[Nix-dev] Question on package signing and security?

Thomas Hunger tehunger at gmail.com
Mon Mar 28 15:15:00 CEST 2016


The manual has some info:

https://nixos.org/nix/manual/#operation-generate-binary-cache-key

It's a fairly straightforward private / public signing scheme.

There's an example on how to verify integrity in the manual as well:

https://nixos.org/nix/manual/#examples-23

~

On 28 March 2016 at 13:17, Matthias Beyer <mail at beyermatthias.de> wrote:

> Hi,
>
> How is package signing done by nix and how does it work for
> nixpkgs/nixos? I'm searching for resources on this because of my
> bachelor's thesis and I'm not quite sure nix already does signing and
> the like.
>
> So all the "big" package managers (apt, yum, pacman, ...) do some gpg
> foo to sign packages. How does this work in a nix context? Do we sign
> packages? Does nix verify signatures? Do we sign expressions?
>
> Is there any literature out there? I'm starting reading Eelco's papers
> now, maybe I can find something in there...
>
> (The context I'm asking this in is for traceability and auditability;
> my thesis focuses on agent-based intrusion detection systems and how
> they do software installations.)
>
> --
> Mit freundlichen Grüßen,
> Kind regards,
> Matthias Beyer
>
> Proudly sent with mutt.
> Happily signed with gnupg.
>
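Added example, not from the thread or from Nix itself: a Go sketch of the private / public scheme Thomas points to, signing and then checking the fingerprint a Nix binary cache covers for one store path. The fingerprint layout and the `name:base64` form of keys and `Sig:` values follow Nix's narinfo conventions; the key name, store paths, hash and size are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// fingerprint is the string a Nix binary cache signs for one store path: format
// version "1", store path, NAR hash, NAR size and comma-joined references.
func fingerprint(storePath, narHash string, narSize uint64, refs []string) string {
	return fmt.Sprintf("1;%s;%s;%d;%s", storePath, narHash, narSize, strings.Join(refs, ","))
}

// sign produces a narinfo "Sig:" value: keyName:base64(Ed25519 signature).
func sign(keyName string, priv ed25519.PrivateKey, fp string) string {
	return keyName + ":" + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(fp)))
}

// verify checks a Sig value against trusted keys (keyName -> base64 public key,
// the "name:key" form used for trusted binary cache keys). Unknown names fail.
func verify(sig, fp string, trusted map[string]string) error {
	parts := strings.SplitN(sig, ":", 2)
	if len(parts) != 2 {
		return fmt.Errorf("malformed Sig value %q", sig)
	}
	pubB64, ok := trusted[parts[0]]
	if !ok {
		return fmt.Errorf("signature by untrusted key %q", parts[0])
	}
	pub, err1 := base64.StdEncoding.DecodeString(pubB64)
	raw, err2 := base64.StdEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil || len(pub) != ed25519.PublicKeySize || len(raw) != ed25519.SignatureSize {
		return fmt.Errorf("bad key or signature encoding for %q", parts[0])
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), []byte(fp), raw) {
		return fmt.Errorf("signature by %q does not match fingerprint", parts[0])
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // in place of nix-store --generate-binary-cache-key
	trusted := map[string]string{"example-cache-1": base64.StdEncoding.EncodeToString(pub)}
	// Constructed placeholder values, not a real store path, hash or size.
	fp := fingerprint("/nix/store/"+strings.Repeat("0", 32)+"-hello-2.10",
		"sha256:"+strings.Repeat("a", 52), 123456, []string{"/nix/store/" + strings.Repeat("1", 32) + "-glibc-2.23"})
	sig := sign("example-cache-1", priv, fp)
	fmt.Println("Sig:", sig, "\nvalid:", verify(sig, fp, trusted))
	// Changing any field (here the NAR size) invalidates the signature.
	fmt.Println("tampered:", verify(sig, strings.Replace(fp, ";123456;", ";123457;", 1), trusted))
}
```

A client that trusts only the keys in its configuration rejects both a tampered narinfo field and a signature from a key name it does not know, which is the check the manual's verification example exercises.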

