[Nix-dev] Binary trust

Kirill Elagin kirelagin at gmail.com
Fri Apr 17 14:19:53 CEST 2015


That’s cool. Can you tell us more about the format of the keys etc.?

It looks like you rely on libsodium which in turn uses a kind of EdDSA, so
the `doc/signing.txt` is outdated.
I didn’t dive into the code, but my guess is that the part before colon is
just the name of the key and the colon is followed by base64 which you
decode and feed to libsodium. Is that correct?

Does anyone know of any command-line tools for libsodium to play with the
signatures?

On Fri, Apr 17, 2015 at 2:43 PM Eelco Dolstra <eelco.dolstra at logicblox.com>
wrote:

> Hi,
>
> On 16/04/15 23:58, Vladimír Čunát wrote:
>
> > For the state of signing NARs see discussion at
> > https://github.com/NixOS/nix/issues/75
>
> I started signing new binaries in cache.nixos.org about 2 months ago. For
> example:
>
> > $ curl http://cache.nixos.org/17avgmlwqfcy8si4d195f8dkr7rlxf46.narinfo | grep Sig
> > Sig: cache.nixos.org-1:lp7+/SdKgObG+GHmgwmFT8xQHVZ+IuoRbpHzO6yVCk2m+X0bp4fF8fChRgpqPRlLtba6VRx67dd9UgyKS7xaDg==
>
> However, old binaries haven't been signed yet.
>
> Hydra.nixos.org produces signed binaries on the fly:
>
> > $ curl http://hydra.nixos.org/la5imi1602jxhpds9675n2n2d0683lbq.narinfo | grep Sig
> > Sig: hydra.nixos.org-1:FJabMP7BspE5TjdxUkHpAmiTa94x3gdZ1i/hP4gZi/3Z9nddgPUdceHLxs14mTySIgTsSXEq6fMTPvhUxuEIDQ==
>
> To verify signatures, you need a Nix 1.9 prerelease (1.8 already had
> experimental signature support, but I changed the format), and add this to
> nix.conf:
>
>   signed-binary-caches = *
>   binary-cache-public-keys = <one or more public keys>
>
> The public keys are:
>
>   cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
>   hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=
>
> On NixOS-unstable, you can just set
>
>   nix.requireSignedBinaryCaches = true;
>
> The public key for cache.nixos.org is included by default. You can add
> additional ones:
>
>   nix.binaryCachePublicKeys = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
>
> --
> Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
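Kirill's guess about the format (a key name before the colon, base64 after it, the decoded bytes handed straight to libsodium) as an added worked example; this is not Nix's or libsodium's code. It parses the `name:base64` values quoted above, checks that the public keys decode to 32 bytes and the `Sig:` values to 64 bytes (the Ed25519 sizes, which is the evidence behind the EdDSA guess), and verifies signatures with a small pure-Python Ed25519 that stands in for libsodium's crypto_sign so nothing needs installing. The key name `example-cache-1`, the seed and the message in the demo are constructed; the data a real cache signs is the narinfo fingerprint Nix computes, which the thread does not show, so the page's own signatures are only size-checked here, not verified.

```python
"""Nix `name:base64` key and `Sig:` parsing with Ed25519 verification.
Added example, not Nix's or libsodium's code: the Ed25519 part is a small
pure-Python port of the reference construction (affine, slow, not
constant-time) standing in for libsodium's crypto_sign, so it runs offline."""
import base64
import hashlib

Q = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493     # base-point order
D = (-121665 * pow(121666, Q - 2, Q)) % Q              # curve constant d
I = pow(2, (Q - 1) // 4, Q)                            # sqrt(-1) mod Q

def _inv(x):
    return pow(x, Q - 2, Q)

def _xrecover(y):
    """Even x with -x^2 + y^2 = 1 + D x^2 y^2, or ValueError if none."""
    xx = (y * y - 1) * _inv(D * y * y + 1)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = (x * I) % Q
    if (x * x - xx) % Q:
        raise ValueError("y is not on the curve")
    return Q - x if x & 1 else x

B_Y = (4 * _inv(5)) % Q
B = (_xrecover(B_Y), B_Y)                              # standard base point

def _add(P, R):
    (x1, y1), (x2, y2) = P, R
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * _inv(1 + t) % Q,
            (y1 * y2 + x1 * x2) * _inv(1 - t) % Q)

def _mul(P, e):                                        # double-and-add
    R = (0, 1)                                         # neutral element
    while e:
        if e & 1:
            R = _add(R, P)
        P, e = _add(P, P), e >> 1
    return R

def _enc_point(P):
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def _dec_point(s):
    n = int.from_bytes(s, "little")
    y = n & ((1 << 255) - 1)
    x = _xrecover(y)
    return (Q - x if (x & 1) != n >> 255 else x, y)

def _hash_int(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def _clamp(h32):
    return (int.from_bytes(h32, "little") & ((1 << 254) - 8)) | (1 << 254)

def public_key(seed32):
    """32-byte public key from a 32-byte seed (libsodium's seeded keygen)."""
    return _enc_point(_mul(B, _clamp(hashlib.sha512(seed32).digest()[:32])))

def sign(msg, seed32):
    h = hashlib.sha512(seed32).digest()
    a, pk = _clamp(h[:32]), public_key(seed32)
    r = _hash_int(h[32:], msg) % L
    R = _enc_point(_mul(B, r))
    return R + ((r + _hash_int(R, pk, msg) * a) % L).to_bytes(32, "little")

def verify(sig, msg, pk):
    """True iff sig is a valid Ed25519 signature on msg under pk."""
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        R, A = _dec_point(sig[:32]), _dec_point(pk)
    except ValueError:
        return False
    s = int.from_bytes(sig[32:], "little")
    if s >= L:                                         # reject malleable s
        return False
    return _mul(B, s) == _add(R, _mul(A, _hash_int(sig[:32], pk, msg)))

def parse_keyed(value):
    """Split the `<key-name>:<base64>` form used for both keys and `Sig:`."""
    name, sep, b64 = value.strip().partition(":")
    if not (sep and name and b64):
        raise ValueError("expected <name>:<base64>")
    return name, base64.b64decode(b64, validate=True)

def sig_line(name, msg, seed32):
    """The `name:base64` value a signing cache would emit as `Sig:`."""
    return name + ":" + base64.b64encode(sign(msg, seed32)).decode()

def verify_narinfo_sig(sig_value, fingerprint, trusted):
    """Check one `Sig:` value against {key name: 32-byte public key}."""
    name, raw = parse_keyed(sig_value)
    if len(raw) != 64 or name not in trusted:
        return False
    return verify(raw, fingerprint, trusted[name])

if __name__ == "__main__":
    # Constructed key and message; the real signed data (the narinfo
    # fingerprint Nix computes) is not shown in the thread.
    seed = hashlib.sha256(b"constructed demo seed, not a real cache key").digest()
    trusted = {"example-cache-1": public_key(seed)}
    fp = b"constructed stand-in for the narinfo fingerprint"
    print(verify_narinfo_sig(sig_line("example-cache-1", fp, seed), fp, trusted))          # True
    print(verify_narinfo_sig(sig_line("example-cache-1", fp, seed), fp + b"!", trusted))   # False
```

The lookup by key name is what the `name:` prefix buys: a `Sig:` is only checked against the key you configured under that exact name, so changing the prefix cannot make a signature from one cache pass as another's, and a `Sig:` whose name you have not configured is simply ignored. The check on `s` keeps a valid signature from having several accepted encodings; the reference construction omits it, so it is an addition here.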