Re: [Nix-dev] Question on package signing and security?
Simply said, the binary products are signed by the build farm but nothing else is (commits, etc.).

--Vladimir

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Question on package signing and security?
There's also some discussion on the scope of signatures here: https://github.com/NixOS/nix/issues/613

On Mon, Mar 28, 2016 at 9:15 AM, Thomas Hunger wrote:
> The manual has some info:
>
> https://nixos.org/nix/manual/#operation-generate-binary-cache-key
>
> It's a fairly straightforward private / public signing scheme.
>
> There's an example on how to verify integrity in the manual as well:
>
> https://nixos.org/nix/manual/#examples-23
>
> ~
Re: [Nix-dev] Question on package signing and security?
The manual has some info:

https://nixos.org/nix/manual/#operation-generate-binary-cache-key

It's a fairly straightforward private / public signing scheme.

There's an example on how to verify integrity in the manual as well:

https://nixos.org/nix/manual/#examples-23

~
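The signing scheme the manual describes, as an added example written for this thread rather than Nix's own code: a binary-cache signature is an Ed25519 signature over the narinfo fingerprint `1;<store path>;<NAR hash>;<NAR size>;<references>`, and both the keys written by `nix-store --generate-binary-cache-key` and the narinfo `Sig:` value use the `<key name>:<base64>` form. The fingerprint layout is taken from Nix's implementation; the store paths and hash in the test are constructed sample values, and nothing here covers the Nix expression itself, which is the point Vladimir makes above.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
)

// NarInfo holds the .narinfo fields that a binary-cache signature covers.
type NarInfo struct {
	StorePath  string   // /nix/store/<hash>-<name>
	NarHash    string   // "sha256:<nix-base32>" hash of the NAR archive
	NarSize    uint64   // NAR size in bytes
	References []string // full store paths of runtime dependencies
}

// Fingerprint is the string Nix signs: "1;<path>;<NAR hash>;<NAR size>;<ref1>,<ref2>,...".
// Absent from it: the Nix expression, the derivation and the build log.
func Fingerprint(n NarInfo) string {
	return fmt.Sprintf("1;%s;%s;%d;%s", n.StorePath, n.NarHash, n.NarSize, strings.Join(n.References, ","))
}

// decodeKeyed parses the "<key name>:<base64>" form Nix uses for keys and "Sig:" values.
func decodeKeyed(s string, wantLen int) (string, []byte, error) {
	parts := strings.SplitN(s, ":", 2)
	raw, err := base64.StdEncoding.DecodeString(parts[len(parts)-1])
	if len(parts) != 2 || err != nil || len(raw) != wantLen {
		return "", nil, fmt.Errorf("bad <name>:<base64> value %q", s)
	}
	return parts[0], raw, nil
}

// Sign produces the narinfo "Sig:" value, as the build farm does, from a "<name>:<base64 64-byte Ed25519 key>" secret key.
func Sign(secretKey string, n NarInfo) (string, error) {
	name, priv, err := decodeKeyed(secretKey, ed25519.PrivateKeySize)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(ed25519.PrivateKey(priv), []byte(Fingerprint(n)))
	return name + ":" + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify accepts a "Sig:" value only if its key name matches the trusted key and it covers this exact fingerprint.
func Verify(trustedPub, sig string, n NarInfo) bool {
	kName, pub, errK := decodeKeyed(trustedPub, ed25519.PublicKeySize)
	sName, raw, errS := decodeKeyed(sig, ed25519.SignatureSize)
	return errK == nil && errS == nil && kName == sName &&
		ed25519.Verify(ed25519.PublicKey(pub), []byte(Fingerprint(n)), raw)
}
```

Changing any signed field (NAR hash, size, references, or the store path) or presenting a signature under a different key name makes Verify return false, which is exactly what a substituter relying on a trusted binary cache checks.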
[Nix-dev] Question on package signing and security?
Hi,

How is package signing done by nix and how does it work for nixpkgs/nixos? I'm searching for resources on this because of my bachelor's thesis and I'm not quite sure nix already does signing and the like.

So all the "big" package managers (apt, yum, pacman, ...) do some gpg foo to sign packages. How does this work in a nix context? Do we sign packages? Does nix verify signatures? Do we sign expressions?

Is there any literature out there? I'm starting reading Eelco's papers now, maybe I can find something in there...

(The context I'm asking this in is for traceability and auditability, my thesis focuses on agent-based intrusion detection systems and how they do software installations.)

--
Mit freundlichen Grüßen,
Kind regards,
Matthias Beyer

Proudly sent with mutt.
Happily signed with gnupg.