aboutsummaryrefslogtreecommitdiff
path: root/src/nix/make-content-addressed.md
diff options
context:
space:
mode:
authorEelco Dolstra <edolstra@gmail.com>2022-03-22 21:54:49 +0100
committerEelco Dolstra <edolstra@gmail.com>2022-03-24 21:33:33 +0100
commit5acaf13d3564f689e5461f29a9cc5958809d5e93 (patch)
tree89c5ba12c665b9f3a68b1c17653d3532267b0125 /src/nix/make-content-addressed.md
parentf18607549ce38545b1d754ed93f3b7c5417970d8 (diff)
Rename 'nix store make-content-addressable' to 'nix store make-content-addressed'
Diffstat (limited to 'src/nix/make-content-addressed.md')
-rw-r--r--src/nix/make-content-addressed.md59
1 files changed, 59 insertions, 0 deletions
diff --git a/src/nix/make-content-addressed.md b/src/nix/make-content-addressed.md
new file mode 100644
index 000000000..215683e6d
--- /dev/null
+++ b/src/nix/make-content-addressed.md
@@ -0,0 +1,59 @@
+R""(
+
+# Examples
+
+* Create a content-addressed representation of the closure of GNU Hello:
+
+ ```console
+ # nix store make-content-addressed nixpkgs#hello
+ …
+ rewrote '/nix/store/v5sv61sszx301i0x6xysaqzla09nksnd-hello-2.10' to '/nix/store/5skmmcb9svys5lj3kbsrjg7vf2irid63-hello-2.10'
+ ```
+
+ Since the resulting paths are content-addressed, they are always
+ trusted and don't need signatures to copied to another store:
+
+ ```console
+ # nix copy --to /tmp/nix --trusted-public-keys '' /nix/store/5skmmcb9svys5lj3kbsrjg7vf2irid63-hello-2.10
+ ```
+
+ By contrast, the original closure is input-addressed, so it does
+ need signatures to be trusted:
+
+ ```console
+ # nix copy --to /tmp/nix --trusted-public-keys '' nixpkgs#hello
+ cannot add path '/nix/store/zy9wbxwcygrwnh8n2w9qbbcr6zk87m26-libunistring-0.9.10' because it lacks a valid signature
+ ```
+
+* Create a content-addressed representation of the current NixOS
+ system closure:
+
+ ```console
+ # nix store make-content-addressed /run/current-system
+ ```
+
+# Description
+
+This command converts the closure of the store paths specified by
+*installables* to content-addressed form. Nix store paths are usually
+*input-addressed*, meaning that the hash part of the store path is
+computed from the contents of the derivation (i.e., the build-time
+dependency graph). Input-addressed paths need to be signed by a
+trusted key if you want to import them into a store, because we need
+to trust that the contents of the path were actually built by the
+derivation.
+
+By contrast, in a *content-addressed* path, the hash part is computed
+from the contents of the path. This allows the contents of the path to
+be verified without any additional information such as
+signatures. This means that a command like
+
+```console
+# nix store build /nix/store/5skmmcb9svys5lj3kbsrjg7vf2irid63-hello-2.10 \
+ --substituters https://my-cache.example.org
+```
+
+will succeed even if the binary cache `https://my-cache.example.org`
+doesn't present any signatures.
+
+)""