Automatically generate and use a signing key

[lisanna-dettwyler]

Sets the default value of secret-key-files to /nix/var/nix/keys/secret-key, and automatically generates this keypair if it doesn't exist. The effect of this is that locally built paths are always signed, making it easier to trace where builds come from and to establish trust. The corresponding public key is stored at /nix/var/nix/public-keys/public-key.

Closes #3023

Motivation

In addition to enabling tracing of what machine built what store path, this makes a future --target-store flag more usable, because you can obtain and add the automatically-generated public key of the remote store rather than having to manually generate and configure a new key.

Context

#3023

---

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

[Ericson2314]

I think this should be done on the remote side. Singing builds that a different machine may have performed by default is a bit dangerous. But if the logic is moved to the local build code path, then it is safe.

[lisanna-dettwyler]

I think this should be done on the remote side. Singing builds that a different machine may have performed by default is a bit dangerous. But if the logic is moved to the local build code path, then it is safe.

@Ericson2314 isn't that where I have it? LocalStore inherits Store::buildPathsWithResults (what this PR touches), but SSHStore inherits RemoteStore::buildPathsWithResults (which this PR doesn't touch).

[lisanna-dettwyler]

Oh, I'm silly, there's already logic to sign paths with the contents of secret-key-files. This should end up being a much simpler change.

[xokdvium]

Tbh I'm not sure having the default be in /etc is a great idea. At the very least is should be in an unlistable directory, but it's certainly a policy question...