Try enabling the trustix service in the subscriber?

[trustix-integration-tests] / checks / one-publisher.nix

diff --git a/checks/one-publisher.nix b/checks/one-publisher.nix
index 7ecec8fb125135fd7e512bd6b82202f15460bf3a..c24d3a991e720b47284d81fec09de0bb8e70b08e 100644 (file)
--- a/checks/one-publisher.nix
+++ b/checks/one-publisher.nix
@@ -51,6 +51,10 @@ let
     }
   '';
 
+  log-local-builds = writeShellScript "log-local-builds" ''
+    echo "$OUT_PATHS" >> /var/log/local-builds
+  '';
+
   clientConfig = writeText "clientConfig" ''
     { lib, ... }: {
       services.trustix-nix-cache = {
@@ -63,6 +67,7 @@ let
         binaryCachePublicKeys = lib.mkForce [ "clint://@binaryCachePubKey@" ];
       };
       services.trustix = {
+        enable = true;  # Fails with and without: https://github.com/tweak/trustix/issue/24
         subscribers = [{
           protocol = "nix";
           publicKey = {
@@ -76,7 +81,9 @@ let
           percentage.minimum = 66;
         };
       };
-
+      nix.extraOptions = '''
+        post-build-hook = ${log-local-builds}
+      ''';
     }
   '';
 
@@ -148,11 +155,27 @@ in nixosTest {
   };
   testScript = ''
     from os import getenv
+    from threading import Thread
 
     alisha.wait_for_file("/keys/trustix-pub")
     alisha.copy_from_vm("/keys/trustix-pub")
     clint.copy_from_host(getenv("out") + "/trustix-pub", "/keys/alisha-signing-pub")
 
+    clint.wait_for_file("/keys/cache-priv-key.pem")
+    clint_thread = Thread(
+        target=lambda: clint.succeed(
+            "${
+              mkConfig {
+                config = clientConfig;
+                trustixPubKeyPath = "/keys/alisha-signing-pub";
+                binaryCachePubKeyPath = "/keys/cache-priv-key.pem";
+              }
+            }",
+            "nixos-rebuild switch --show-trace",
+        )
+    )
+    clint_thread.start()
+
     alisha.succeed(
         "${
           mkConfig {
@@ -164,17 +187,8 @@ in nixosTest {
     )
     alisha.succeed("nix-build '<nixpkgs>' -A hello")
 
-    clint.wait_for_file("/keys/cache-priv-key.pem")
-    clint.succeed(
-        "${
-          mkConfig {
-            config = clientConfig;
-            trustixPubKeyPath = "/keys/alisha-signing-pub";
-            binaryCachePubKeyPath = "/keys/cache-priv-key.pem";
-          }
-        }",
-        "nixos-rebuild switch --show-trace",
-    )
+    clint_thread.join()
     clint.succeed("nix-build '<nixpkgs>' -A hello")
+    clint.fail("grep hello /var/log/local-builds")
   '';
 }