[Nix-dev] Authenticating binary substitutes
Lluís Batlle i Rossell
viric at viric.name
Wed May 22 21:19:20 CEST 2013
On Wed, May 22, 2013 at 02:25:38PM -0400, Eelco Dolstra wrote:
> On 22/05/13 11:12, Ludovic Courtès wrote:
> >
> > I was thinking of a simple extension to solve that:
> >
> > 1a. The /nix-cache-info file would contain an (optional)
> > ‘OpenPGPFingerprint’ field, to announce the fingerprint of the
> > OpenPGP key used to sign Nars.
> >
> > 1b. In addition to, or alternatively, a /nix-signing-key file would be
> > served, containing the OpenPGP key used to sign Nars.
> >
> > 2. In addition to serving, say,
> > /nar/zwpx7d0sv36fi4xpwqx2dak0axx5nji8-gmp-5.1.1, the server would
> > also serve /nar/zwpx7d0sv36fi4xpwqx2dak0axx5nji8-gmp-5.1.1.sig, an
> > OpenPGP binary signature of the uncompressed Nar.
>
> How about: rather than relying on nix-cache-info, nix.conf should specify a list
> of fingerprints of trusted OpenPGP signing keys. Then when we fetch a .narinfo,
> we check whether it is signed by a trusted key. This way you don't have the
> problem Lluís described.
Well, if we use gpg, gpg has its own system of trust, too. Or it's about not
using gpg?
Regards,
Lluís.
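
Added example, not part of the original message and not Nix code: one way to apply the quoted fingerprint-allowlist idea while still using gpg for the cryptographic check, by reading the machine-readable status lines that `gpg --status-fd` emits and ignoring gpg's own trust verdict. The fingerprints and status output are constructed samples, the function names are hypothetical, and 40-hex-digit (v4) fingerprints are assumed.

```python
import re

# Constructed fingerprints, not real keys. In the proposal these would come
# from nix.conf; the thread does not name the setting.
TRUSTED = {"A" * 40}
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
HEX40 = re.compile(r"[0-9A-F]{40}")

def signer_fingerprints(status_text):
    """Primary-key fingerprints of valid signatures, or [] if any check failed."""
    found = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword in REJECT:
            return []
        if keyword == "VALIDSIG" and args:
            # First argument: signing (sub)key fingerprint; tenth, when
            # present: primary key fingerprint.
            fpr = (args[9] if len(args) >= 10 else args[0]).upper()
            if HEX40.fullmatch(fpr):
                found.append(fpr)
    return found

def narinfo_trusted(status_text, trusted=TRUSTED):
    """Accept only if a valid signature comes from an allowlisted key.
    TRUST_* lines (GnuPG's own trust model) are deliberately ignored."""
    return any(f in trusted for f in signer_fingerprints(status_text))

def status(fpr, trust):
    """Build constructed sample status output for one good signature."""
    return "\n".join([
        "[GNUPG:] NEWSIG",
        f"[GNUPG:] GOODSIG {fpr[-16:]} Constructed Cache Key",
        f"[GNUPG:] VALIDSIG {fpr} 2013-05-22 1369250000 0 4 0 1 8 00 {fpr}",
        f"[GNUPG:] {trust}",
    ])

LISTED_BUT_UNKNOWN_TO_WOT = status("A" * 40, "TRUST_UNDEFINED")
ULTIMATE_BUT_NOT_LISTED = status("B" * 40, "TRUST_ULTIMATE")
TAMPERED = "[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Constructed Cache Key"

if __name__ == "__main__":
    for name in ("LISTED_BUT_UNKNOWN_TO_WOT", "ULTIMATE_BUT_NOT_LISTED", "TAMPERED"):
        print(name, narinfo_trusted(globals()[name]))
```

The second sample shows the separation between the two trust systems: a key that gpg's trust database marks as ultimately trusted is still rejected when its fingerprint is not on the allowlist.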