From 971382cab0c8ee057706e3dd4a124252d6b3547d Mon Sep 17 00:00:00 2001
From: Gavin Ray <ray.gavin97@gmail.com>
Date: Wed, 8 Dec 2021 19:55:34 -0500
Subject: [PATCH 1/2] Better diagnostics if no valid signature found

I downloaded Nix tonight, and immediately broke it by accidentally removing the default binary caching.
After figuring this out, I also failed to fix it properly, due to using the wrong key for Nix's default binary cache

If the diagnostic message would have been clearer about what/where a "signature" for a "substituter" is + comes from, it probably would have saved me a few hours.
Maybe we can save other noobs the same pain?
---
 src/libstore/build/substitution-goal.cc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/libstore/build/substitution-goal.cc b/src/libstore/build/substitution-goal.cc
index 29a8cfb87..4c3701b27 100644
--- a/src/libstore/build/substitution-goal.cc
+++ b/src/libstore/build/substitution-goal.cc
@@ -140,6 +140,8 @@ void PathSubstitutionGoal::tryNext()
     {
         warn("substituter '%s' does not have a valid signature for path '%s'",
             sub->getUri(), worker.store.printStorePath(storePath));
+        warn("verify that your nix.conf contains a correct signature in 'trusted-public-keys' for %s",
+            sub->getUri());
         tryNext();
         return;
     }

From 3542d4fe16822bcd94433bf9393fbe17a5297948 Mon Sep 17 00:00:00 2001
From: Gavin Ray <ray.gavin97@gmail.com>
Date: Fri, 10 Dec 2021 19:02:22 -0500
Subject: [PATCH 2/2] Incorporate suggestions from @edolstra

---
 src/libstore/build/substitution-goal.cc | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/libstore/build/substitution-goal.cc b/src/libstore/build/substitution-goal.cc
index 4c3701b27..5ecf1da7e 100644
--- a/src/libstore/build/substitution-goal.cc
+++ b/src/libstore/build/substitution-goal.cc
@@ -138,10 +138,8 @@ void PathSubstitutionGoal::tryNext()
        only after we've downloaded the path. */
     if (!sub->isTrusted && worker.store.pathInfoIsUntrusted(*info))
     {
-        warn("substituter '%s' does not have a valid signature for path '%s'",
-            sub->getUri(), worker.store.printStorePath(storePath));
-        warn("verify that your nix.conf contains a correct signature in 'trusted-public-keys' for %s",
-            sub->getUri());
+        warn("the substitute for '%s' from '%s' is not signed by any of the keys in 'trusted-public-keys'",
+            worker.store.printStorePath(storePath), sub->getUri());
         tryNext();
         return;
     }