Current scheme:

1. Hydra notices a drv to build
2. Hydra sends the drv to builder B
3. B builds
4. The product of B's build gets copy-closure'd to Hydra
5. On a "main" server, nix signs the built derivations
6. Said main server pushes the built derivation to the cache

TCB: steps 2, 3, 4, 5 (because from the time the derivation is picked by Hydra to the time it's signed, all the steps have to be secure)

Breakage for inability to recover: main server being compromised

Scope of damage if B is temporarily compromised: all builds that were sent to it

New scheme idea:

1. Hydra notices a drv to build
2. Hydra sends the drv to builder B
3. B builds and signs with a builder-local key
4. B uploads the build to the cache
5. Hydra sends the drv to the signer machine
6. Signer machine downloads the build from the cache, verifies B's signature, re-signs
7. Signer machine re-uploads the build with the new key

TCB: steps 3 and 6 (because every step in between is trustless)

Breakage for inability to recover: signer machine being compromised

Scope of damage if B is temporarily compromised: all builds that were sent to it (assuming the signer machine verifies the signature of B specifically, not only the signature of "any builder")
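The step-6 check in the new scheme, as an added illustration that is not part of these notes or of Hydra's code: the signer re-signs a build only if the builder signature was made by the builder Hydra dispatched that drv to, so a key-compromised builder cannot get other builders' outputs accepted. The fingerprint format follows Nix's narinfo signing convention; the `Dispatch` map (which builder each drv went to) is an assumed piece of bookkeeping passed along in step 5.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
)

// Fingerprint is the string a Nix signature covers (narinfo "1;..." format).
func Fingerprint(storePath, narHash string, narSize uint64, refs []string) string {
	return fmt.Sprintf("1;%s;%s;%d;%s", storePath, narHash, narSize, strings.Join(refs, ","))
}

// Sign yields a narinfo-style "keyName:base64sig" value (step 3 on B, step 6 on the signer).
func Sign(keyName string, priv ed25519.PrivateKey, fp string) string {
	return keyName + ":" + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(fp)))
}

// Verify accepts sig only if it is labelled keyName and verifies under pub.
func Verify(pub ed25519.PublicKey, keyName, sig, fp string) bool {
	name, b64, ok := strings.Cut(sig, ":")
	if !ok || name != keyName || len(pub) != ed25519.PublicKeySize {
		return false
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	return err == nil && ed25519.Verify(pub, []byte(fp), raw)
}

// Signer models the step-6 machine. Dispatch (which builder Hydra sent each drv
// to) is assumed bookkeeping the signer receives from Hydra in step 5.
type Signer struct {
	Builders     map[string]ed25519.PublicKey // builder key name -> public key
	Dispatch     map[string]string            // drv path -> builder key name
	CacheKeyName string
	CacheKey     ed25519.PrivateKey
}

// Resign re-signs fp with the cache key only if builderSig was made by the
// builder this drv was dispatched to, not merely by some trusted builder.
func (s *Signer) Resign(drv, fp, builderSig string) (string, error) {
	want, ok := s.Dispatch[drv]
	if !ok {
		return "", fmt.Errorf("no dispatch record for %s", drv)
	}
	if !Verify(s.Builders[want], want, builderSig, fp) {
		return "", fmt.Errorf("%s: signature is not from dispatched builder %s", drv, want)
	}
	return Sign(s.CacheKeyName, s.CacheKey, fp), nil
}
```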