Conversation

@Manuthor Manuthor commented Oct 29, 2025

The goal of this PR is to have a reproducible build:

  • use Nix as a reproducible package management and build system
    What is Nix?
    Nix is a purely functional package manager and build system that guarantees reproducible, declarative, and reliable software builds. It's both a package manager (like apt, yum, or homebrew) and a complete build system.
  • Make the build offline
  • Make sure at most Glibc 2.28 is supported - equivalent to RedHat 8 / Debian 10
  • Build the RPM/DEB/DMG/NSIS packages and sign them with a GPG key
  • Split tests into parallel test systems (for databases, Google CSE, HSM)
  • Support HSM tests for Proteccio
  • Refactor the Docker build

Closes #602

@Manuthor Manuthor changed the title Nix Nix: Reproducible Package Management Oct 29, 2025
@Manuthor Manuthor marked this pull request as ready for review November 7, 2025 07:10
@Manuthor Manuthor requested a review from bgrieder November 18, 2025 18:56
@Manuthor Manuthor requested a review from Copilot November 18, 2025 21:12
Copilot AI left a comment

Pull Request Overview

This PR introduces Nix as a reproducible package manager and build system to achieve deterministic, offline-capable builds with strict dependency pinning and GLIBC 2.28 compatibility (equivalent to RedHat 8 / Debian 10). The PR migrates from OpenSSL 3.2.0 to 3.1.2, establishes Nix-based packaging workflows, adds GPG package signing, splits tests into parallel subsystems, and refactors Docker builds.

Key changes:

  • Nix package management with offline builds and deterministic binary hashes
  • OpenSSL downgrade from 3.2.0 to 3.1.2 (FIPS-compatible)
  • GPG package signing with automated verification
  • Parallel test execution across databases, Google CSE, and HSM variants
  • Unified packaging scripts for DEB/RPM/DMG with hash enforcement
  • Docker image build refactor using pre-built Debian packages

Reviewed Changes

Copilot reviewed 84 out of 86 changed files in this pull request and generated no comments.

Summary per file:

  • vcpkg_fips.json, vcpkg.json: Updated OpenSSL version from 3.2.0 to 3.1.2 and baseline hash
  • shell.nix: New Nix development environment with pinned dependencies and GLIBC 2.28 support
  • default.nix: Nix build entry point with Rust 1.90.0, OpenSSL 3.1.2, and cargo tools
  • nix/kms-server.nix: KMS server derivation with deterministic builds and hash enforcement
  • nix/openssl-3_1_2.nix: OpenSSL 3.1.2 FIPS build with offline tarball support
  • nix/scripts/*: Unified packaging scripts for DEB/RPM/DMG with GPG signing
  • nix/signing-keys/*: GPG signing infrastructure with key generation and verification
  • nix/expected-hashes/*: Platform-specific deterministic binary hashes for FIPS/non-FIPS
  • scripts/*.py: Changed f-string quotes from double to single throughout Python scripts
  • crate/server/build.rs: Added build-time OpenSSL 3.1.2 FIPS build support outside Nix
  • crate/server/Cargo.toml: Updated asset paths with XXX/YYY placeholders for Nix substitution
  • crate/server/src/main.rs: Removed unused debug import, changed debug! to info!
  • crate/server/src/core/kms/mod.rs: Refactored HSM instantiation with environment variable overrides
  • crate/hsm/*/src/tests.rs: Updated HSM test configurations for environment variable overrides
  • crate/cli/src/tests/kms/shared/locate.rs: Added unique tags to prevent test interference
  • .github/workflows/*.yml: New CI workflows for packaging, Docker builds, and artifact distribution
  • .github/scripts/*.sh: New test scripts for parallel execution (sqlite, mysql, psql, redis, pykmip, hsm)
  • README.md, CONTRIBUTING.md, SECURITY.md: Updated documentation for Nix builds and OpenSSL 3.1.2
  • Dockerfile: Refactored to use pre-built Debian packages
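The review above mentions hash enforcement against platform-specific expected-hash files (nix/expected-hashes/*). The following is an added example, not code from this PR or the project, of how such a check can be applied to a set of built packages; the manifest format (sha256sum-style lines) and the artifact names are assumptions, and the sample bytes are constructed.

```python
# Added example (not code from the PR): enforce expected artifact hashes.
# The manifest format is an assumption modelled on sha256sum output:
# "<hex sha256>  <artifact name>" per line; '#' starts a comment.
import hashlib
from dataclasses import dataclass, field

@dataclass
class Report:
    mismatched: list = field(default_factory=list)  # built, but hash differs
    missing: list = field(default_factory=list)     # listed, but not built
    unexpected: list = field(default_factory=list)  # built, but not listed

    @property
    def passed(self) -> bool:
        # An unlisted artifact also fails: the expected package set is closed.
        return not (self.mismatched or self.missing or self.unexpected)

def parse_manifest(text: str) -> dict:
    """Return {artifact name: lowercase hex digest}; reject malformed lines."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno}: malformed entry {raw!r}")
        digest, name = parts
        int(digest, 16)  # raises ValueError on a non-hex digest
        if name in expected:
            raise ValueError(f"manifest line {lineno}: duplicate entry {name}")
        expected[name] = digest.lower()
    return expected

def verify_artifacts(manifest_text: str, artifacts: dict) -> Report:
    """artifacts maps artifact name -> bytes (in practice, read from disk)."""
    expected = parse_manifest(manifest_text)
    report = Report()
    for name, data in artifacts.items():
        if name not in expected:
            report.unexpected.append(name)
        elif hashlib.sha256(data).hexdigest() != expected[name]:
            report.mismatched.append(name)
    report.missing = sorted(set(expected) - set(artifacts))
    return report
# Constructed sample: two package variants and the manifest a release would pin.
SAMPLE_ARTIFACTS = {"kms-server-fips.deb": b"constructed fips package bytes",
                    "kms-server.deb": b"constructed non-fips package bytes"}
SAMPLE_MANIFEST = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {n}  # pinned"
                            for n, d in SAMPLE_ARTIFACTS.items())
```

A CI gate would read the manifest for the target platform and FIPS variant, pass the freshly built files to verify_artifacts, and fail the job unless the report's passed flag is set.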

Development

Successfully merging this pull request may close these issues.

Debian releases: bump ?