RS256 support breaks config checking #184

Open
jzbor opened this issue Oct 8, 2024 · 5 comments
Comments

jzbor (Contributor) commented Oct 8, 2024

I am using the provided NixOS module together with the package from nixpkgs. Sadly #177 seems to have broken config checking for me. I checked 61ebdef and everything still works fine, so this seems to be some regression caused by the new RS256 code.

Error log:

warning: The interpretation of store paths arguments ending in `.drv` recently changed. If this command is now failing try again with '/nix/store/zpjp2b5m12ss499x8dy48zb1faf3z4i7-checked-attic-server.toml.drv^*'
api-endpoint = "https://*********/"
listen = "[::]:8080"

[chunking]
avg-size = 65536
max-size = 262144
min-size = 16384
nar-size-threshold = 65536

[database]
url = "sqlite:///var/lib/atticd/server.db?mode=rwc"

[garbage-collection]
default-retention-period = "3 months"
interval = "24 hours"

[storage]
path = "/var/lib/atticd/storage"
type = "local"
Attic Server 0.1.0 (release)
thread 'main' panicked at server/src/config.rs:245:10:
The HS256 secret must be specified in either token_hs256_secret or the ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 environment.: NotPresent
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

I am a little confused, as the module itself did not change and I am using the package from nixpkgs/nixos-24.05. The issue might stem from ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64 being exported while ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 is expected:

export ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64="$(${pkgs.openssl}/bin/openssl genrsa -traditional 4096 | ${pkgs.coreutils}/bin/base64 -w0)"

jzbor (Contributor, Author) commented Oct 8, 2024

Oh I assumed RS256 was now supported in addition to HS256. It seems like this is not the case, so feel free to close the issue if this is expected behavior.

jzbor (Contributor, Author) commented Oct 8, 2024

In this case however I would be interested what the migration path for old setups using environment variables for secret configuration is. It does not seem to be outlined in #177 .

zhaofengli (Owner) commented Oct 8, 2024

Oh I assumed RS256 was now supported in addition to HS256. It seems like this is not the case, so feel free to close the issue if this is expected behavior.

HS256 is still supported, and it's not expected behavior.

The HS256 secret must be specified in either token_hs256_secret or the ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 environment.: NotPresent
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Make sure you are actually using the newer version of Attic with the new module. This error message was removed in #177.


Edit: Ah I missed

I am using the provided NixOS module together with the package from nixpkgs.

This doesn't work because the nixpkgs version hasn't been bumped to support RS256. In general, we don't want to support mixing the versions like this, but I opened #185 for this specific case since setting a hardcoded HS256 secret for the config check seems nicer than generating an RS256 keypair every time.
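The thread boils down to a contract between the NixOS module and the binary it runs during the config check: the module exports ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64, the older nixpkgs binary only looks for ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64, and the loader panics with NotPresent. The following is an added example, not code from the Attic project or from anyone in this thread. It models the two loader behaviours as plain Python functions (the HS256-only loader reproduces the error text quoted above; the either-algorithm loader is an assumption about post-#177 behaviour, not taken from Attic's source), and it shows what the HS256 secret is actually used for by minting and verifying an HS256 JWT with the decoded secret. Attic's real token format is not described on this page, so the JWT functions, the claim names, the helper names, and the constructed environments are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import os

HS256_ENV = "ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64"
RS256_ENV = "ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64"


class NotPresent(Exception):
    """Models the NotPresent error seen in the panic on the page."""


def make_hs256_secret_b64() -> str:
    """Generate a fresh 256-bit HMAC secret, base64-encoded as the env var expects."""
    return base64.b64encode(os.urandom(32)).decode()


def load_hs256_secret(env: dict) -> tuple:
    """Model of the older (HS256-only) loader: the RS256 variable does not satisfy it."""
    raw = env.get(HS256_ENV)
    if raw is None:
        raise NotPresent("The HS256 secret must be specified in either token_hs256_secret "
                         f"or the {HS256_ENV} environment.")
    return ("HS256", base64.b64decode(raw, validate=True))


def load_signing_config(env: dict) -> tuple:
    """Assumed model of a loader that accepts either algorithm (not Attic's actual code)."""
    if HS256_ENV in env:
        return ("HS256", base64.b64decode(env[HS256_ENV], validate=True))
    if RS256_ENV in env:
        return ("RS256", base64.b64decode(env[RS256_ENV], validate=True))
    raise NotPresent(f"neither {HS256_ENV} nor {RS256_ENV} is set")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_with_header(secret: bytes, claims: dict, header: dict) -> str:
    """HMAC-SHA256 over header.payload; header is caller-supplied so tests can forge 'alg'."""
    h = _b64url(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"


def mint_hs256(secret: bytes, claims: dict) -> str:
    return mint_with_header(secret, claims, {"alg": "HS256", "typ": "JWT"})


def verify_hs256(secret: bytes, token: str, now: int) -> dict:
    """Verify an HS256 token. The algorithm is pinned: a token whose header claims
    RS256 (or 'none') is rejected before the HMAC is even compared."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def reproduce_issue() -> dict:
    """Constructed environments for the combinations discussed in the thread.
    The RSA PEM body is a placeholder, not a real key; the loaders only base64-decode it."""
    rsa_b64 = base64.b64encode(b"-----BEGIN RSA PRIVATE KEY-----\n"
                               b"constructed placeholder\n"
                               b"-----END RSA PRIVATE KEY-----\n").decode()
    new_module_env = {RS256_ENV: rsa_b64}              # what the new module exports
    old_module_env = {HS256_ENV: make_hs256_secret_b64()}
    cases = [
        ("old binary + new module", load_hs256_secret, new_module_env),
        ("old binary + old module", load_hs256_secret, old_module_env),
        ("new binary + new module", load_signing_config, new_module_env),
    ]
    outcomes = {}
    for name, loader, env in cases:
        try:
            outcomes[name] = loader(env)[0]
        except NotPresent:
            outcomes[name] = "NotPresent"
    return outcomes


if __name__ == "__main__":
    print(reproduce_issue())
```

The "old binary + new module" case is the reporter's situation and yields NotPresent; the other two load a key. The alg pinning in verify_hs256 is the caveat worth carrying into any server that supports both HS256 and RS256: the verifier must select the key by the configured algorithm, never by the algorithm a client-supplied token header claims.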

jzbor (Contributor, Author) commented Oct 8, 2024

In general, we don't want to support mixing the versions like this

Yeah this is what I thought and I am completely fine with that. I understand supporting multiple versions in the module can be a PITA and just pinning the module in cases like this works for me. Thanks for looking into it anyway!

adamcstephens commented

I’ve started NixOS/nixpkgs#347749 to provide a module in nixpkgs. I plan to finish the hardening this weekend but open to feedback.
