[Nix-dev] Binary trust
Eelco Dolstra
eelco.dolstra at logicblox.com
Fri Apr 17 13:42:56 CEST 2015
Hi,
On 16/04/15 23:58, Vladimír Čunát wrote:
> For the state of signing NARs see discussion at
> https://github.com/NixOS/nix/issues/75
I started signing new binaries in cache.nixos.org about 2 months ago. For example:
> $ curl http://cache.nixos.org/17avgmlwqfcy8si4d195f8dkr7rlxf46.narinfo | grep Sig
> Sig: cache.nixos.org-1:lp7+/SdKgObG+GHmgwmFT8xQHVZ+IuoRbpHzO6yVCk2m+X0bp4fF8fChRgpqPRlLtba6VRx67dd9UgyKS7xaDg==
However, old binaries haven't been signed yet.
Hydra.nixos.org produces signed binaries on the fly:
> $ curl http://hydra.nixos.org/la5imi1602jxhpds9675n2n2d0683lbq.narinfo | grep Sig
> Sig: hydra.nixos.org-1:FJabMP7BspE5TjdxUkHpAmiTa94x3gdZ1i/hP4gZi/3Z9nddgPUdceHLxs14mTySIgTsSXEq6fMTPvhUxuEIDQ==
To verify signatures, you need a Nix 1.9 prerelease (1.8 already had
experimental signature support, but I changed the format), and add this to nix.conf:
signed-binary-caches = *
binary-cache-public-keys = <one or more public keys>
The public keys are:
cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=
On NixOS-unstable, you can just set
nix.requireSignedBinaryCaches = true;
The public key for cache.nixos.org is included by default. You can add
additional ones:
nix.binaryCachePublicKeys = [
"hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
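An added example, not Eelco's code and not part of Nix itself: a small Go program that does what `signed-binary-caches = *` asks Nix to do, namely parse a `.narinfo`, rebuild the string that the cache signed, and check the `Sig` line against a `binary-cache-public-keys`-style list of `name:base64` Ed25519 keys. It assumes the signed fingerprint has the layout `1;StorePath;NarHash;NarSize;ref1,ref2,...` with references expanded to full store paths (the layout Nix uses for this signature format; treat it as an assumption here). The sample narinfo, its NarHash, the key name `example-cache-1` and the key pair are constructed; only the two store hashes are taken from the URLs in the message.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Prefix prepended to References basenames when rebuilding the fingerprint
// (a narinfo lists references without the /nix/store/ directory).
const storeDir = "/nix/store"

// NarInfo holds the narinfo fields that take part in the signature, plus Sig.
type NarInfo struct {
	StorePath  string
	NarHash    string
	NarSize    string
	References []string // basenames, as written in the narinfo
	Sig        string   // "keyName:base64sig", empty when unsigned
}

// ParseNarInfo reads the "Key: value" lines of a narinfo document.
func ParseNarInfo(text string) (NarInfo, error) {
	var ni NarInfo
	for _, line := range strings.Split(text, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		kv := strings.SplitN(line, ":", 2) // only the first colon separates key and value
		if len(kv) != 2 {
			return ni, fmt.Errorf("malformed narinfo line %q", line)
		}
		key, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		switch key {
		case "StorePath":
			ni.StorePath = val
		case "NarHash":
			ni.NarHash = val
		case "NarSize":
			ni.NarSize = val
		case "References":
			ni.References = strings.Fields(val)
		case "Sig":
			ni.Sig = val
		}
	}
	if ni.StorePath == "" || ni.NarHash == "" || ni.NarSize == "" {
		return ni, errors.New("narinfo lacks StorePath, NarHash or NarSize")
	}
	return ni, nil
}

// Fingerprint rebuilds the signed string (assumed layout, see lead-in):
// version 1, store path, NAR hash, NAR size, comma-separated full reference paths.
func Fingerprint(ni NarInfo) string {
	refs := make([]string, len(ni.References))
	for i, r := range ni.References {
		refs[i] = storeDir + "/" + r
	}
	return "1;" + ni.StorePath + ";" + ni.NarHash + ";" + ni.NarSize + ";" + strings.Join(refs, ",")
}

// ParseKey splits "name:base64" and checks the decoded length (32 bytes for a
// public key, 64 for a signature), so a truncated or wrong-type value is rejected early.
func ParseKey(s string, wantLen int) (string, []byte, error) {
	kv := strings.SplitN(s, ":", 2)
	if len(kv) != 2 || kv[0] == "" {
		return "", nil, fmt.Errorf("expected name:base64, got %q", s)
	}
	raw, err := base64.StdEncoding.DecodeString(kv[1])
	if err != nil {
		return "", nil, err
	}
	if len(raw) != wantLen {
		return "", nil, fmt.Errorf("%s: decoded %d bytes, want %d", kv[0], len(raw), wantLen)
	}
	return kv[0], raw, nil
}

// TrustedKeys maps key name to public key, like binary-cache-public-keys.
type TrustedKeys map[string]ed25519.PublicKey

func LoadTrustedKeys(entries []string) (TrustedKeys, error) {
	keys := TrustedKeys{}
	for _, e := range entries {
		name, raw, err := ParseKey(e, ed25519.PublicKeySize)
		if err != nil {
			return nil, err
		}
		keys[name] = ed25519.PublicKey(raw)
	}
	return keys, nil
}

// Verify accepts only a narinfo whose Sig names a trusted key and whose
// Ed25519 signature over the fingerprint checks out under that key.
func Verify(ni NarInfo, keys TrustedKeys) (bool, error) {
	if ni.Sig == "" {
		return false, errors.New("narinfo is unsigned")
	}
	name, sig, err := ParseKey(ni.Sig, ed25519.SignatureSize)
	if err != nil {
		return false, err
	}
	pub, ok := keys[name]
	if !ok {
		return false, fmt.Errorf("signature by untrusted key %q", name)
	}
	return ed25519.Verify(pub, []byte(Fingerprint(ni)), sig), nil
}

// Sign produces the Sig value a cache would attach with the given key.
func Sign(ni NarInfo, keyName string, priv ed25519.PrivateKey) string {
	return keyName + ":" + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(Fingerprint(ni))))
}

// SampleNarInfo is constructed for this example (NarHash is a made-up value);
// it carries no Sig line, so main signs it with a throwaway key first.
const SampleNarInfo = `StorePath: /nix/store/17avgmlwqfcy8si4d195f8dkr7rlxf46-example-1.0
URL: nar/example.nar.xz
Compression: xz
NarHash: sha256:1b4sb93wp679q4zx9k1hk7b1fz6wpah1r0r3phi0r2q6i9zl3kfq
NarSize: 1234
References: 17avgmlwqfcy8si4d195f8dkr7rlxf46-example-1.0 la5imi1602jxhpds9675n2n2d0683lbq-dep-2.0
`

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key pair
	ni, err := ParseNarInfo(SampleNarInfo)
	if err != nil {
		panic(err)
	}
	ni.Sig = Sign(ni, "example-cache-1", priv)
	keys := TrustedKeys{"example-cache-1": pub}
	fmt.Println(Verify(ni, keys))                // true <nil>
	ni.NarSize = "1235"                          // tamper with a signed field
	fmt.Println(Verify(ni, keys))                // false <nil>
	fmt.Println(Verify(ni, TrustedKeys{}))       // false, untrusted-key error
}
```

The check that matters for a substituter is the combination in `Verify`: an unsigned narinfo, a signature by a key name not in the trusted set, and a valid-looking signature over altered metadata are all refused, which is exactly why the `Sig` line alone proves nothing until the public key is pinned in `nix.conf`.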