7.0:

```cpp
StorePathSet outputPaths;
for (auto & [_, path] : finalOutputs)
    outputPaths.insert(path);
runPostBuildHook(
    worker.store,
    *logger,
    drvPath,
    outputPaths
);
```

On Nix 2.9.2:

```cpp
/* Compute the FS closure of the outputs and register them as
   being valid. */
auto builtOutputs = registerOutputs();
StorePathSet outputPaths;
for (auto & [_, output] : builtOutputs)
    outputPaths.insert(output.outPath);
runPostBuildHook(
    worker.store,
    *logger,
    drvPath,
    outputPaths
);
```

But I don't know enough about Nix internals to know whether or not it's safe to go back to using `finalOutputs` here.
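To check which paths in a bucket actually lack a trusted signature, and whether they are roots or dependencies of other uploaded paths (the leaf vs. intermediate question raised above), here is an added Python checker that is not part of this issue or of Nix. It reads saved `nix path-info --json --sigs --store s3://... -r <path>` output and the key names from `trusted-public-keys`; the JSON array shape Nix 2.9 prints is assumed (a path-keyed object is also accepted), and the sample data below is constructed.

```python
import json
from typing import Dict, Set

# Constructed sample in the shape `nix path-info --json --sigs` prints on
# Nix 2.9 (an array of entries). Signatures are "keyname:base64sig" strings;
# libfoo is deliberately unsigned to stand in for an unsigned intermediate.
SAMPLE_PATH_INFO = json.dumps([
    {"path": "/nix/store/aaaa-app-1.0", "narHash": "sha256:0", "narSize": 1,
     "references": ["/nix/store/bbbb-libfoo-2.3", "/nix/store/cccc-glibc-2.35"],
     "signatures": ["bellroy-nix-cache-1:c2lnMQ=="]},
    {"path": "/nix/store/bbbb-libfoo-2.3", "narHash": "sha256:0", "narSize": 1,
     "references": ["/nix/store/cccc-glibc-2.35"],
     "signatures": []},
    {"path": "/nix/store/cccc-glibc-2.35", "narHash": "sha256:0", "narSize": 1,
     "references": ["/nix/store/cccc-glibc-2.35"],
     "signatures": ["cache.nixos.org-1:c2lnMg=="]},
])

def load_path_info(text: str) -> Dict[str, dict]:
    """Normalise path-info JSON (array, or an object keyed by store path as
    newer releases emit; assumption) to {path: entry}."""
    data = json.loads(text)
    if isinstance(data, list):
        return {e["path"]: e for e in data}
    return {p: dict(e, path=p) for p, e in data.items()}

def trusted_signers(entry: dict, trusted_keys: Set[str]) -> Set[str]:
    """Names of trusted keys that signed this entry. The key name is the part
    before the first ':' of each "name:sig" string, matching the name part of
    a trusted-public-keys entry."""
    return {s.split(":", 1)[0] for s in entry.get("signatures", [])} & trusted_keys

def unsigned_paths(text: str, trusted_keys: Set[str]) -> Dict[str, bool]:
    """Return {path: is_dependency} for every path with no trusted signature.
    is_dependency is True when some other path in the set references it, i.e.
    it is an intermediate rather than a root the hook would have seen in
    $OUT_PATHS. Self-references are ignored."""
    info = load_path_info(text)
    referenced = {r for e in info.values() for r in e.get("references", [])
                  if r in info and r != e["path"]}
    return {p: p in referenced for p, e in info.items()
            if not trusted_signers(e, trusted_keys)}

if __name__ == "__main__":
    trusted = {"bellroy-nix-cache-1", "cache.nixos.org-1"}
    for path, is_dep in unsigned_paths(SAMPLE_PATH_INFO, trusted).items():
        print(f"unsigned: {path} ({'dependency' if is_dep else 'root'})")
```

Feed it real output with `nix path-info --json --sigs --store s3://cache-bucket -r /nix/store/whatever > info.json` and pass the file contents to `unsigned_paths`; a result with only dependencies flagged would support the hypothesis that roots are signed but their closure is not.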
