diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml
index fb4d8cefc..a28f70899 100644
--- a/doc/manual/command-ref/conf-file.xml
+++ b/doc/manual/command-ref/conf-file.xml
@@ -406,17 +406,17 @@ false</literal>.</para>
 
     <listitem><para>If set to <literal>*</literal> (the default), Nix
     will only download binaries if they are signed using one of the
-    keys listed in <option>binary-cache-public-keys</option>. Set to
+    keys listed in <option>trusted-public-keys</option>. Set to
     the empty string to disable signature checking.</para></listitem>
 
   </varlistentry>
 
 
-  <varlistentry><term><literal>binary-cache-public-keys</literal></term>
+  <varlistentry><term><literal>trusted-public-keys</literal></term>
 
-    <listitem><para>A whitespace-separated list of public keys
-    corresponding to the secret keys trusted to sign binary
-    caches. For example:
+    <listitem><para>A whitespace-separated list of public keys. When
+    paths are copied from another Nix store (such as a binary cache),
+    they must be signed with one of these keys. For example:
     <literal>cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
     hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=</literal>.</para></listitem>
 
diff --git a/src/libstore/crypto.cc b/src/libstore/crypto.cc
index f56a6adab..9ec8abd22 100644
--- a/src/libstore/crypto.cc
+++ b/src/libstore/crypto.cc
@@ -105,7 +105,7 @@ PublicKeys getDefaultPublicKeys()
 
     // FIXME: filter duplicates
 
-    for (auto s : settings.binaryCachePublicKeys.get()) {
+    for (auto s : settings.trustedPublicKeys.get()) {
         PublicKey key(s);
         publicKeys.emplace(key.name, key);
     }
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index a4aa842d7..70c01bb32 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -259,10 +259,11 @@ public:
     Setting<bool> enforceDeterminism{this, true, "enforce-determinism",
         "Whether to fail if repeated builds produce different output."};
 
-    Setting<Strings> binaryCachePublicKeys{this,
+    Setting<Strings> trustedPublicKeys{this,
         {"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="},
-        "binary-cache-public-keys",
-        "Trusted public keys for secure substitution."};
+        "trusted-public-keys",
+        "Trusted public keys for secure substitution.",
+        {"binary-cache-public-keys"}};
 
     Setting<Strings> secretKeyFiles{this, {}, "secret-key-files",
         "Secret keys with which to sign local builds."};
diff --git a/tests/binary-cache.sh b/tests/binary-cache.sh
index 2a044d2ed..f7c0b2f78 100644
--- a/tests/binary-cache.sh
+++ b/tests/binary-cache.sh
@@ -131,11 +131,11 @@ clearCacheCache
 clearStore
 clearCacheCache
 
-(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$badKey")
+(! nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$badKey")
 
 
 # It should succeed if we provide the correct key.
-nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$otherKey $publicKey"
+nix-store -r $outPath --option binary-caches "file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$otherKey $publicKey"
 
 
 # It should fail if we corrupt the .narinfo.
@@ -152,10 +152,10 @@ done
 
 clearCacheCache
 
-(! nix-store -r $outPath --option binary-caches "file://$cacheDir2" --option signed-binary-caches '*' --option binary-cache-public-keys "$publicKey")
+(! nix-store -r $outPath --option binary-caches "file://$cacheDir2" --option signed-binary-caches '*' --option trusted-public-keys "$publicKey")
 
 # If we provide a bad and a good binary cache, it should succeed.
 
-nix-store -r $outPath --option binary-caches "file://$cacheDir2 file://$cacheDir" --option signed-binary-caches '*' --option binary-cache-public-keys "$publicKey"
+nix-store -r $outPath --option binary-caches "file://$cacheDir2 file://$cacheDir" --option signed-binary-caches '*' --option trusted-public-keys "$publicKey"
 
 fi # HAVE_LIBSODIUM
diff --git a/tests/signing.sh b/tests/signing.sh
index bef27ac7a..39aaa1e76 100644
--- a/tests/signing.sh
+++ b/tests/signing.sh
@@ -22,13 +22,13 @@ nix verify -r $outPath
 
 expect 2 nix verify -r $outPath --sigs-needed 1
 
-nix verify -r $outPath --sigs-needed 1 --binary-cache-public-keys $pk1
+nix verify -r $outPath --sigs-needed 1 --trusted-public-keys $pk1
 
-expect 2 nix verify -r $outPath --sigs-needed 2 --binary-cache-public-keys $pk1
+expect 2 nix verify -r $outPath --sigs-needed 2 --trusted-public-keys $pk1
 
-nix verify -r $outPath --sigs-needed 2 --binary-cache-public-keys "$pk1 $pk2"
+nix verify -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
 
-nix verify --all --sigs-needed 2 --binary-cache-public-keys "$pk1 $pk2"
+nix verify --all --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
 
 # Build something unsigned.
 outPath2=$(nix-build simple.nix --no-out-link)
@@ -45,12 +45,12 @@ nix verify -r $outPath2
 
 expect 2 nix verify -r $outPath2 --sigs-needed 1
 
-expect 2 nix verify -r $outPath2 --sigs-needed 1 --binary-cache-public-keys $pk1
+expect 2 nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
 
 # Test "nix sign-paths".
 nix sign-paths --key-file $TEST_ROOT/sk1 $outPath2
 
-nix verify -r $outPath2 --sigs-needed 1 --binary-cache-public-keys $pk1
+nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
 
 # Copy to a binary cache.
 nix copy --to file://$cacheDir $outPath2