diff --git a/tests/cache-keys/privkey b/tests/cache-keys/privkey new file mode 100644 index 0000000..ed213db --- /dev/null +++ b/tests/cache-keys/privkey @@ -0,0 +1 @@ +do.not.use-1:+Vtfnroj2hvBFPf5Vf6EXNn1kY9kJmgmrkOG23Qi451PUUA6e0PhhwoUpMybaMjNn2BhED781Jf9+NjPgUs1Lw== \ No newline at end of file diff --git a/tests/cache-keys/pubkey b/tests/cache-keys/pubkey new file mode 100644 index 0000000..417ee4b --- /dev/null +++ b/tests/cache-keys/pubkey @@ -0,0 +1 @@ +do.not.use-1:T1FAOntD4YcKFKTMm2jIzZ9gYRA+/NSX/fjYz4FLNS8= \ No newline at end of file diff --git a/tests/default.nix b/tests/default.nix index 3ae1bfc..6278595 100644 --- a/tests/default.nix +++ b/tests/default.nix @@ -5,4 +5,5 @@ let in { basic = pkgs.callPackage ./basic.nix { }; + signature = pkgs.callPackage ./signature.nix { }; } diff --git a/tests/signature.nix b/tests/signature.nix new file mode 100644 index 0000000..5043f80 --- /dev/null +++ b/tests/signature.nix 
@@ -0,0 +1,74 @@
+{ pkgs }:
+let
+ #hello = pkgs.hello.overrideAttrs { pname = "custom-hello"; };
+ inherit (pkgs) hello;
+in
+pkgs.testers.runNixOSTest (_: {
+ name = "cache signature upload test";
+ nodes = {
+ cache =
+ { config, ... }:
+ {
+ imports = [
+ ./common
+ ../modules
+ ];
+
+ system.extraDependencies = [ hello ];
+
+ services.tvix-binary-cache = {
+ enable = true;
+ caches = {
+ cache.port = 8000;
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts.cache = {
+ default = true;
+ locations = {
+ "/cache".return = "302 /cache/";
+ "/cache/" = {
+ proxyPass = "http://localhost:${toString config.services.tvix-binary-cache.caches.cache.port}/";
+ };
+ };
+ extraConfig = "client_max_body_size 1G;";
+
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 ];
+ };
+ client =
+ { lib, ... }:
+ {
+ imports = [ ./common ];
+ nix.settings = {
+ substituters = lib.mkForce [ "http://cache/cache" ];
+ trusted-public-keys = lib.mkForce [ (builtins.readFile ./cache-keys/pubkey) ];
+ };
+ };
+ };
+ testScript = ''
+ import sys
+ import time
+ start_all()
+ cache.wait_for_unit("nginx.service")
+ cache.wait_for_unit("nar-bridge-cache.service")
+ time.sleep(1)
+ with subtest("Nar bridge home"):
+ out = cache.succeed("curl -L http://127.0.0.1/cache")
+ if out != "nar-bridge":
+ sys.exit(1)
+ with subtest("Path signature and copy"):
+ # Sign
+ cache.succeed("nix store sign -k ${./cache-keys/privkey} ${hello}")
+ cache.succeed("nix copy --to 'http://127.0.0.1/cache/?compression=none' ${hello}")
+ with subtest("Substitution"):
+ client.succeed("nix-store --delete ${hello}")
+ client.fail("stat ${hello}")
+ client.succeed("nix-store -r ${hello}")
+ client.succeed("stat ${hello}")
+ '';
+})
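Review bot: In the "Path signature and copy" subtest, `${./cache-keys/privkey}` is a Nix path interpolation, so the private key is copied into the Nix store, where it is readable by any user who can read the store. That is acceptable only because the pair is a throwaway fixture (the key name is `do.not.use-1`), and the line should say so: replace `# Sign` with `# Test-only key: the path interpolation copies it into the world-readable Nix store; never reference a real signing key this way.` Separately, the "Substitution" subtest demonstrates signature checking only if `./common`, which is not visible in this diff, leaves `require-sigs` enabled on the client. A further subtest in which the client fails to substitute a path that was copied without being signed would pin that behaviour down.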