From a2a8cb10ac17e03691b9f73ae14e5b6edbe66f4e Mon Sep 17 00:00:00 2001
From: John Ericson <git@JohnEricson.me>
Date: Thu, 22 Sep 2022 14:36:26 -0400
Subject: [PATCH] Dodge "trusted" vs "trustworthy" by being explicit

Hopefully this is best!
---
 src/libstore/globals.hh           | 12 +++++++++---
 src/libstore/local-store.cc       |  4 ++--
 src/nix/make-content-addressed.md |  2 +-
 src/nix/verify.cc                 |  2 +-
 tests/signing.sh                  |  2 +-
 5 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index fb8f810c2..e2bb0ffc9 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -560,9 +560,15 @@ public:
         R"(
           If set to `true` (the default), any non-content-addressed path added
           or copied to the Nix store (e.g. when substituting from a binary
-          cache) must have a trustworthy signature, that is, be signed using one of
-          the keys listed in `trusted-public-keys` or `secret-key-files`. Set
-          to `false` to disable signature checking.
+          cache) must have a signature by a key we trust. A trusted key is one
+          listed in `trusted-public-keys`, or a public key counterpart to a
+          private key stored in a file listed in `secret-key-files`.
+          
+          Set to `false` to disable signature checking and trust all
+          non-content-addressed paths unconditionally.
+          
+          (Content-addressed paths are inherently trustworthy and thus
+          unaffected by this configuration option.)
         )"};
 
     Setting<StringSet> extraPlatforms{
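Review bot: The closing parenthetical on the last two added lines calls content-addressed paths "inherently trustworthy", which overstates what the option skips: such a path can be verified against its own hash, so a signature would add nothing, but that says nothing about whether its contents are safe to use, and a reader may take it as a stronger guarantee than the setting gives. Suggest `(Content-addressed paths can be verified against their own hash, so they need no signature and are unaffected by this option.)`. The two separator lines added inside the raw string also carry trailing spaces after the `+`; since this text is the rendered setting description, trim them so the generated documentation stays clean. The raw string literal and the `Setting` it belongs to begin before this hunk.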
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index b64ae6080..d374d4558 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -751,7 +751,7 @@ void LocalStore::registerDrvOutput(const Realisation & info, CheckSigsFlag check
     if (checkSigs == NoCheckSigs || !realisationIsUntrusted(info))
         registerDrvOutput(info);
     else
-        throw Error("cannot register realisation '%s' because it lacks a trustworthy signature", info.outPath.to_string());
+        throw Error("cannot register realisation '%s' because it lacks a signature by a trusted key", info.outPath.to_string());
 }
 
 void LocalStore::registerDrvOutput(const Realisation & info)
@@ -1266,7 +1266,7 @@ void LocalStore::addToStore(const ValidPathInfo & info, Source & source,
     RepairFlag repair, CheckSigsFlag checkSigs)
 {
     if (checkSigs && pathInfoIsUntrusted(info))
-        throw Error("cannot add path '%s' because it lacks a trustworthy signature", printStorePath(info.path));
+        throw Error("cannot add path '%s' because it lacks a signature by a trusted key", printStorePath(info.path));
 
     addTempRoot(info.path);
 
diff --git a/src/nix/make-content-addressed.md b/src/nix/make-content-addressed.md
index b0685bb6c..32eecc880 100644
--- a/src/nix/make-content-addressed.md
+++ b/src/nix/make-content-addressed.md
@@ -22,7 +22,7 @@ R""(
 
   ```console
   # nix copy --to /tmp/nix --trusted-public-keys '' nixpkgs#hello
-  cannot add path '/nix/store/zy9wbxwcygrwnh8n2w9qbbcr6zk87m26-libunistring-0.9.10' because it lacks a trustworthy signature
+  cannot add path '/nix/store/zy9wbxwcygrwnh8n2w9qbbcr6zk87m26-libunistring-0.9.10' because it lacks a signature by a trusted key
   ```
 
 * Create a content-addressed representation of the current NixOS
diff --git a/src/nix/verify.cc b/src/nix/verify.cc
index 6dc539e24..1ddedd320 100644
--- a/src/nix/verify.cc
+++ b/src/nix/verify.cc
@@ -41,7 +41,7 @@ struct CmdVerify : StorePathsCommand
         addFlag({
             .longName = "sigs-needed",
             .shortName = 'n',
-            .description = "Require that each path has at least *n* trustworthy signatures.",
+            .description = "Require that each path has is signed by *n* different keys.",
             .labels = {"n"},
             .handler = {&sigsNeeded}
         });
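Review bot: The new `--sigs-needed` description reads `has is signed`, a grammatical slip, and it also drops the `at least` qualifier of the old text, so the help now reads as an exact count rather than a minimum. Suggest `.description = "Require that each path is signed by at least *n* different trusted keys.",` — keeping the word `trusted`, since presumably only signatures by keys listed in `trusted-public-keys` count toward *n*; the counting logic is outside this hunk, so confirm that against the verify loop before wording it that way. The enclosing constructor of `CmdVerify` starts before this hunk.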
diff --git a/tests/signing.sh b/tests/signing.sh
index 74f57966a..9b673c609 100644
--- a/tests/signing.sh
+++ b/tests/signing.sh
@@ -81,7 +81,7 @@ info=$(nix path-info --store file://$cacheDir --json $outPath2)
 [[ $info =~ 'cache1.example.org' ]]
 [[ $info =~ 'cache2.example.org' ]]
 
-# Copying to a diverted store should fail due to a lack of trustworthy signatures.
+# Copying to a diverted store should fail due to a lack of signatures by trusted keys.
 chmod -R u+w $TEST_ROOT/store0 || true
 rm -rf $TEST_ROOT/store0
 (! nix copy --to $TEST_ROOT/store0 $outPath)