iron-seal/README.md

# Iron seal

This is a daemon for re-signing narinfo files from a binary cache. The idea of
this is that we can decouple high value private keys that are hard to rotate
from the data plane of the build infrastructure running untrusted code,
allowing *much* lower value ephemeral private keys to be used on the builders.

## Worldview

Iron Seal believes that narinfo files should not be stored in s3 to begin with
since they are tiny text files full of valuable metadata that really ought to
be queryable, so they belong in a database.

For the initial prototype, narinfos are to be fetched from s3 on-demand and
loaded into the database, in order to allow integration with existing Lix
systems. This is somewhat silly because it means that we have garbage narinfos
that will never be looked at again in s3, but it does mean that iron-seal is
not critical to the future value of the s3 cache.

narinfos are then serialized on-demand out of the database, with new signatures
added as-required on the fly based on signature rules. Currently this is
assumed to be that all in-date owned keys should sign a path if it was
previously validly signed by a builder or owned key.

### Remaining questions

- Can a store path be built multiple times?
    - What does this mean for the narinfo? How is that cache invalidated if we
      do do such a silly thing?

### Schema

#### What's in a narinfo?

- StorePath: /nix/store/(hash, name)
- Compression: enum of some limited set of values
- URL: nar/FileHash.nar.zst (redundant)
- FileSize: int
- FileHash: (type, nixbase32(digest))
- NarSize: int
- NarHash: (type, nixbase32(digest))
- CA: hashtype + hash + type
    - text:hashtype:hash
    - fixed:r:hashtype:hash
    - fixed:hashtype:hash
    - hashtype:hash, but it seems to be for legacy stuff only and the code to
      make them is Gone???
    - This should be redundant: there are three cases: text, fixed recursive,
      fixed, and the hash is always sha256 in practice
- References[]: store path names

  Is it better to denormalize the names or reference ids? Chose to normalize
  harder and natural-key the hashes. Then we can enforce there is only one
  instance of a name for a given store path. 20 bytes is a kind of silly key
  type, but it's not really worse than a 16 byte uuid lol.
- Sig[]: keyname:base64(sig)

Observations:
- We can compress the living daylights out of this by simply not base64ing
  anything and storing binary as binary, as well as removing strings
- Storing references as IDs in a join table would knock even more bytes off of it
- URL is completely redundant
- StorePath is sorta redundant but -> need to be able to lookup by hash
    - Split out name


```
~ » curl --compressed https://cache.lix.systems/0018nm26ljlp20g9m22bj55ql9kz3klz.narinfo
StorePath: /nix/store/0018nm26ljlp20g9m22bj55ql9kz3klz-apple-framework-CoreFoundation-11.0.0.drv
URL: nar/1zp24fp4cf01066mrj7dhdmp6zizcahp32xglpw1sg4473bxv0x6.nar.zst
Compression: zstd
FileHash: sha256:1zp24fp4cf01066mrj7dhdmp6zizcahp32xglpw1sg4473bxv0x6
FileSize: 1429
NarHash: sha256:135jwl0vl96mx9294ylb1b6y8rlw4bnhyx8zn7pdmsp5md7p5wfm
NarSize: 3776
References: 5iqpm377dcnzaj0bjip0alh6shvjrfpc-cf-setup-hook.sh 6ag32dimxbc019zm5nx09v40wl1w0ysv-bootstrap-tools.drv a045scfay8yb7xxw36r3glxbx5v7cvyh-rewrite-tbd-unstable-2023-03-27.drv kpp0z1ia13ph5lkypdh5kfcmggj9agpy-bootstrap-stage1-stdenv-darwin.drv r7mhby3fppgh801xkidw9hg6y5wvdab8-libobjc-11.0.0.drv v6x3cs394jgqfbi0a42pam708flxaphh-default-builder.sh v9034cqc4h5bm10z4vz3n1q2n55grv5y-role.bash y171r47m5ryvqnwc5ld0drvq5klnbdcb-MacOSX-SDK-11.0.0.drv
Sig: cache.lix.systems:RwRtAxn0kO0zTa3ESZDI6g8K0F/fhbENKv6K8Yh3+imzBSqtXwjbpRRBnD38caSjaVpa8ws212ZQQelhLdiZAA==
CA: text:sha256:0s9difwgh59k43qlvkqvcwr0jm3qq2yd2zgwmy2gvxjqmjw4hk91

~ » curl --compressed https://cache.lix.systems/rwakndmpj9dbr1sh2271g47l7d2fl1zf.narinfo
StorePath: /nix/store/rwakndmpj9dbr1sh2271g47l7d2fl1zf-source
URL: nar/127d2kh80xhlpv14810zb8d9wgxqv125hpy4b1mmnihlj45y861z.nar.zst
Compression: zstd
FileHash: sha256:127d2kh80xhlpv14810zb8d9wgxqv125hpy4b1mmnihlj45y861z
FileSize: 1336187
NarHash: sha256:0b03rwv7kawsqj3grdjs4dyip02l31x4hll6rbgyx7gvsgn4r2mi
NarSize: 5294376
References:
Sig: cache.lix.systems:z6sKt0+CMPfOvyyPyAmfisQFH89+gIlLKGT+W5caN46zkPKzQg40T9KUw+ppqB/Gfkhoz4UcRVHzE2VSbbqyBQ==
CA: fixed:r:sha256:0b03rwv7kawsqj3grdjs4dyip02l31x4hll6rbgyx7gvsgn4r2mi

~ » curl --compressed https://cache.lix.systems/v9034cqc4h5bm10z4vz3n1q2n55grv5y.narinfo
StorePath: /nix/store/v9034cqc4h5bm10z4vz3n1q2n55grv5y-role.bash
URL: nar/0k78kc5xs5kvnz119hrqc8k0lzpv094jzrs7j6i386hl50bw1051.nar.xz
Compression: xz
FileHash: sha256:0k78kc5xs5kvnz119hrqc8k0lzpv094jzrs7j6i386hl50bw1051
FileSize: 916
NarHash: sha256:1wm870bpkip4d9xaa8rj2fiapnjz27xkgbycl47av7f64q98502s
NarSize: 2328
References:
Sig: cache.lix.systems:+9mf0JXUAuhEAEyGE7vfylI+byK1xYNOCrBQiIKDqRNZFNeh0UJC01oWddvoGm3TLmY8bSnVFNxDpBy2ajgaCw==
CA: fixed:r:sha256:1wm870bpkip4d9xaa8rj2fiapnjz27xkgbycl47av7f64q98502s
```

An output and its deriver:

Outputs don't have CA.

```
~ » curl --compressed https://cache.lix.systems/ws234x3s0in12ks97miwrrdnfx6iys7w.narinfo
StorePath: /nix/store/ws234x3s0in12ks97miwrrdnfx6iys7w-lix-2.91.0-debug
URL: nar/0767zlbsfp572ikqwv8k2kv0bvdr2kpr2xp3vl6843bhpn89srcf.nar.zst
Compression: zstd
FileHash: sha256:0767zlbsfp572ikqwv8k2kv0bvdr2kpr2xp3vl6843bhpn89srcf
FileSize: 149517914
NarHash: sha256:0nv4qv7yy82l2w3sgkfc6ax3s5mv5hffwgbjp45wji6vcpn48639
NarSize: 152916192
References:
Deriver: iz2nhchdh0dl96z591maai3f5hnl9jd9-lix-2.91.0.drv
Sig: cache.lix.systems:AxW+LHBGOFAqNhN5esqu/jNDASq9q4HQZ1uetf+8m9UC7uXNgfzTWMvWjNHzc2cbiLFN4Lv8wTxaGCW6CqSTAQ==

~ » curl --compressed https://cache.lix.systems/iz2nhchdh0dl96z591maai3f5hnl9jd9.narinfo
StorePath: /nix/store/iz2nhchdh0dl96z591maai3f5hnl9jd9-lix-2.91.0.drv
URL: nar/1zrhxs2md2ppharrdgm4pzf67n9ngvrd0k7swchvvqqnxs2zg0cn.nar.zst
Compression: zstd
FileHash: sha256:1zrhxs2md2ppharrdgm4pzf67n9ngvrd0k7swchvvqqnxs2zg0cn
FileSize: 3826
NarHash: sha256:152viw7i9iq9nql205i6xx1w1x3pz4pyd5k1l2rffnz8mws1skrf
NarSize: 8696
References: 02whz8bddsbc1fc3z4lp9r5d93gfi19b-jq-1.7.1.drv 09xdqf5vm3671iw83hq83ra55211zisl-gcc-13.2.0.drv 12l2v3kmacnpmx14p2345kk41fpv31rw-separate-debug-info.sh 1gk1c7x53fa5wqcqcwayagvblzinn8rx-openssl-3.0.14.drv 1h6y345b14l439y668mgfmhp7x611vsn-pkg-config-wrapper-0.29.2.drv 1z8izdpyzhd23nk2amhsyfkmphzajcc5-rapidcheck-0-unstable-2023-12-14.drv 24z6w1l9pfjixbp57q0vz98njvk53mdb-bzip2-1.0.8.drv 2q0p6sd6994k99x3cw6xvg9wlb9b2hym-sqlite-3.45.3.drv 377zz3y35n2aqzj39rxxvki5nw4jn32a-meson-1.4.1.drv 49wp9a3ldgyf8zr3875bpznr1vgb2cp9-mercurial-6.6.3.drv 5246sqmc35hxwxi905vz14wq9bg7ss13-util-linux-minimal-2.39.4.drv 5r7dangpzlqbh9qikfvcy2hkcr9dfn2i-libseccomp-2.5.5.drv 6fxk6xxg5r25glpychiwii4913wzkv0j-toml11-3.7.1.drv 7vgvm6maz2q40c5600ig0470hzmyvi2y-ninja-1.11.1.drv 8yb3slw042zr414dw6cnsjs7jz3b3d3d-mdbook-linkcheck-0.7.7.drv 98hyrmv2d8s133y0gfg7v4bz2g26lnzh-gtest-1.14.0.drv c89v384z3l833ykvjxc05y89jyqimpk2-cmake-3.29.2.drv cl2aa2ixggw275v1mfq9qxnna95pssvg-brotli-1.1.0.drv d58bmmhv8zzv18hf0mi57jgqj4fmnkgi-lowdown-1.1.0.drv dl3158bk4h8fahfgddvd5hjg4mnayddi-boost-1.81.0.drv fw3srq3319h1c3b10bi51sj68zhgl4wh-aws-sdk-cpp-1.11.318.drv g45hm2v7cjjsbm8z1hzma5ybbg2l9igw-editline-1.17.1.drv gvf4apg8zc1hg27409mb62fsvw5x1n0i-lsof-4.99.3.drv ibvns8id2frl8lg02gpyhvrav38dx1pm-pegtl-3.2.7.drv iwc1b7yk89rr37j546hgs6hfw9h2zfdc-busybox-static-aarch64-unknown-linux-musl-1.36.1.drv ix79ffj7sdnllcb06bry8ahqmjmh3hkh-git-2.44.1.drv iy52yascwcmgwm4q7x0vhgwig6g1q2qn-nlohmann_json-3.11.3.drv kfibsc08liqs0f3sm2wfha0qv0c0nfa3-libsodium-1.0.19.drv m7sjf5692xdv77rmp1mr947kvkr24zkf-python3-3.11.9.drv n8bzpa0g4zqlb1l463yr6gjwj9alb4lx-boehm-gc-8.2.6.drv nd47yjmilyhjkx77lvqg20izc9l7kvhs-mdbook-0.4.37.drv nnak6v9iccf7rsvw21wbwrqq2k8s780d-lix-doc.drv ridfqdfrv7hbrka1swxrnv3apgrvi2b6-bash-5.2p26.drv rwakndmpj9dbr1sh2271g47l7d2fl1zf-source rzb066q38jcjm223c07x6nlqibbgbq7i-libarchive-3.7.4.drv v6x3cs394jgqfbi0a42pam708flxaphh-default-builder.sh vpy0352yk1vl1l1dhmr4yhyhvcnig2xw-stdenv-linux.drv wcyypaafk1mzm47rwhbcmx481q43j4s4-xz-5.4.7.drv xp1bywj9afd809zmcyc5g9y66paxgqav-curl-8.7.1.drv
Sig: cache.lix.systems:yauNRyXEq2heiwJASbT14kDBnK0hrEMKQgDf1eb78e5m4xaQDun1ZcvMKRoa2K8JFuN+UjESH4h83Ndx4N8bDg==
CA: text:sha256:18gfki09lpdnqpxwdjdw8nmq1ryzyc0dhncgi5yvb9qvlphgyj3m
```
Sketching 2024-08-21 05:55:31 +00:00			`# Iron seal`

			`This is a daemon for re-signing narinfo files from a binary cache. The idea of`
			`this is that we can decouple high value private keys that are hard to rotate`
			`from the data plane of the build infrastructure running untrusted code,`
			`allowing much lower value ephemeral private keys to be used on the builders.`

			`## Worldview`

			`Iron Seal believes that narinfo files should not be stored in s3 to begin with`
			`since they are tiny text files full of valuable metadata that really ought to`
			`be queryable, so they belong in a database.`

			`For the initial prototype, narinfos are to be fetched from s3 on-demand and`
			`loaded into the database, in order to allow integration with existing Lix`
			`systems. This is somewhat silly because it means that we have garbage narinfos`
			`that will never be looked at again in s3, but it does mean that iron-seal is`
			`not critical to the future value of the s3 cache.`

			`narinfos are then serialized on-demand out of the database, with new signatures`
			`added as-required on the fly based on signature rules. Currently this is`
			`assumed to be that all in-date owned keys should sign a path if it was`
			`previously validly signed by a builder or owned key.`

			`### Remaining questions`

			`- Can a store path be built multiple times?`
			`- What does this mean for the narinfo? How is that cache invalidated if we`
			`do do such a silly thing?`

			`### Schema`

			`#### What's in a narinfo?`

			`- StorePath: /nix/store/(hash, name)`
			`- Compression: enum of some limited set of values`
			`- URL: nar/FileHash.nar.zst (redundant)`
			`- FileSize: int`
			`- FileHash: (type, nixbase32(digest))`
			`- NarSize: int`
			`- NarHash: (type, nixbase32(digest))`
			`- CA: hashtype + hash + type`
			`- text:hashtype:hash`
			`- fixed:r:hashtype:hash`
			`- fixed:hashtype:hash`
			`- hashtype:hash, but it seems to be for legacy stuff only and the code to`
			`make them is Gone???`
			`- This should be redundant: there are three cases: text, fixed recursive,`
			`fixed, and the hash is always sha256 in practice`
			`- References[]: store path names`

			`Is it better to denormalize the names or reference ids? Chose to normalize`
			`harder and natural-key the hashes. Then we can enforce there is only one`
			`instance of a name for a given store path. 20 bytes is a kind of silly key`
			`type, but it's not really worse than a 16 byte uuid lol.`
			`- Sig[]: keyname:base64(sig)`

			`Observations:`
			`- We can compress the living daylights out of this by simply not base64ing`
			`anything and storing binary as binary, as well as removing strings`
			`- Storing references as IDs in a join table would knock even more bytes off of it`
			`- URL is completely redundant`
			`- StorePath is sorta redundant but -> need to be able to lookup by hash`
			`- Split out name`


			```
			`~ » curl --compressed https://cache.lix.systems/0018nm26ljlp20g9m22bj55ql9kz3klz.narinfo`
			`StorePath: /nix/store/0018nm26ljlp20g9m22bj55ql9kz3klz-apple-framework-CoreFoundation-11.0.0.drv`
			`URL: nar/1zp24fp4cf01066mrj7dhdmp6zizcahp32xglpw1sg4473bxv0x6.nar.zst`
			`Compression: zstd`
			`FileHash: sha256:1zp24fp4cf01066mrj7dhdmp6zizcahp32xglpw1sg4473bxv0x6`
			`FileSize: 1429`
			`NarHash: sha256:135jwl0vl96mx9294ylb1b6y8rlw4bnhyx8zn7pdmsp5md7p5wfm`
			`NarSize: 3776`
			`References: 5iqpm377dcnzaj0bjip0alh6shvjrfpc-cf-setup-hook.sh 6ag32dimxbc019zm5nx09v40wl1w0ysv-bootstrap-tools.drv a045scfay8yb7xxw36r3glxbx5v7cvyh-rewrite-tbd-unstable-2023-03-27.drv kpp0z1ia13ph5lkypdh5kfcmggj9agpy-bootstrap-stage1-stdenv-darwin.drv r7mhby3fppgh801xkidw9hg6y5wvdab8-libobjc-11.0.0.drv v6x3cs394jgqfbi0a42pam708flxaphh-default-builder.sh v9034cqc4h5bm10z4vz3n1q2n55grv5y-role.bash y171r47m5ryvqnwc5ld0drvq5klnbdcb-MacOSX-SDK-11.0.0.drv`
			`Sig: cache.lix.systems:RwRtAxn0kO0zTa3ESZDI6g8K0F/fhbENKv6K8Yh3+imzBSqtXwjbpRRBnD38caSjaVpa8ws212ZQQelhLdiZAA==`
			`CA: text:sha256:0s9difwgh59k43qlvkqvcwr0jm3qq2yd2zgwmy2gvxjqmjw4hk91`

			`~ » curl --compressed https://cache.lix.systems/rwakndmpj9dbr1sh2271g47l7d2fl1zf.narinfo`
			`StorePath: /nix/store/rwakndmpj9dbr1sh2271g47l7d2fl1zf-source`
			`URL: nar/127d2kh80xhlpv14810zb8d9wgxqv125hpy4b1mmnihlj45y861z.nar.zst`
			`Compression: zstd`
			`FileHash: sha256:127d2kh80xhlpv14810zb8d9wgxqv125hpy4b1mmnihlj45y861z`
			`FileSize: 1336187`
			`NarHash: sha256:0b03rwv7kawsqj3grdjs4dyip02l31x4hll6rbgyx7gvsgn4r2mi`
			`NarSize: 5294376`
			`References:`
			`Sig: cache.lix.systems:z6sKt0+CMPfOvyyPyAmfisQFH89+gIlLKGT+W5caN46zkPKzQg40T9KUw+ppqB/Gfkhoz4UcRVHzE2VSbbqyBQ==`
			`CA: fixed:r:sha256:0b03rwv7kawsqj3grdjs4dyip02l31x4hll6rbgyx7gvsgn4r2mi`

			`~ » curl --compressed https://cache.lix.systems/v9034cqc4h5bm10z4vz3n1q2n55grv5y.narinfo`
			`StorePath: /nix/store/v9034cqc4h5bm10z4vz3n1q2n55grv5y-role.bash`
			`URL: nar/0k78kc5xs5kvnz119hrqc8k0lzpv094jzrs7j6i386hl50bw1051.nar.xz`
			`Compression: xz`
			`FileHash: sha256:0k78kc5xs5kvnz119hrqc8k0lzpv094jzrs7j6i386hl50bw1051`
			`FileSize: 916`
			`NarHash: sha256:1wm870bpkip4d9xaa8rj2fiapnjz27xkgbycl47av7f64q98502s`
			`NarSize: 2328`
			`References:`
			`Sig: cache.lix.systems:+9mf0JXUAuhEAEyGE7vfylI+byK1xYNOCrBQiIKDqRNZFNeh0UJC01oWddvoGm3TLmY8bSnVFNxDpBy2ajgaCw==`
			`CA: fixed:r:sha256:1wm870bpkip4d9xaa8rj2fiapnjz27xkgbycl47av7f64q98502s`
			```

			`An output and its deriver:`

			`Outputs don't have CA.`

			```
			`~ » curl --compressed https://cache.lix.systems/ws234x3s0in12ks97miwrrdnfx6iys7w.narinfo`
			`StorePath: /nix/store/ws234x3s0in12ks97miwrrdnfx6iys7w-lix-2.91.0-debug`
			`URL: nar/0767zlbsfp572ikqwv8k2kv0bvdr2kpr2xp3vl6843bhpn89srcf.nar.zst`
			`Compression: zstd`
			`FileHash: sha256:0767zlbsfp572ikqwv8k2kv0bvdr2kpr2xp3vl6843bhpn89srcf`
			`FileSize: 149517914`
			`NarHash: sha256:0nv4qv7yy82l2w3sgkfc6ax3s5mv5hffwgbjp45wji6vcpn48639`
			`NarSize: 152916192`
			`References:`
			`Deriver: iz2nhchdh0dl96z591maai3f5hnl9jd9-lix-2.91.0.drv`
			`Sig: cache.lix.systems:AxW+LHBGOFAqNhN5esqu/jNDASq9q4HQZ1uetf+8m9UC7uXNgfzTWMvWjNHzc2cbiLFN4Lv8wTxaGCW6CqSTAQ==`

			`~ » curl --compressed https://cache.lix.systems/iz2nhchdh0dl96z591maai3f5hnl9jd9.narinfo`
			`StorePath: /nix/store/iz2nhchdh0dl96z591maai3f5hnl9jd9-lix-2.91.0.drv`
			`URL: nar/1zrhxs2md2ppharrdgm4pzf67n9ngvrd0k7swchvvqqnxs2zg0cn.nar.zst`
			`Compression: zstd`
			`FileHash: sha256:1zrhxs2md2ppharrdgm4pzf67n9ngvrd0k7swchvvqqnxs2zg0cn`
			`FileSize: 3826`
			`NarHash: sha256:152viw7i9iq9nql205i6xx1w1x3pz4pyd5k1l2rffnz8mws1skrf`
			`NarSize: 8696`
			References: 02whz8bddsbc1fc3z4lp9r5d93gfi19b-jq-1.7.1.drv 09xdqf5vm3671iw83hq83ra55211zisl-gcc-13.2.0.drv 12l2v3kmacnpmx14p2345kk41fpv31rw-separate-debug-info.sh 1gk1c7x53fa5wqcqcwayagvblzinn8rx-openssl-3.0.14.drv 1h6y345b14l439y668mgfmhp7x611vsn-pkg-config-wrapper-0.29.2.drv 1z8izdpyzhd23nk2amhsyfkmphzajcc5-rapidcheck-0-unstable-2023-12-14.drv 24z6w1l9pfjixbp57q0vz98njvk53mdb-bzip2-1.0.8.drv 2q0p6sd6994k99x3cw6xvg9wlb9b2hym-sqlite-3.45.3.drv 377zz3y35n2aqzj39rxxvki5nw4jn32a-meson-1.4.1.drv 49wp9a3ldgyf8zr3875bpznr1vgb2cp9-mercurial-6.6.3.drv 5246sqmc35hxwxi905vz14wq9bg7ss13-util-linux-minimal-2.39.4.drv 5r7dangpzlqbh9qikfvcy2hkcr9dfn2i-libseccomp-2.5.5.drv 6fxk6xxg5r25glpychiwii4913wzkv0j-toml11-3.7.1.drv 7vgvm6maz2q40c5600ig0470hzmyvi2y-ninja-1.11.1.drv 8yb3slw042zr414dw6cnsjs7jz3b3d3d-mdbook-linkcheck-0.7.7.drv 98hyrmv2d8s133y0gfg7v4bz2g26lnzh-gtest-1.14.0.drv c89v384z3l833ykvjxc05y89jyqimpk2-cmake-3.29.2.drv cl2aa2ixggw275v1mfq9qxnna95pssvg-brotli-1.1.0.drv d58bmmhv8zzv18hf0mi57jgqj4fmnkgi-lowdown-1.1.0.drv dl3158bk4h8fahfgddvd5hjg4mnayddi-boost-1.81.0.drv fw3srq3319h1c3b10bi51sj68zhgl4wh-aws-sdk-cpp-1.11.318.drv g45hm2v7cjjsbm8z1hzma5ybbg2l9igw-editline-1.17.1.drv gvf4apg8zc1hg27409mb62fsvw5x1n0i-lsof-4.99.3.drv ibvns8id2frl8lg02gpyhvrav38dx1pm-pegtl-3.2.7.drv iwc1b7yk89rr37j546hgs6hfw9h2zfdc-busybox-static-aarch64-unknown-linux-musl-1.36.1.drv ix79ffj7sdnllcb06bry8ahqmjmh3hkh-git-2.44.1.drv iy52yascwcmgwm4q7x0vhgwig6g1q2qn-nlohmann_json-3.11.3.drv kfibsc08liqs0f3sm2wfha0qv0c0nfa3-libsodium-1.0.19.drv m7sjf5692xdv77rmp1mr947kvkr24zkf-python3-3.11.9.drv n8bzpa0g4zqlb1l463yr6gjwj9alb4lx-boehm-gc-8.2.6.drv nd47yjmilyhjkx77lvqg20izc9l7kvhs-mdbook-0.4.37.drv nnak6v9iccf7rsvw21wbwrqq2k8s780d-lix-doc.drv ridfqdfrv7hbrka1swxrnv3apgrvi2b6-bash-5.2p26.drv rwakndmpj9dbr1sh2271g47l7d2fl1zf-source rzb066q38jcjm223c07x6nlqibbgbq7i-libarchive-3.7.4.drv v6x3cs394jgqfbi0a42pam708flxaphh-default-builder.sh vpy0352yk1vl1l1dhmr4yhyhvcnig2xw-stdenv-linux.drv wcyypaafk1mzm47rwhbcmx481q43j4s4-xz-5.4.7.drv xp1bywj9afd809zmcyc5g9y66paxgqav-curl-8.7.1.drv
			`Sig: cache.lix.systems:yauNRyXEq2heiwJASbT14kDBnK0hrEMKQgDf1eb78e5m4xaQDun1ZcvMKRoa2K8JFuN+UjESH4h83Ndx4N8bDg==`
			`CA: text:sha256:18gfki09lpdnqpxwdjdw8nmq1ryzyc0dhncgi5yvb9qvlphgyj3m`
			```