aboutsummaryrefslogtreecommitdiff
path: root/doc/signing.txt
blob: 7403cac470b209fe0fa4044d051a5c322a11d736 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Generate a private key:

$ (umask 277 && openssl genrsa -out /etc/nix/signing-key.sec 2048)

The private key should be kept secret (only readable to the Nix daemon
user).


Generate the corresponding public key:

$ openssl rsa -in /etc/nix/signing-key.sec -pubout > /etc/nix/signing-key.pub

The public key should be copied to all machines to which you want to
export store paths.


Signing:

$ nix-hash --type sha256 --flat svn.nar | openssl rsautl -sign -inkey mykey.sec > svn.nar.sign


Verifying a signature:

$ test "$(nix-hash --type sha256 --flat svn.nar)" = "$(openssl rsautl -verify -inkey mykey.pub -pubin -in svn.nar.sign)"