That’s cool. Can you tell us more about the format of the keys etc.?
It looks like you rely on libsodium which in turn uses a kind of EdDSA, so
the `doc/signing.txt` is outdated.
I didn’t dive into the code, but my guess is that the part before colon is
just the name of the key and the colon is
Hi Kirill,
Actually, that’s an interesting question. I always assumed they were
signed (AFAIK `nix-store` is able to check signatures contained inside
NAR-files), but now I wonder how hydra.cryp.to signs NARs…
it's my understanding that the content from binary caches is not signed in
On Thu, Apr 16, 2015 at 9:09 PM Ertugrul Söylemez ert...@gmx.de wrote:
Hi Kirill,
That’s not cool at all.
An easy way would be to force TLS.
Another option could be to sign NARs with a certificate tied to the
hostname of the trusted binary cache and issued by a special NixOS/Nixpkgs
CA.
On Thu, Apr 16, 2015 at 11:30 PM Peter Simons sim...@cryp.to wrote:
Hi Kirill,
```
nix-env \
  --option extra-binary-caches https://hydra.nixos.org \
  --option extra-binary-caches https://hydra.cryp.to \
  -iA nixos.pkgs.hsEnv
```
Might it be the case that you are running nix in daemon mode and thus it
ignores `binary-caches`?
That did it! Since I'm