Allow Hydra's binary cache to be signed

This requires adding the following to hydra.conf:

  binary_cache_key_name = <key-name>
  binary_cache_private_key_file = <path-to-private-key>

e.g.

  binary_cache_key_name = hydra.nixos.org-1
  binary_cache_private_key_file = /home/hydra/cache-key.sec

src/lib/Hydra/View/NARInfo.pm

@@ -4,6 +4,7 @@ use strict;
 use base qw/Catalyst::View/;
 use File::Basename;
 use Nix::Store;
+use Nix::Crypto;
 
 sub process {
     my ($self, $c) = @_;
@@ -29,6 +30,15 @@ sub process {
         }
     }
 
+    # Optionally, sign the NAR info file we just created.
+    my $privateKeyFile = $c->config->{binary_cache_private_key_file};
+    my $keyName = $c->config->{binary_cache_key_name};
+
+    if (defined $privateKeyFile && defined $keyName) {
+        my $sig = signString($privateKeyFile, $info);
+        $info .= "Signature: 1;$keyName;$sig\n";
+    }
+
     $c->response->body($info);
 
     return 1;