[Nix-dev] Authenticating binary substitutes
Eelco Dolstra
eelco.dolstra at logicblox.com
Thu May 23 16:19:51 CEST 2013
Hi,
On 22/05/13 17:48, Ludovic Courtès wrote:
>> Also, rather than having a separate .sig file, the signature could be stored in
>> the narinfo file itself. That would halve the number of HTTP requests.
>
> Well, the .sig only needs to be downloaded when the user actually
> substitutes something; this is not a situation where it would really
> make a difference.
>
> Also, how would the signature be formatted, then?
Maybe adding a line like:
Signature: EcUemBbhdfRkA6hWXb8qCb...
which would be a base-64 encoding of the signature of the .narinfo up to that
point (as computed by "openssl pkeyutl -sign"), plus a fingerprint of the public
key to be used to check the signature.
--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
More information about the nix-dev
mailing list