Some of you may know that a few months ago, the Spectrum binary cache builder broke, because a change to the TLS on github.com (where the builder downloaded NixOS netboot images from) meant that Vultr's iPXE was no longer able to connect to it, and Vultr told me they couldn't give a timeline on updating iPXE to include the fix[1].

In the time since then, I've been working on a new binary cache builder with no need for iPXE — more information in the commit message[2].

One of the nice things about the new design is that it allows for being a little bit more careful with the key — it's stored in Scaleway's Secret Manager[3] (which stores it encrypted), and it's never written to disk unencrypted by the builder. Given this slightly higher level of security for the key, it makes sense to transition to a new key that has never been stored outside of this arrangement. (I generated it from Tails.)

So, if you have Nix configured to trust the old binary cache key, spectrum-os.org-1:rnnSumz3+Dbs5uewPlwZSTP0k3g/5SRG4hD7Wbr9YuQ=, you should replace that in your configuration with the new key, spectrum-os.org-2:foQk3r7t2VpRx92CaXb5ROyy/NBdRJQG2uX2XJMYZfU=.

During the Tails session where I generated the new key, I also generated and uploaded signatures for all store paths in the binary cache that had a valid signature from the old key, so it's possible to distrust the old key without losing the ability to substitute old paths from the binary cache. In future, all store paths built by the builder will only be signed with the new key.

I've updated the binary cache documentation to describe the new binary cache[4]. The rendered documentation on the website will update once the new builder has completed its first build.

This is a small evolutionary step for builder security — I'd probably still want to do more before using it to build non-development images, for example having the key on an HSM rather than being on the builder's filesystem.

[1]: https://github.com/ipxe/ipxe/commit/1d1cf74a5e58811822bee4b3da3cff7282fcdfca
[2]: https://spectrum-os.org/git/infra/commit/?id=ef9717440ff4e000cb50009bb68ba3b...
[3]: https://www.scaleway.com/en/secret-manager/
[4]: https://spectrum-os.org/git/spectrum/commit/?id=f5a75c9739d9ab23323734ccdfda...
participants (1)
-
Alyssa Ross
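
Added example, not part of the original message and not Spectrum's own tooling: a small audit of nix.conf text that reports whether the old key is still trusted, whether the new one is, and whether any entry carries a Spectrum key name with different or malformed key material. The two key strings are copied from the message; the `example.org-1` key, the sample file, and all function names are constructed for illustration.

```python
import base64

# Key strings copied from the announcement above.
OLD_KEY = "spectrum-os.org-1:rnnSumz3+Dbs5uewPlwZSTP0k3g/5SRG4hD7Wbr9YuQ="
NEW_KEY = "spectrum-os.org-2:foQk3r7t2VpRx92CaXb5ROyy/NBdRJQG2uX2XJMYZfU="
KEY_SETTINGS = ("trusted-public-keys", "extra-trusted-public-keys")

def trusted_keys(conf_text):
    """Collect every key named by the trusted-public-keys settings.
    All matching lines are merged, which over-reports rather than under-reports."""
    keys = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        name, sep, value = line.partition("=")  # key material may itself end in "="
        if sep and name.strip() in KEY_SETTINGS:
            keys.extend(value.split())
    return keys

def is_well_formed(key):
    """Expect '<name>:<base64>' where the base64 decodes to 32 bytes (Ed25519)."""
    name, sep, b64 = key.partition(":")
    if not (name and sep):
        return False
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:  # bad alphabet or padding
        return False

def audit(conf_text):
    keys = trusted_keys(conf_text)
    known = (OLD_KEY, NEW_KEY)
    names = {k.split(":")[0] for k in known}
    return {
        "old_key_trusted": OLD_KEY in keys,
        "new_key_trusted": NEW_KEY in keys,
        # Right key name, wrong key material: truncated paste or substituted key.
        "name_mismatch": [k for k in keys if k not in known and k.split(":")[0] in names],
        "malformed": [k for k in keys if not is_well_formed(k)],
    }

# Constructed sample nix.conf (example.org key is 32 zero bytes, for illustration).
FILLER = "example.org-1:" + base64.b64encode(bytes(32)).decode()
SAMPLE_CONF = f"""\
substituters = https://cache.example.org
trusted-public-keys = {FILLER} {OLD_KEY}
extra-trusted-public-keys = spectrum-os.org-2:foQk3r7t2VpRx92CaXb5  # truncated paste
"""

if __name__ == "__main__":
    for field, value in audit(SAMPLE_CONF).items():
        print(f"{field}: {value}")
```

On the constructed sample this reports the old key as still trusted, the new key as not trusted, and the truncated `spectrum-os.org-2` entry as both a name mismatch and malformed.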