--- a/cmds/fleet/src/cmds/build_systems.rs
+++ b/cmds/fleet/src/cmds/build_systems.rs
@@ -191,6 +191,7 @@
 // TODO: If rollback target exists - bail, it should be removed. Lockfile will not work in case if rollback
 // is scheduler on next boot (default behavior). On current boot - rollback activator will fail due to
 // unit name conflict in systemd-run
+ // This code is tied to rollback.nix
 if !build.disable_rollback {
 let _span = info_span!("preparing").entered();
 info!("preparing for rollback");
@@ -334,6 +335,19 @@
 Action::Upload { action } => {
 if !config.is_local(&host) {
 info!("uploading system closure");
+ {
+ let mut sign = MyCommand::new("sudo");
+ // Private key for host machine is registered in nix-sign.nix
+ sign.arg("nix")
+ .arg("store")
+ .arg("sign")
+ .comparg("-k", "/etc/nix/private-key")
+ .arg("-r")
+ .arg(&built);
+ if let Err(e) = sign.run_nix().await {
+ warn!("Failed to sign store paths: {e}");
+ };
+ }
 let mut tries = 0;
 loop {
 let mut nix = MyCommand::new("nix");
--- a/cmds/fleet/src/command.rs
+++ b/cmds/fleet/src/command.rs
@@ -269,7 +269,7 @@
 drv = pkg;
 }
 }
- info!(target: "nix","copying {} {} -> {}", drv, from, to);
+ // info!(target: "nix","copying {} {} -> {}", drv, from, to);
 let span = info_span!("copy", from, to, drv);
 span.pb_start();
 self.spans.insert(id, span);
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -3,4 +3,5 @@
 ../meta.nix
 ../secrets.nix
 ../rollback.nix
+ ../nix-sign.nix
 ]
--- /dev/null
+++ b/nixos/nix-sign.nix
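Review bot: A failure of `nix store sign` in the second hunk is only reported with `warn!` and execution falls straight into the upload retry loop, so on a target that enforces signatures (Nix's `require-sigs` defaults to on) every `nix copy` attempt will be rejected with an error that no longer mentions the signing step that actually failed. If the enclosing function returns a `Result`, propagate the error instead — `sign.run_nix().await?;` — or, if best-effort signing is intended, state that in the comment above the block so the warning is not mistaken for a bug. The path `/etc/nix/private-key` is also spelled out in nix-sign.nix and install-trusted-cert.sh; a `const NIX_SECRET_KEY: &str` in this crate next to the comment that already cross-references nix-sign.nix would at least keep the Rust side from drifting when the key location changes. The enclosing match arm and function start and end outside the hunk.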
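Review bot: The `info!` in command.rs is commented out rather than deleted; commented-out code should be removed, and `info_span!("copy", from, to, drv)` on the following line already records the same three fields, so dropping the line loses nothing. If the message is still wanted at a quieter level, replace it with `debug!(target: "nix", "copying {} {} -> {}", drv, from, to);` (assuming that macro is imported alongside `info!`). The enclosing function starts and ends outside the hunk.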
@@ -0,0 +1,14 @@
+# Required for nix copy in build_systems.rs
+{config, ...}: {
+ # https://github.com/NixOS/nix/issues/3023
+ systemd.services.generate-nix-cache-key = {
+ wantedBy = ["multi-user.target"];
+ serviceConfig.Type = "oneshot";
+ path = [config.nix.package];
+ script = ''
+ [[ -f /etc/nix/private-key ]] && exit
+ nix-store --generate-binary-cache-key ${config.networking.hostName}-1 /etc/nix/private-key /etc/nix/public-key
+ '';
+ };
+ nix.settings.secret-key-files = "/etc/nix/private-key";
+}
--- a/nixos/rollback.nix
+++ b/nixos/rollback.nix
@@ -1,3 +1,4 @@
+# Tied to build_systems.rs
 {config, ...}: {
 # TODO: Make it work with systemd-initrd approach.
 # In this case we can't just switch generation and re-run activation script, since the root filesystem might not be
--- /dev/null
+++ b/scripts/install-trusted-cert.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+set -eu
+
+pubkey="$(sudo cat /etc/nix/private-key | nix key convert-secret-to-public)"
+echo pubkey = "$pubkey"
+
+edited_conf=$(mktemp)
+
+remote_conf=$(ssh "$1" cat /etc/nix/nix.conf)
+echo remote_conf = \"\"\"
+echo "$remote_conf"
+echo \"\"\"
+echo "$remote_conf" > "$edited_conf"
+sed -i 's/\. Do not edit it!/\. Then it was altered by install-trusted-cert. Do not edit!/g' "$edited_conf"
+sed -i "s|^trusted-public-keys =.*|& $pubkey|g" "$edited_conf"
+
+echo edited_conf = \"\"\"
+cat "$edited_conf"
+echo \"\"\"
+
+# Make nix.conf editable
+ssh "$1" sudo mv /etc/nix/nix.conf /etc/nix/nix.conf.bk
+ssh "$1" sudo cp /etc/nix/nix.conf.bk /etc/nix/nix.conf
+ssh "$1" "cat | sudo dd of=/etc/nix/nix.conf" < "$edited_conf"
+ssh "$1" sudo systemctl restart nix-daemon
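Review bot: `generate-nix-cache-key` is only `wantedBy` `multi-user.target` with no ordering against `nix-daemon.service`, while `nix.settings.secret-key-files` points the daemon at `/etc/nix/private-key` — on a freshly installed host the daemon can start before the key exists, so the first builds and the `nix store sign` call from build_systems.rs race the generator. Add `before = ["nix-daemon.service"];` and `requiredBy = ["nix-daemon.service"];` so the key is guaranteed to be present before the daemon reads its settings. The script also relies on `nix-store --generate-binary-cache-key` writing the secret file non-world-readable; that is worth confirming on the deployed Nix version, and `umask 077` as the first line of the script is a cheap belt-and-braces measure. The header comment should say what the module actually provides, e.g. `# Generates a per-host Nix signing key (name ${hostName}-1) so build_systems.rs can sign closures before nix copy; the matching /etc/nix/public-key must be added to trusted-public-keys on every target.`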
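Review bot: The script replaces `/etc/nix/nix.conf` on the remote by moving the generated file aside and writing an edited copy, but that file is regenerated from `nix.settings` on every activation (the `Do not edit it!` header the first `sed` rewrites is NixOS's own warning), so the trust entry disappears at the next `nixos-rebuild switch` or reboot and the host quietly stops accepting the signed closures. The durable fix is to put the public key into `nix.settings.trusted-public-keys` in the target's configuration; nix-sign.nix in this same commit already writes it to `/etc/nix/public-key`, so it can be collected from there. If the script stays as a stop-gap it should fail when the second `sed` has nothing to extend rather than uploading an unchanged file — `grep -q '^trusted-public-keys =' "$edited_conf" || { echo 'no trusted-public-keys line in remote nix.conf' >&2; exit 1; }` before the `ssh` writes — and a second run currently overwrites `nix.conf.bk` with the already-edited copy, which deserves either a guard or a warning in the header comment.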