Diffstat (limited to 'src')
-rw-r--r--src/build-remote/build-remote.cc22
-rw-r--r--src/libstore/daemon.cc2
-rw-r--r--src/libstore/store-api.cc19
-rw-r--r--src/libstore/store-api.hh4
-rw-r--r--src/nix-daemon/nix-daemon.cc19
5 files changed, 55 insertions, 11 deletions
diff --git a/src/build-remote/build-remote.cc b/src/build-remote/build-remote.cc
index 8348d8c91..402754c3c 100644
--- a/src/build-remote/build-remote.cc
+++ b/src/build-remote/build-remote.cc
@@ -247,6 +247,9 @@ static int main_build_remote(int argc, char * * argv)
connected:
close(5);
+ assert(sshStore);
+ auto sshStore2 = ref<Store>(sshStore);
+
std::cerr << "# accept\n" << storeUri << "\n";
auto inputs = readStrings<PathSet>(source);
@@ -269,18 +272,23 @@ connected:
{
Activity act(*logger, lvlTalkative, actUnknown, fmt("copying dependencies to '%s'", storeUri));
- copyPaths(store, ref<Store>(sshStore), store->parseStorePathSet(inputs), NoRepair, NoCheckSigs, substitute);
+ copyPaths(store, sshStore2, store->parseStorePathSet(inputs), NoRepair, NoCheckSigs, substitute);
}
uploadLock = -1;
- auto drv = store->readDerivation(*drvPath);
- drv.inputSrcs = store->parseStorePathSet(inputs);
+ BasicDerivation drv = store->readDerivation(*drvPath);
- auto result = sshStore->buildDerivation(*drvPath, drv);
+ if (sshStore2->isTrusting || derivationIsCA(drv.type())) {
+ drv.inputSrcs = store->parseStorePathSet(inputs);
+ auto result = sshStore2->buildDerivation(*drvPath, drv);
+ if (!result.success())
+ throw Error("build of '%s' on '%s' failed: %s", store->printStorePath(*drvPath), storeUri, result.errorMsg);
+ } else {
+ copyPaths(store, sshStore2, {*drvPath}, NoRepair, NoCheckSigs, substitute);
+ sshStore2->buildPaths({{*drvPath}});
+ }
- if (!result.success())
- throw Error("build of '%s' on '%s' failed: %s", store->printStorePath(*drvPath), storeUri, result.errorMsg);
StorePathSet missing;
for (auto & path : outputs)
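Review bot: In the `else` branch, `copyPaths(store, sshStore2, {*drvPath}, ...)` sends only the single .drv path, not its closure, so the following `sshStore2->buildPaths({{*drvPath}})` appears to depend on the remote already holding everything the .drv references; nothing in this hunk ensures that. If the codebase has a closure-copying helper, use it here; otherwise state the precondition, e.g. `// remote must already hold the closure of *drvPath; only the .drv itself is sent`. This branch also drops the `build of '%s' on '%s' failed` context that the trusting branch adds, so a failure on a non-trusting builder will not name `storeUri` unless `buildPaths` reports it itself. The enclosing block starts and ends outside the hunk.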
@@ -290,7 +298,7 @@ connected:
Activity act(*logger, lvlTalkative, actUnknown, fmt("copying outputs from '%s'", storeUri));
for (auto & i : missing)
store->locksHeld.insert(store->printStorePath(i)); /* FIXME: ugly */
- copyPaths(ref<Store>(sshStore), store, missing, NoRepair, NoCheckSigs, NoSubstitute);
+ copyPaths(sshStore2, store, missing, NoRepair, NoCheckSigs, NoSubstitute);
}
return 0;
diff --git a/src/libstore/daemon.cc b/src/libstore/daemon.cc
index ba5788b64..894081fa8 100644
--- a/src/libstore/daemon.cc
+++ b/src/libstore/daemon.cc
@@ -960,6 +960,8 @@ void processConnection(
opCount++;
+ debug("performing daemon worker op: %d", op);
+
try {
performOp(tunnelLogger, store, trusted, recursive, clientVersion, from, to, op);
} catch (Error & e) {
diff --git a/src/libstore/store-api.cc b/src/libstore/store-api.cc
index 2cd39ab11..9d10ae76f 100644
--- a/src/libstore/store-api.cc
+++ b/src/libstore/store-api.cc
@@ -893,7 +893,24 @@ std::map<StorePath, StorePath> copyPaths(ref<Store> srcStore, ref<Store> dstStor
MaintainCount<decltype(nrRunning)> mc(nrRunning);
showProgress();
try {
- copyStorePath(srcStore, dstStore, storePath, repair, checkSigs);
+ if (dstStore->isTrusting || info->ca) {
+ copyStorePath(srcStore, dstStore, storePath, repair, checkSigs);
+ } else if (info->deriver && dstStore->storeDir == srcStore->storeDir) {
+ auto drvPath = *info->deriver;
+ auto outputMap = srcStore->queryDerivationOutputMap(drvPath);
+ auto p = std::find_if(outputMap.begin(), outputMap.end(), [&](auto & i) {
+ return i.second == storePath;
+ });
+ // drv file is always CA
+ srcStore->ensurePath(drvPath);
+ copyStorePath(srcStore, dstStore, drvPath, repair, checkSigs);
+ dstStore->buildPaths({{
+ drvPath,
+ p != outputMap.end() ? StringSet { p->first } : StringSet {},
+ }});
+ } else {
+ dstStore->ensurePath(storePath);
+ }
} catch (Error &e) {
nrFailed++;
if (!settings.keepGoing)
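Review bot: In the `info->deriver` branch the requested `storePath` is never tied to what actually gets built: when `std::find_if` returns `outputMap.end()` the code still calls `dstStore->buildPaths` with an empty `StringSet`, and nothing afterwards checks that `storePath` became valid in `dstStore`. `info->deriver` is metadata read from the source store and is not verified here, so a stale or wrong deriver could make this branch finish without delivering the path the caller asked for. Reject the mismatch before building, e.g. `if (p == outputMap.end()) throw Error("derivation '%s' does not produce '%s'", srcStore->printStorePath(drvPath), srcStore->printStorePath(storePath));`, and consider confirming with `dstStore->isValidPath(storePath)` after the build. The enclosing lambda and `copyPaths` start and end outside the hunk.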
diff --git a/src/libstore/store-api.hh b/src/libstore/store-api.hh
index ce95b78b1..2b4672748 100644
--- a/src/libstore/store-api.hh
+++ b/src/libstore/store-api.hh
@@ -205,7 +205,9 @@ struct StoreConfig : public Config
const Setting<int> pathInfoCacheSize{this, 65536, "path-info-cache-size", "size of the in-memory store path information cache"};
- const Setting<bool> isTrusted{this, false, "trusted", "whether paths from this store can be used as substitutes even when they lack trusted signatures"};
+ const Setting<bool> isTrusted{this, false, "trusted", "whether paths from this store can be used as substitutes even when they lack trusted signatures. Compare \"trusting\""};
+
+ Setting<bool> isTrusting{this, true, "trusting", "whether (we think) paths can be added to this store even when they lack trusted signatures. Compare \"trusted\""};
Setting<int> priority{this, 0, "priority", "priority of this substituter (lower value means higher priority)"};
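Review bot: The description of `trusting` leaves the trust model implicit: "(we think)" does not say that this is a locally configured assumption, and in the visible hunks nothing queries it from the destination store. With the default of `true`, the new checks in `copyPaths` and `build-remote` keep the previous behaviour unless the user opts out, so a destination that does not trust the client presumably fails only when it rejects what was sent. Suggested wording: `"whether this store is assumed to accept paths that lack trusted signatures; this is a local setting and is not checked against the store. Compare \"trusted\""`. `isTrusting` is also declared non-`const` while `isTrusted` is `const`; a one-line comment saying why it needs to be mutable would help.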
diff --git a/src/nix-daemon/nix-daemon.cc b/src/nix-daemon/nix-daemon.cc
index fc6195cf0..bd016bb0c 100644
--- a/src/nix-daemon/nix-daemon.cc
+++ b/src/nix-daemon/nix-daemon.cc
@@ -269,6 +269,7 @@ static int main_nix_daemon(int argc, char * * argv)
{
{
auto stdio = false;
+ std::optional<TrustedFlag> isTrustedOpt;
parseCmdLine(argc, argv, [&](Strings::iterator & arg, const Strings::iterator & end) {
if (*arg == "--daemon")
@@ -279,14 +280,26 @@ static int main_nix_daemon(int argc, char * * argv)
printVersion("nix-daemon");
else if (*arg == "--stdio")
stdio = true;
- else return false;
+ else if (*arg == "--trust") {
+ settings.requireExperimentalFeature("nix-testing");
+ isTrustedOpt = Trusted;
+ } else if (*arg == "--no-trust") {
+ settings.requireExperimentalFeature("nix-testing");
+ isTrustedOpt = NotTrusted;
+ } else return false;
return true;
});
initPlugins();
+ auto ensureNoTrustedFlag = [&]() {
+ if (isTrustedOpt)
+ throw Error("--trust and --no-trust flags are only for use with --stdio when this nix-daemon process is not proxying another");
+ };
+
if (stdio) {
if (auto store = openUncachedStore().dynamic_pointer_cast<RemoteStore>()) {
+ ensureNoTrustedFlag();
auto conn = store->openConnectionWrapper();
int from = conn->from.fd;
int to = conn->to.fd;
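Review bot: `--trust` and `--no-trust` both assign `isTrustedOpt` without checking whether it is already set, so when both are passed the last one silently wins. For an option that decides whether the peer on stdio is treated as trusted, a repeated or conflicting flag is better rejected, e.g. `if (isTrustedOpt) throw Error("only one of --trust and --no-trust may be given");` before each assignment. The lambda passed to `parseCmdLine` begins outside this hunk.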
@@ -320,9 +333,11 @@ static int main_nix_daemon(int argc, char * * argv)
/* Auth hook is empty because in this mode we blindly trust the
standard streams. Limitting access to thoses is explicitly
not `nix-daemon`'s responsibility. */
- processConnection(openUncachedStore(), from, to, Trusted, NotRecursive, [&](Store & _){});
+ auto isTrusted = isTrustedOpt.value_or(Trusted);
+ processConnection(openUncachedStore(), from, to, isTrusted, NotRecursive, [&](Store & _){});
}
} else {
+ ensureNoTrustedFlag();
daemonLoop(argv);
}
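Review bot: The comment kept above `processConnection` still says the standard streams are blindly trusted, which no longer holds once `--no-trust` is given. Update it to state the default and the override, e.g. `/* Auth hook is empty; the stdio peer is Trusted unless --no-trust was passed. Limiting access to the streams is not nix-daemon's responsibility. */`. Keeping `Trusted` as the `value_or` default preserves existing behaviour, and this comment is the only place a reader learns that whoever can reach these streams gets full trust by default.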