Add support for signing store paths using ML-DSA-65#449

Draft
edolstra wants to merge 3 commits into main from eelcodolstra/nix-373
Conversation


@edolstra edolstra commented May 6, 2026

Motivation

ML-DSA-65 is a post-quantum cryptography signature scheme.

To use, just call nix key generate-secret with --key-type ml-dsa-65, otherwise it works the same as ed25519 (libsodium) signatures except that it produces much bigger keys/signatures.

Context

Summary by CodeRabbit

  • New Features

    • Added support for MLDSA-65 cryptographic algorithm alongside Ed25519 for key generation and signing operations.
    • Introduced --key-type CLI flag to specify key algorithm (ed25519 or ml-dsa-65) when generating secret keys.
    • Enhanced nix key generate-secret command workflow with explicit key type specification.
  • Chores

    • Refactored internal utility infrastructure and expanded test coverage for multiple key algorithms.

edolstra added 3 commits May 6, 2026 16:10
ML-DSA-65 is a post-quantum cryptography signature scheme.

To use, just call `nix key generate-secret` with `--key-type
ml-dsa-65`, otherwise it works the same as ed25519 (libsodium)
signatures except that it produces much bigger keys/signatures
@edolstra edolstra marked this pull request as draft May 6, 2026 14:42
coderabbitai Bot commented May 6, 2026

Caution

Review failed

Failed to post review comments

Walkthrough

This PR refactors deleter utilities into a shared library location and introduces multi-algorithm cryptographic key support by adding a KeyType system to enable Ed25519 and MLDSA-65 key generation, signing, and verification.

Changes

Deleter Utility Refactoring

| Layer / File(s) | Summary |
|---|---|
| Utility Definition: src/libutil/include/nix/util/deleter.hh | New generic Deleter template that invokes a provided deleter function on a pointer via operator(). |
| Build Integration: src/libutil/include/nix/util/meson.build | Expose deleter.hh as a public header. |
| Type Updates: src/libutil/include/nix/util/file-system.hh | Replace custom DIRDeleter struct with templated Deleter<closedir> in AutoCloseDir typedef and add include for deleter utility. |
| Include Updates: src/libfetchers/git-lfs-fetch.cc, src/libfetchers/git-utils.cc | Add includes for the shared deleter utility. |
| Cleanup: src/libfetchers/include/nix/fetchers/git-utils.hh | Remove the local Deleter template definition (now in shared utility). |

Key Type System & MLDSA-65 Support

| Layer / File(s) | Summary |
|---|---|
| Data Shape Changes: src/libutil/include/nix/util/signature/local-keys.hh | Add KeyType enum with Ed25519 and MLDSA65 values, parseKeyType() helper, and update Key, SecretKey, and PublicKey constructors to accept and track the key type. |
| Core Implementation: src/libutil/signature/local-keys.cc | Implement MLDSA-65 key parsing (DER OID detection), deterministic signing via OpenSSL EVP, key generation with DER encoding, and multi-algorithm verification in verifyDetachedAnon switch statement. Add public parseKeyType() function. |
| Consumer Wiring: src/nix/nix-store/nix-store.cc, src/nix/sigs.cc | Explicitly specify Ed25519 key type in opGenerateBinaryCacheKey; add --key-type CLI flag in CmdKeyGenerateSecret and wire it to SecretKey::generate(). |
| Tests: tests/functional/signing.sh | Migrate key generation flow from direct binary cache key creation to nix key generate-secret with public key extraction; add test runs for ed25519 and ml-dsa-65 key types. |

Sequence Diagram(s)

sequenceDiagram
    participant User as User/CLI
    participant Sigs as nix/sigs.cc
    participant KeyLib as local-keys.cc
    participant OpenSSL as OpenSSL (EVP)
    participant FileIO as File Storage

    User->>Sigs: Run key generation with --key-type
    Sigs->>Sigs: Parse key type string
    Sigs->>KeyLib: SecretKey::generate(name, KeyType::MLDSA65)
    
    alt MLDSA-65
        KeyLib->>OpenSSL: EVP_PKEY_CTX_new_id(NID_MLDSA65)
        OpenSSL-->>KeyLib: EVP context
        KeyLib->>OpenSSL: EVP_PKEY_keygen() + DER encode
        OpenSSL-->>KeyLib: Encoded MLDSA-65 key
    else Ed25519
        KeyLib->>KeyLib: Generate Ed25519 key bytes
    end
    
    KeyLib-->>Sigs: SecretKey with type
    Sigs->>FileIO: Write secret key (with type metadata)
    Sigs-->>User: Key generation complete

    User->>KeyLib: Sign with SecretKey
    alt MLDSA-65
        KeyLib->>OpenSSL: EVP_DigestSignInit with MLDSA-65
        KeyLib->>OpenSSL: EVP_DigestSignFinal
        OpenSSL-->>KeyLib: Deterministic signature
    else Ed25519
        KeyLib->>KeyLib: Native Ed25519 signing
    end
    KeyLib-->>User: Signed message

    User->>KeyLib: Verify signature
    KeyLib->>KeyLib: Detect key type from encoding
    alt MLDSA-65
        KeyLib->>OpenSSL: EVP_DigestVerifyInit
        KeyLib->>OpenSSL: EVP_DigestVerifyFinal
        OpenSSL-->>KeyLib: Verification result
    else Ed25519
        KeyLib->>KeyLib: Native Ed25519 verification
    end
    KeyLib-->>User: Verification complete

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes


🐰 A deleter hops to shared land with glee,
While keys multiply in harmony—
Ed25519 joins MLDSA's song,
From cryptic types the strength grows strong,
Signatures dance through OpenSSL's gate! ✨🔐

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 15.38% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding ML-DSA-65 support for signing store paths, which is the primary objective of the changeset. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Microsoft Presidio Analyzer (2.2.362)
src/libfetchers/git-lfs-fetch.cc

Microsoft Presidio Analyzer failed to scan this file

src/libfetchers/git-utils.cc

Microsoft Presidio Analyzer failed to scan this file


github-actions Bot commented May 6, 2026

@github-actions github-actions Bot temporarily deployed to pull request May 6, 2026 14:49 Inactive
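
The walkthrough above mentions detecting the key type from its encoding (DER OID detection for ML-DSA-65). As an added example that is not code from this PR: a strict classifier for decoded public-key bytes, assuming the ML-DSA-65 payload is a DER SubjectPublicKeyInfo and the Ed25519 payload is 32 raw bytes. `KeyKind`, `readTlv`, `classifyPublicKey` and `sampleMldsa65Spki` are hypothetical names.

```cpp
// Added illustration, not PR code. Assumed encodings: DER SPKI (ML-DSA-65), 32 raw bytes (Ed25519).
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

enum class KeyKind { Ed25519, MLDSA65, Unknown }; // hypothetical, not Nix's KeyType
using Bytes = std::vector<uint8_t>;
// Content octets of id-ml-dsa-65 (2.16.840.1.101.3.4.3.18).
static const uint8_t OID_MLDSA65[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x12};
constexpr size_t ED25519_PK_LEN = 32, MLDSA65_PK_LEN = 1952;

// Read a DER header with the expected tag at `pos`, leave `pos` at the value and
// return its length. Indefinite, non-minimal and out-of-bounds lengths are rejected.
static std::optional<size_t> readTlv(const Bytes & in, size_t & pos, uint8_t tag) {
    if (in.size() - pos < 2 || in[pos] != tag) return std::nullopt;
    size_t len = in[pos + 1];
    pos += 2;
    if (len & 0x80) {
        size_t n = len & 0x7f; // number of length octets that follow
        if (n == 0 || n > 2 || in.size() - pos < n || in[pos] == 0) return std::nullopt;
        for (len = 0; n > 0; n--) len = (len << 8) | in[pos++];
        if (len < 0x80) return std::nullopt; // should have used the short form
    }
    if (in.size() - pos < len) return std::nullopt;
    return len;
}

KeyKind classifyPublicKey(const Bytes & key) {
    if (key.size() == ED25519_PK_LEN) return KeyKind::Ed25519;
    size_t pos = 0;
    auto spki = readTlv(key, pos, 0x30); // outer SEQUENCE must span the whole input
    if (!spki || pos + *spki != key.size()) return KeyKind::Unknown;
    auto alg = readTlv(key, pos, 0x30); // AlgorithmIdentifier
    if (!alg) return KeyKind::Unknown;
    size_t algEnd = pos + *alg;
    auto oid = readTlv(key, pos, 0x06); // OID must fill it: no parameters allowed
    if (!oid || *oid != sizeof OID_MLDSA65 || pos + *oid != algEnd
        || std::memcmp(&key[pos], OID_MLDSA65, *oid) != 0) return KeyKind::Unknown;
    pos = algEnd;
    auto bits = readTlv(key, pos, 0x03); // BIT STRING: unused-bits octet 0, then the key
    bool ok = bits && *bits == MLDSA65_PK_LEN + 1 && key[pos] == 0 && pos + *bits == key.size();
    return ok ? KeyKind::MLDSA65 : KeyKind::Unknown;
}
// Constructed sample: a well-formed SPKI header followed by an all-zero placeholder key.
Bytes sampleMldsa65Spki() {
    Bytes k = {0x30, 0x82, 0x07, 0xB2, 0x30, 0x0B, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
               0x03, 0x04, 0x03, 0x12, 0x03, 0x82, 0x07, 0xA1, 0x00};
    k.resize(k.size() + MLDSA65_PK_LEN, 0);
    return k;
}
```

Anything that is neither exactly 32 bytes nor a byte-exact SPKI for this one OID is classified `Unknown`, so truncated keys, trailing data and other ML-DSA parameter sets never reach a verifier under the wrong algorithm.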