nix/doc/signing.txt

25 lines
635 B
Plaintext
Raw Normal View History

Generate a private key:
2014-11-08 21:39:50 +00:00
$ (umask 277 && openssl genrsa -out /etc/nix/signing-key.sec 2048)
The private key should be kept secret (only readable to the Nix daemon
user).
Generate the corresponding public key:
2014-11-08 21:39:50 +00:00
$ openssl rsa -in /etc/nix/signing-key.sec -pubout > /etc/nix/signing-key.pub
The public key should be copied to all machines to which you want to
export store paths.
Signing:
$ nix-hash --type sha256 --flat svn.nar | openssl rsautl -sign -inkey mykey.sec > svn.nar.sign
Verifying a signature:
$ test "$(nix-hash --type sha256 --flat svn.nar)" = "$(openssl rsautl -verify -inkey mykey.pub -pubin -in svn.nar.sign)"