
nix repair does not adhere to extra-trusted-substituters #11875

@roberth

Describe the bug

nix repair, and probably other commands, do not respect the trusted-substituters setting.
Instead, ?trusted=true must be passed.

This is surprising, and probably a bug.

Steps To Reproduce

There's probably an easier way to trigger this.

  1. Choose or make an unimportant store path <path>
  2. Back up a store path with nix copy --to ~/recoverstore <path>
  3. Corrupt the original store path by mounting the system store file system rw and deleting it from the file system. Do not delete it from the store db; we want that entry to remain.
  4. sudo nix store repair --extra-substituters ~/recoverstore --extra-trusted-substituters ~/recoverstore <path> (the latter option seems to have no effect; need ?trusted=true; different issue)

Observe a message like

warning: ignoring substitute for '/nix/store/nzb7spdhiy30ikv1crnk8dgl0svyjgw4-libunistring-1.2' from 'local', as it's not signed by any of the keys in 'trusted-public-keys'

Expected behavior

No message, and the substitution succeeds because either or both:

  • the substituter is trusted by virtue of trusted-substituters
  • A valid signature from the original store db is used.
Note that we're not doing a normal substitution here. We may already have a signature, so if the substituter's contents match our metadata, we have all we need, and we should be able to proceed.

nix-env --version output

2.24.10

Additional context

Priorities

Add 👍 to issues you find important.
