Hi,

On 16/04/15 23:58, Vladimír Čunát wrote:

> For the state of signing NARs see discussion at
> https://github.com/NixOS/nix/issues/75

I started signing new binaries in cache.nixos.org about 2 months ago. For example:

  $ curl http://cache.nixos.org/17avgmlwqfcy8si4d195f8dkr7rlxf46.narinfo | grep Sig
  Sig: cache.nixos.org-1:lp7+/SdKgObG+GHmgwmFT8xQHVZ+IuoRbpHzO6yVCk2m+X0bp4fF8fChRgpqPRlLtba6VRx67dd9UgyKS7xaDg==

However, old binaries haven't been signed yet.

Hydra.nixos.org produces signed binaries on the fly:

  $ curl http://hydra.nixos.org/la5imi1602jxhpds9675n2n2d0683lbq.narinfo | grep Sig
  Sig: hydra.nixos.org-1:FJabMP7BspE5TjdxUkHpAmiTa94x3gdZ1i/hP4gZi/3Z9nddgPUdceHLxs14mTySIgTsSXEq6fMTPvhUxuEIDQ==

To verify signatures, you need a Nix 1.9 prerelease (1.8 already had experimental signature support, but I changed the format), and add this to nix.conf:

  signed-binary-caches = *
  binary-cache-public-keys = <one or more public keys>

The public keys are:

  cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
  hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=

On NixOS-unstable, you can just set

  nix.requireSignedBinaryCaches = true;

The public key for cache.nixos.org is included by default. You can add additional ones:

  nix.binaryCachePublicKeys = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];

-- 
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
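
Added illustration (not part of the message and not Nix's own code): a sketch of the key-selection step that precedes signature verification, matching each `Sig:` line's key name against the configured `binary-cache-public-keys` and rejecting malformed or untrusted entries. It assumes Ed25519 keys (32-byte public key, 64-byte signature), which the base64 lengths in the message are consistent with; it does not perform the cryptographic check itself, and all function names are hypothetical.

```python
import base64
import binascii

PUBKEY_LEN, SIG_LEN = 32, 64  # Ed25519 sizes in bytes (assumption, see lead-in)

def parse_named(field, want_len):
    """Split 'keyname:base64' into (keyname, raw bytes), enforcing the length."""
    name, sep, b64 = field.strip().partition(":")
    if not (name and sep):
        raise ValueError("expected name:base64")
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        raise ValueError("invalid base64")
    if len(raw) != want_len:
        raise ValueError("decoded to %d bytes, want %d" % (len(raw), want_len))
    return name, raw

def load_trusted(conf_value):
    """Parse a whitespace-separated binary-cache-public-keys value."""
    return dict(parse_named(k, PUBKEY_LEN) for k in conf_value.split())

def select_signatures(narinfo, trusted):
    """Return (usable, rejected): usable holds (keyname, pubkey, sig) tuples to
    pass to an Ed25519 verifier; rejected holds (name or field, reason)."""
    usable, rejected = [], []
    for line in narinfo.splitlines():
        field, sep, value = line.partition(":")
        if field != "Sig" or not sep:
            continue
        try:
            name, sig = parse_named(value, SIG_LEN)
        except ValueError as exc:
            rejected.append((value.strip(), str(exc)))
            continue
        if name in trusted:
            usable.append((name, trusted[name], sig))
        else:  # a valid-looking signature from an unconfigured key proves nothing
            rejected.append((name, "no configured public key with this name"))
    return usable, rejected

# Keys and the first two signatures are those quoted in the message; the
# StorePath value and the truncated last Sig line are constructed.
CACHE_KEY = "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
HYDRA_KEY = "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs="
NARINFO = "\n".join([
    "StorePath: /nix/store/PLACEHOLDER-example",
    "Sig: cache.nixos.org-1:lp7+/SdKgObG+GHmgwmFT8xQHVZ+IuoRbpHzO6yVCk2m+X0bp4fF8fChRgpqPRlLtba6VRx67dd9UgyKS7xaDg==",
    "Sig: hydra.nixos.org-1:FJabMP7BspE5TjdxUkHpAmiTa94x3gdZ1i/hP4gZi/3Z9nddgPUdceHLxs14mTySIgTsSXEq6fMTPvhUxuEIDQ==",
    "Sig: cache.nixos.org-1:dHJ1bmNhdGVk",
])
```

With only the cache.nixos.org key configured, the hydra.nixos.org signature is rejected as untrusted; adding `HYDRA_KEY` makes it usable, while the truncated entry is rejected either way.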