This repository aims to provide a set of tools for building a hash collection mechanism for Nix. A hash collection infrastructure collects build outputs from different trusted builders and compares them against each other.
This project is composed of two parts:
- A post-build hook: a program that runs after each Nix build and reports the hashes of that build's outputs
- A server that aggregates the reported hashes
Set up your keys with:
nix key generate-secret --key-name username-hash-collection > secret.key
Hash reports are only accepted from trusted users, who are identified via a token.
To generate a token run ./create_user "username"
Run the server with uvicorn web:app --reload
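The token check the server has to perform on every report is an easy place to get wrong, so here is an added example of how it can be done, written for this README and not taken from the project's web.py or create_user. It assumes a user table that stores only a SHA-256 digest of each issued token (a hypothetical layout; the example users and tokens are constructed) and shows the two details that matter: the header is parsed strictly, and the digest comparison is constant-time and does not return early, so response timing reveals neither the token bytes nor which usernames exist.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed user table for the example: username -> SHA-256 hex digest of
# the token handed to that user. The plaintext token is never stored server
# side (hypothetical layout, not the project's own create_user format).
USER_TOKEN_DIGESTS = {
    "alice": hashlib.sha256(b"example-token-alice").hexdigest(),
    "bob": hashlib.sha256(b"example-token-bob").hexdigest(),
}


def issue_token() -> str:
    """Return a fresh, URL-safe random token to hand to a new trusted user."""
    return secrets.token_urlsafe(32)


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Extract the token from an 'Authorization: Bearer <token>' header value.

    Returns None for a missing or malformed header instead of raising, so the
    caller can answer every failure with the same 401 response.
    """
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token or " " in token:
        return None
    return token


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Map an Authorization header to a username, or None if not trusted.

    The presented token is hashed and compared against every stored digest
    with hmac.compare_digest, so the comparison time does not depend on
    where the first differing byte is.
    """
    token = parse_bearer(authorization)
    if token is None:
        return None
    presented = hashlib.sha256(token.encode()).hexdigest()
    matched = None
    for username, digest in USER_TOKEN_DIGESTS.items():
        # Check every entry without an early return so the time taken does
        # not reveal which usernames exist.
        if hmac.compare_digest(presented, digest):
            matched = username
    return matched


if __name__ == "__main__":
    print(authenticate("Bearer example-token-alice"))  # alice
    print(authenticate("Bearer wrong"))                # None
    print(authenticate(None))                          # None
```

In a FastAPI or Starlette app the `authenticate` function would be called from a dependency that reads the `Authorization` header and raises a 401 on `None`; the user table lookup is kept as a plain dict here so the example runs without a database.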
services.hash-collection = {
  enable = true;
  collection-url = "server url";
  tokenFile = "/token/path";
  secretKeyFile = "/secret/key/path";
};
At the time of writing only reports on run-time closures are supported. Reporting is experimental and still expected to evolve, change, and grow support for build-time closures as well.
You define a report by uploading a JSON CycloneDX SBOM as produced by nix-runtime-tree-to-sbom:
$ nix-store -q --tree $(nix-build '<nixpkgs/nixos/release-combined.nix>' -A nixos.iso_gnome.x86_64-linux) > tree.txt
$ cat tree.txt | ~/dev/nix-runtime-tree-to-sbom/tree-to-cyclonedx.py > sbom.cdx.json
$ export HASH_COLLECTION_TOKEN=XYX # your token
$ curl -X PUT --data @sbom.cdx.json "http://localhost:8000/reports/gnome-iso-runtime" -H "Content-Type: application/json" -H "Authorization: Bearer $HASH_COLLECTION_TOKEN"
If you want to populate the report with hashes from different builders (e.g. from cache.nixos.org and from your own rebuilds), use separate tokens for the different sources.
$ nix shell .#utils
$ export HASH_COLLECTION_TOKEN=XYX # your token for the cache.nixos.org import
$ ./fetch-from-cache.sh
This script is still very much WIP, and will enter an infinite loop retrying failed fetches.
Make sure you have the post-build hook and diff hook configured as documented above.
TODO you have to make sure all derivations are available for building on your system - is there a smart way to do that?
$ export HASH_COLLECTION_TOKEN=XYX # your token for the cache.nixos.org import
$ ./rebuilder.sh
This script is still very much WIP, and will enter an infinite loop retrying failed fetches. You can run multiple rebuilders in parallel.
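Once reports from two sources (for example the cache.nixos.org import and a local rebuild, uploaded under separate tokens as described above) are in the server, the useful work is parsing the uploaded CycloneDX documents and comparing the hashes per store path. The following is an added example of both steps, written for this README and not the project's own server code. The `bomFormat`, `components` and `hashes` keys follow the CycloneDX JSON schema; that each component's `name` is a Nix store path carrying one `SHA-256` hash is an assumption about what nix-runtime-tree-to-sbom emits, and the two reports below are constructed.

```python
import json
from typing import Dict

# Two constructed CycloneDX reports for the same runtime closure: one tagged as
# a binary cache import, one as a local rebuild. Store paths and hashes are
# made up; only the bomFormat/components/hashes keys follow the CycloneDX
# JSON schema, and "name is a store path" is an assumption about the SBOM tool.
CACHE_REPORT = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "application", "name": "/nix/store/aaaa-hello-2.12",
         "hashes": [{"alg": "SHA-256", "content": "11" * 32}]},
        {"type": "library", "name": "/nix/store/bbbb-glibc-2.38",
         "hashes": [{"alg": "SHA-256", "content": "22" * 32}]},
        {"type": "library", "name": "/nix/store/cccc-openssl-3.0",
         "hashes": [{"alg": "SHA-256", "content": "33" * 32}]},
    ],
})
REBUILD_REPORT = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "application", "name": "/nix/store/aaaa-hello-2.12",
         "hashes": [{"alg": "SHA-256", "content": "11" * 32}]},
        # Same store path, different content: a build that did not reproduce.
        {"type": "library", "name": "/nix/store/bbbb-glibc-2.38",
         "hashes": [{"alg": "SHA-256", "content": "ee" * 32}]},
        # openssl was not rebuilt, so this source says nothing about it.
    ],
})


def sbom_hashes(sbom_json: str) -> Dict[str, str]:
    """Return {store_path: sha256_hex} for every component of a CycloneDX SBOM.

    Rejects non-CycloneDX documents, components without exactly one SHA-256
    hash, hash values that are not 64 hex digits, and a report that lists the
    same path twice with different hashes: a server that stores arbitrary
    strings as hashes cannot compare them meaningfully later.
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out: Dict[str, str] = {}
    for comp in doc.get("components", []):
        name = comp.get("name")
        if not isinstance(name, str) or not name.startswith("/nix/store/"):
            raise ValueError(f"component name is not a store path: {name!r}")
        sha = [h.get("content", "") for h in comp.get("hashes", [])
               if h.get("alg") == "SHA-256"]
        if len(sha) != 1:
            raise ValueError(f"{name}: expected exactly one SHA-256 hash")
        digest = sha[0].lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"{name}: malformed SHA-256 value")
        if name in out and out[name] != digest:
            raise ValueError(f"{name}: contradicting hashes inside one report")
        out[name] = digest
    return out


def is_valid_sbom(sbom_json: str) -> bool:
    """True if sbom_hashes() accepts the document, False otherwise."""
    try:
        sbom_hashes(sbom_json)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def compare_sources(reports: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Classify every store path seen in any source.

    'reproduced'  - two or more sources reported it and all agree
    'mismatch'    - at least two sources reported different hashes
    'unverified'  - only one source has reported the path so far
    """
    paths = set()
    for hashes in reports.values():
        paths.update(hashes)
    verdicts: Dict[str, str] = {}
    for path in sorted(paths):
        seen = {src: h[path] for src, h in reports.items() if path in h}
        if len(set(seen.values())) > 1:
            verdicts[path] = "mismatch"
        elif len(seen) > 1:
            verdicts[path] = "reproduced"
        else:
            verdicts[path] = "unverified"
    return verdicts


def verdict_for_reports(named_reports: Dict[str, str]) -> Dict[str, str]:
    """Parse one SBOM per source name, then compare them."""
    return compare_sources({src: sbom_hashes(s) for src, s in named_reports.items()})


if __name__ == "__main__":
    verdicts = verdict_for_reports(
        {"cache.nixos.org": CACHE_REPORT, "local-rebuild": REBUILD_REPORT}
    )
    for path, verdict in verdicts.items():
        print(f"{verdict:11} {path}")
```

The three verdicts map directly onto what a hash collection is for: a `mismatch` on a path is the signal worth investigating (either a non-reproducible build or a builder that should not be trusted), while `unverified` paths show where a second builder still needs to submit a report.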
- nix-reproducible-builds-report aka r13y, which generates the reports at https://reproducible.nixos.org. Ideally the reporting feature can eventually replace the reports there.
- rebuilderd provides distribution-agnostic container-based rebuild infrastructure. There is some preliminary Nix support but it is geared towards 'packages' rather than 'derivations' and that data model mismatch is somewhat awkward.
- trustix has somewhat similar goals, but is more ambitious: nix-hash-collection only aims for something simple in the short term, basically CRUD collection of hashes and some simple scripts around it. trustix has a more elaborate design with multiple transparency logs that are self-hosted by the attesters, and aims to support more advanced use cases, such as showing the aggregating system is not 'lying by omission' and perhaps showing that submitters aren't providing contradicting statements.