May 25, 2026 by Graham Christensen

Changelog: Determinate Nix 3.21.0

We at Determinate Systems are greatly pleased to announce the release of Determinate Nix version 3.21.0, based on upstream Nix 2.34.6. It includes support for several CNSA algorithms, a new nix serve command for experimenting locally with Nix binary caches, a newly lazy fetchTarball function, support for Buildkite auth, and the usual round of bug fixes.

CNSA 1.0 and 2.0 signing algorithm support

Determinate Nix now supports a subset of Commercial National Security Algorithm (CNSA) 1.0 and 2.0 signature algorithms:

  • ecdsa-p384
  • ml-dsa-44
  • ml-dsa-65
  • ml-dsa-87

ML-DSA is a post-quantum cryptography signature scheme.

Support for these algorithms is currently gated behind the experimental cnsa feature, which you can enable in your custom Determinate Nix configuration:

extra-experimental-features = cnsa

When enabled, you can use these signatures by running nix key generate-secret and specifying the algorithm using the --key-type option. Here’s an example command:

Generate an ml-dsa-87 key using Determinate Nix
nix key generate-secret \
--key-type ml-dsa-87 \
--key-name my-cache.example.org-1

Otherwise, everything works the same as with the existing ed25519 (libsodium) signatures, except that the new algorithms produce larger keys and signatures (especially ML-DSA).

We’ve also added these commands to Determinate Nix:

These may be useful if you want to use the keys with the OpenSSL CLI.

Relevant pull request

nix serve command

Determinate Nix now offers a nix serve command that provides a built-in binary cache server, similar to the nix-serve tool. It’s mostly intended for testing and to serve as a reference implementation for Nix binary caches.

Relevant pull request

Lazy fetchTarball

The fetchTarball built-in function is now lazy, which can prevent unnecessary copying of source trees into the Nix store in some cases.

Buildkite authentication support

FlakeHub (and thus also FlakeHub Cache) now supports Buildkite as an authentication provider. This means that Buildkite workflows can now publish flake releases and push store paths to FlakeHub Cache using JSON Web Tokens (JWTs) issued by Buildkite’s Agents API.

For more on Determinate Systems and Buildkite, check out our guide to Determinate on Buildkite as well as our own Luc Perkins’ post on the Buildkite blog, Ephemeral macOS builds with Buildkite, Nix, and Tailscale.

Various bug fixes

As usual, version 3.21.0 includes a wide range of bug fixes and developer interface improvements.

How to get Determinate Nix

If you already have Determinate Nix installed, you can upgrade to 3.21.0 with one Determinate Nixd command:

Upgrade command for version 3.21.0
sudo determinate-nixd upgrade

If you don’t yet have Determinate Nix installed, you can upgrade or migrate to Determinate Nix on macOS using our graphical installer:


Install Determinate Nix on macOS now 🍎

With support for Apple Silicon (aarch64-darwin)

On Linux:

Install Determinate Nix on Linux
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | \
sh -s -- install --determinate

On NixOS, we recommend using our dedicated NixOS module or our NixOS ISO (NixOS installer for x86_64, NixOS installer for ARM) with Determinate Nix pre-installed.

On GitHub Actions:

.github/workflows/nix-ci.yaml
on:
  pull_request:
  workflow_dispatch:
  push:
    branches:
      - main
jobs:
  nix-ci:
    runs-on: ubuntu-latest
    # Include this block to log in to FlakeHub and access private flakes
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v6
      - uses: DeterminateSystems/flake-checker-action@main
      - uses: DeterminateSystems/determinate-nix-action@v3
      - uses: DeterminateSystems/flakehub-cache-action@v3
      - run: nix flake check

In Amazon Web Services:

aws.tf
data "aws_ami" "detsys_nixos" {
  most_recent = true
  owners      = ["535002876703"] # Commercial
  # owners = ["579351485434"] # GovCloud
  # owners = ["129194717446"] # European Sovereign Cloud
  filter {
    name   = "name"
    values = ["determinate/nixos/epoch-1/*"]
  }
  filter {
    name   = "architecture"
    values = ["x86_64"]
  }
}

Written by Graham Christensen

Graham is a Nix and Rust developer with a passion and focus on reliability in the lower levels of the stack. He is a co-founder of Determinate Systems, alongside [Eelco Dolstra](/people/eelco-dolstra), as well as its Chief Technology Officer.