Write access control for binary caches

As Cachix is growing, I have noticed a few issues along the way: Signing keys are still the best way to upload content and not delegate trust to Cachix, but users have also found that they can be difficult to manage, particularly if the secret key needs to be rotated.

At this point, the best option is to clear out the cache completely, and re-sign everything with a newly generated key. Since the clients require the public key, rolling out a new key-pair can be somewhat complicated.

This is why today I introduce a second way of operating. Both modes will be available and supported going forward.

API tokens and managed signing for write access control

Newly created binary caches can opt out of letting Cachix manage the signing and instead use API tokens to grant and revoke access for writing to a binary cache.

It is possible to create per-cache read and write tokens and grant user access via GitHub orgs/teams.

Note that this feature only works with the recently released Cachix 0.5.1 and cachix-action-v8.

Simplified setup

Managed signing also simplifies secret management when setting up clients.

There’s now only the secret auth token that you can expose via the environment variable CACHIX_AUTH_TOKEN or via configuration file by running cachix authtoken.

Transition to API tokens for write access

For the moment, the platform doesn’t allow transitioning.

If you would like to transition an existing binary cache to managed signing, please email me at [email protected]

Next up

Using API tokens allows tracking of each pushed entry and what token pushed it.

Currently it is only possible to share personal access using GitHub integration, but that will change in the next few weeks as I add support for logging in using email.

Domen