Write access control for binary caches


As Cachix has grown, I have noticed a few things by observing the issues that came up: signing keys are still the best way to upload content without delegating trust to Cachix, but users have also found that they can be difficult to manage.

In particular, when the secret key needs to be rotated, whether because it was leaked by mistake or because a colleague is leaving.

At that point, the best option is to clear out the cache completely and re-sign everything with a newly generated key. Since the clients also rely on the public key, rolling out a new key pair can be somewhat complicated.
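The rotation problem above, shown as an added example (this is not Cachix's or Nix's own code): each narinfo signature is bound to one named key, so once clients stop trusting a leaked key every entry it signed fails verification until the entry is re-signed. The store path, hash, key names and key seeds are constructed for the example; the fingerprint string follows the "1;storePath;narHash;narSize;references" layout that Nix signs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// CacheKey is a binary-cache signing key: the key name that clients list in
// their trusted public keys, plus the ed25519 key pair behind that name.
type CacheKey struct {
	Name string
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

// newKey derives a key pair from a 32-byte seed. A real deployment takes the
// seed from crypto/rand; the seeds used below are constructed so the run is
// reproducible.
func newKey(name string, seed []byte) CacheKey {
	priv := ed25519.NewKeyFromSeed(seed)
	return CacheKey{Name: name, Pub: priv.Public().(ed25519.PublicKey), Priv: priv}
}

// fingerprint builds the string a narinfo signature covers, in the
// "1;storePath;narHash;narSize;references" layout that Nix signs.
func fingerprint(storePath, narHash string, narSize uint64, refs []string) string {
	return fmt.Sprintf("1;%s;%s;%d;%s", storePath, narHash, narSize, strings.Join(refs, ","))
}

// sign produces the "keyName:base64(signature)" value that goes into the
// narinfo Sig field.
func sign(k CacheKey, fp string) string {
	sig := ed25519.Sign(k.Priv, []byte(fp))
	return k.Name + ":" + base64.StdEncoding.EncodeToString(sig)
}

// verify checks a Sig value against the public keys a client trusts, indexed
// by key name. An unknown key name, a malformed field or a bad signature is
// rejected.
func verify(trusted map[string]ed25519.PublicKey, fp, sigField string) bool {
	parts := strings.SplitN(sigField, ":", 2)
	if len(parts) != 2 {
		return false
	}
	pub, known := trusted[parts[0]]
	if !known {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(fp), sig)
}

// seed turns a label into a deterministic 32-byte seed (constructed input).
func seed(label string) []byte {
	s := sha256.Sum256([]byte(label))
	return s[:]
}

// rotationDemo walks through a key rotation for one constructed cache entry
// and reports: whether the original signature verifies before rotation,
// whether it still verifies once clients trust only the new key, and whether
// the re-signed entry verifies under the new key.
func rotationDemo() (validBefore, oldSigAfter, resignedAfter bool) {
	fp := fingerprint(
		"/nix/store/0000000000000000000000000000000-example-1.0",         // constructed
		"sha256:0000000000000000000000000000000000000000000000000000", // constructed
		12345,
		[]string{"/nix/store/1111111111111111111111111111111-glibc-2.31"}, // constructed
	)

	oldKey := newKey("example.cachix.org-1", seed("constructed seed, old key"))
	sigOld := sign(oldKey, fp)
	validBefore = verify(map[string]ed25519.PublicKey{oldKey.Name: oldKey.Pub}, fp, sigOld)

	// The old key is treated as leaked: clients drop it and trust only the
	// replacement. Every entry signed with the old key now fails until it is
	// re-signed, which is why the whole cache has to be redone.
	fresh := newKey("example.cachix.org-2", seed("constructed seed, new key"))
	trustedAfter := map[string]ed25519.PublicKey{fresh.Name: fresh.Pub}
	oldSigAfter = verify(trustedAfter, fp, sigOld)
	resignedAfter = verify(trustedAfter, fp, sign(fresh, fp))
	return
}

func main() {
	before, after, resigned := rotationDemo()
	fmt.Printf("old signature before rotation: %v\n", before)
	fmt.Printf("old signature after rotation:  %v\n", after)
	fmt.Printf("re-signed entry after rotation: %v\n", resigned)
}
```

The versioned key name (-1, -2) is what lets clients carry both keys during a staged rollout; the moment the old name is removed from the trusted set, which is unavoidable when the key was leaked, nothing it signed is usable any more.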

This is why today I am introducing a second way of operating. Both modes will be available and supported going forward.

API tokens and managed signing for write access control

Newly created binary caches can opt out of self-managed signing keys and let Cachix manage the signing, using the API token lifecycle to grant and revoke write access to the binary cache.

It is possible to create per-cache read and write tokens and to grant user access via GitHub orgs/teams.

Note that this feature only works with the recently released Cachix 0.5.1 and cachix-action-v8.

Simplified setup

Managed signing also simplifies secret management when setting up clients.

There's now only one secret, the auth token, which you can expose via the CACHIX_AUTH_TOKEN environment variable or store in the configuration file by running cachix authtoken.

Transition to API tokens for write access

For the moment, the platform doesn't allow transitioning an existing cache.

If you would like to transition an existing binary cache to managed signing, please email me at [email protected].

Next up

Using API tokens makes it possible to track, for each pushed entry, which token pushed it.

Currently it is only possible to share personal access via the GitHub integration, but that's going to change in the next few weeks as I add support for logging in with an email address.

Domen