mirror of
https://github.com/NixOS/nix.git
synced 2024-11-01 14:50:49 +00:00
46e0919ced
in /nix/etc/nix/signing-key.sec
25 lines
647 B
Plaintext
25 lines
647 B
Plaintext
Generate a private key:
|
|
|
|
$ (umask 277 && openssl genrsa -out /nix/etc/nix/signing-key.sec 2048)
|
|
|
|
The private key should be kept secret (only readable to the Nix daemon
|
|
user).
|
|
|
|
|
|
Generate the corresponding public key:
|
|
|
|
$ openssl rsa -in /nix/etc/nix/signing-key.sec -pubout > /nix/etc/nix/signing-key.pub
|
|
|
|
The public key should be copied to all machines to which you want to
|
|
export store paths.
|
|
|
|
|
|
Signing:
|
|
|
|
$ nix-hash --type sha256 --flat svn.nar | openssl rsautl -sign -inkey mykey.sec > svn.nar.sign
|
|
|
|
|
|
Verifying a signature:
|
|
|
|
$ test "$(nix-hash --type sha256 --flat svn.nar)" = "$(openssl rsautl -verify -inkey mykey.pub -pubin -in svn.nar.sign)"
|