diff options
| author | Eelco Dolstra <edolstra@gmail.com> | 2022-03-22 21:54:49 +0100 |
|---|---|---|
| committer | Eelco Dolstra <edolstra@gmail.com> | 2022-03-24 21:33:33 +0100 |
| commit | 5acaf13d3564f689e5461f29a9cc5958809d5e93 (patch) | |
| tree | 89c5ba12c665b9f3a68b1c17653d3532267b0125 /src/nix/make-content-addressed.md | |
| parent | f18607549ce38545b1d754ed93f3b7c5417970d8 (diff) | |
Rename 'nix store make-content-addressable' to 'nix store make-content-addressed'
Diffstat (limited to 'src/nix/make-content-addressed.md')
| -rw-r--r-- | src/nix/make-content-addressed.md | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/src/nix/make-content-addressed.md b/src/nix/make-content-addressed.md new file mode 100644 index 000000000..215683e6d --- /dev/null +++ b/src/nix/make-content-addressed.md @@ -0,0 +1,59 @@ +R""( + +# Examples + +* Create a content-addressed representation of the closure of GNU Hello: + + ```console + # nix store make-content-addressed nixpkgs#hello + … + rewrote '/nix/store/v5sv61sszx301i0x6xysaqzla09nksnd-hello-2.10' to '/nix/store/5skmmcb9svys5lj3kbsrjg7vf2irid63-hello-2.10' + ``` + + Since the resulting paths are content-addressed, they are always + trusted and don't need signatures to copied to another store: + + ```console + # nix copy --to /tmp/nix --trusted-public-keys '' /nix/store/5skmmcb9svys5lj3kbsrjg7vf2irid63-hello-2.10 + ``` + + By contrast, the original closure is input-addressed, so it does + need signatures to be trusted: + + ```console + # nix copy --to /tmp/nix --trusted-public-keys '' nixpkgs#hello + cannot add path '/nix/store/zy9wbxwcygrwnh8n2w9qbbcr6zk87m26-libunistring-0.9.10' because it lacks a valid signature + ``` + +* Create a content-addressed representation of the current NixOS + system closure: + + ```console + # nix store make-content-addressed /run/current-system + ``` + +# Description + +This command converts the closure of the store paths specified by +*installables* to content-addressed form. Nix store paths are usually +*input-addressed*, meaning that the hash part of the store path is +computed from the contents of the derivation (i.e., the build-time +dependency graph). Input-addressed paths need to be signed by a +trusted key if you want to import them into a store, because we need +to trust that the contents of the path were actually built by the +derivation. + +By contrast, in a *content-addressed* path, the hash part is computed +from the contents of the path. This allows the contents of the path to +be verified without any additional information such as +signatures. This means that a command like + +```console +# nix store build /nix/store/5skmmcb9svys5lj3kbsrjg7vf2irid63-hello-2.10 \ + --substituters https://my-cache.example.org +``` + +will succeed even if the binary cache `https://my-cache.example.org` +doesn't present any signatures. + +)"" |