Troubleshooting
Symptoms you are likely to hit, what causes them, and what to do about them.
401 Unauthorized or 403 Forbidden when pushing
The registry accepted the connection but refused the write. Almost always the credential, not the code.
Check, in order:
- Scope. A GitHub PAT needs
write:packagesto push toghcr.io. Read-only tokens authenticate fine and then fail at the upload, which is why this looks like a bug rather than a permissions problem.aeroflare auth status - The right token is being found. Resolution order is flags, then environment
(
AEROFLARE_GITHUB_TOKEN,GITHUB_TOKEN,GH_TOKEN), then the OS keychain. A staleGITHUB_TOKENin your shell silently wins over the good one in your keychain. - Package ownership. The first push creates the package under the user or org that owns the token. If the package already exists and is owned by an org with restricted package creation, the push is refused no matter how well-scoped the token is.
In CI, pass the credential as a password, not a bearer token — the registry performs the exchange itself. See Authentication.
The build succeeds but nothing is pushed
aeroflare run learns which store paths to upload by reading the paths that the
wrapped command prints. If the command prints nothing, there is nothing to push,
and run exits successfully having done nothing.
Add --print-out-paths:
aeroflare run -- nix build .#default --print-out-paths
This is the single most common surprise with run. If a build seems to cache
nothing at all, check this before anything else.
Nix downloads the NAR, then refuses the path
You will see something like signature is not valid or cannot add path ... it is not signed by a trusted key.
Nix fetched your artifact and then rejected it, because your cache's public key is not in its trust list. The cache is working; the client does not trust it.
Add the key to nix.conf (/etc/nix/nix.conf, or ~/.config/nix/nix.conf):
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= my-cache:AbCd...=
Keep cache.nixos.org-1 in the list — it is space-separated and replacing it
will break upstream substitution.
See Signing Keys for how to produce and publish the key.
Nix ignores the substituter entirely
The build runs from source as if Aeroflare were not there, and no request ever reaches the proxy.
The Nix daemon discards extra-substituters supplied by a user who is not
trusted. Add yourself to trusted-users in /etc/nix/nix.conf:
trusted-users = root your-username
Then restart the daemon (sudo systemctl restart nix-daemon, or on macOS
sudo launchctl kickstart -k system/org.nixos.nix-daemon). Until the daemon is
restarted, the setting has no effect — which makes this look as if the fix did
not work.
nix run github:ItzEmoji/aeroflare runs an old version
Flake references are cached. To force a re-resolve:
nix run github:ItzEmoji/aeroflare --refresh -- version
Or pin an explicit revision. Check what you are actually running with
aeroflare version.
Seeing what the proxy is doing
-v logs at the package level; -vv logs every outgoing HTTP request to the
registry, which is what you want when diagnosing a lookup that returns nothing:
aeroflare proxy -vv
A 404 on a manifest fetch means the store hash is genuinely not in the cache —
the proxy will fall through to the upstream cache, which is working as intended.