aboutsummaryrefslogtreecommitdiff
path: root/src/nix/key-generate-secret.md
blob: 4938f637cf5181860a8c1de9734aaa9431d625c6 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
R""(

# Examples

* Generate a new secret key:

  ```console
  # nix key generate-secret --key-name cache.example.org-1 > ./secret-key
  ```

  We can then use this key to sign the closure of the Hello package:

  ```console
  # nix build nixpkgs#hello
  # nix store sign --key-file ./secret-key --recursive ./result
  ```

  Finally, we can verify the store paths using the corresponding
  public key:

  ```
  # nix store verify --trusted-public-keys $(nix key convert-secret-to-public < ./secret-key) ./result
  ```

# Description

This command generates a new Ed25519 secret key for signing store
paths and prints it on standard output. Use `nix key
convert-secret-to-public` to get the corresponding public key for
verifying signed store paths.

The mandatory argument `--key-name` specifies a key name (such as
`cache.example.org-1). It is used to look up keys on the client when
it verifies signatures. It can be anything, but it’s suggested to use
the host name of your cache (e.g.  `cache.example.org`) with a suffix
denoting the number of the key (to be incremented every time you need
to revoke a key).

# Format

Both secret and public keys are represented as the key name followed
by a base-64 encoding of the Ed25519 key data, e.g.

```
cache.example.org-0:E7lAO+MsPwTFfPXsdPtW8GKui/5ho4KQHVcAGnX+Tti1V4dUxoVoqLyWJ4YESuZJwQ67GVIksDt47og+tPVUZw==
```

)""