forked from lix-project/lix
Remove references to old-school signing
This commit is contained in:
parent
bb1034316d
commit
525c78a2c3
|
@ -22,7 +22,6 @@
|
||||||
<arg choice='plain'><option>--to</option></arg>
|
<arg choice='plain'><option>--to</option></arg>
|
||||||
<arg choice='plain'><option>--from</option></arg>
|
<arg choice='plain'><option>--from</option></arg>
|
||||||
</group>
|
</group>
|
||||||
<arg><option>--sign</option></arg>
|
|
||||||
<arg><option>--gzip</option></arg>
|
<arg><option>--gzip</option></arg>
|
||||||
<!--
|
<!--
|
||||||
<arg><option>- -show-progress</option></arg>
|
<arg><option>- -show-progress</option></arg>
|
||||||
|
@ -87,23 +86,6 @@ those paths. If this bothers you, use
|
||||||
|
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry><term><option>--sign</option></term>
|
|
||||||
|
|
||||||
<listitem><para>Let the sending machine cryptographically sign the
|
|
||||||
dump of each path with the key in
|
|
||||||
<filename><replaceable>sysconfdir</replaceable>/nix/signing-key.sec</filename>.
|
|
||||||
If the user on the target machine does not have direct access to
|
|
||||||
the Nix store (i.e., if the target machine has a multi-user Nix
|
|
||||||
installation), then the target machine will check the dump against
|
|
||||||
<filename><replaceable>sysconfdir</replaceable>/nix/signing-key.pub</filename>
|
|
||||||
before unpacking it in its Nix store. This allows secure sharing
|
|
||||||
of store paths between untrusted users on two machines, provided
|
|
||||||
that there is a trust relation between the Nix installations on
|
|
||||||
both machines (namely, they have matching public/secret
|
|
||||||
keys).</para></listitem>
|
|
||||||
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry><term><option>--gzip</option></term>
|
<varlistentry><term><option>--gzip</option></term>
|
||||||
|
|
||||||
<listitem><para>Enable compression of the SSH
|
<listitem><para>Enable compression of the SSH
|
||||||
|
|
|
@ -1,24 +0,0 @@
|
||||||
Generate a private key:
|
|
||||||
|
|
||||||
$ (umask 277 && openssl genrsa -out /etc/nix/signing-key.sec 2048)
|
|
||||||
|
|
||||||
The private key should be kept secret (only readable to the Nix daemon
|
|
||||||
user).
|
|
||||||
|
|
||||||
|
|
||||||
Generate the corresponding public key:
|
|
||||||
|
|
||||||
$ openssl rsa -in /etc/nix/signing-key.sec -pubout > /etc/nix/signing-key.pub
|
|
||||||
|
|
||||||
The public key should be copied to all machines to which you want to
|
|
||||||
export store paths.
|
|
||||||
|
|
||||||
|
|
||||||
Signing:
|
|
||||||
|
|
||||||
$ nix-hash --type sha256 --flat svn.nar | openssl rsautl -sign -inkey mykey.sec > svn.nar.sign
|
|
||||||
|
|
||||||
|
|
||||||
Verifying a signature:
|
|
||||||
|
|
||||||
$ test "$(nix-hash --type sha256 --flat svn.nar)" = "$(openssl rsautl -verify -inkey mykey.pub -pubin -in svn.nar.sign)"
|
|
Loading…
Reference in a new issue