diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml index ec96f750e..c947d19fa 100644 --- a/doc/manual/command-ref/conf-file.xml +++ b/doc/manual/command-ref/conf-file.xml @@ -401,6 +401,26 @@ flag, e.g. --option gc-keep-outputs false. + signed-binary-caches + + If set to *, Nix will only + download binaries if they are signed using one of the keys listed + in . + + + + + binary-cache-public-keys + + A whitespace-separated list of public keys + corresponding to the secret keys trusted to sign binary + caches. For example: + cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= + hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=. + + + + binary-caches-parallel-connections The maximum number of parallel HTTP connections diff --git a/doc/manual/command-ref/nix-push.xml b/doc/manual/command-ref/nix-push.xml index a3a3c9623..e9a8c645e 100644 --- a/doc/manual/command-ref/nix-push.xml +++ b/doc/manual/command-ref/nix-push.xml @@ -27,6 +27,7 @@ filename url + path paths @@ -43,7 +44,7 @@ source and instead download binaries from the cache automatically. nix-push performs the following actions. - + Each path in paths is @@ -155,6 +156,19 @@ automatically. + path + + Sign the binary cache using the secret key stored + in path. This secret key must have been + created using nix-store + --generate-binary-cache-key. Users of this binary cache + should add the corresponding public key to the option + in + nix.conf. + + + 
@@ -203,6 +217,40 @@ $ nix-pull http://example.org/cache to cause the binaries to be used by subsequent Nix operations. +To generate a signed binary cache, you must first generate a key +pair, in this example called cache.example.org-1, +storing the secret key in ./sk and the public key +in ./pk: + + +$ nix-store --generate-binary-cache-key cache.example.org-1 sk pk + +$ cat sk +cache.example.org-1:jcMRQYFo8pQKzTtimpQLIPeHkMYZjfhB24hGfwF+u9PuX8H8FO7q564+X3G/JDlqqIqGar3OXRRwS9N3Wh3vbw== + +$ cat pk +cache.example.org-1:7l/B/BTu6ueuPl9xvyQ5aqiKhmq9zl0UcEvTd1od728= + + +You can then generate a binary cache signed with the secret key: + + +$ nix-push --dest /tmp/cache --key-file ./sk $(type -p firefox) + + +Users who wish to verify the integrity of binaries downloaded from +your cache would add the following to their +nix.conf: + + +binary-caches = http://cache.example.org +signed-binary-caches = * +binary-cache-public-keys = cache.example.org-1:7l/B/BTu6ueuPl9xvyQ5aqiKhmq9zl0UcEvTd1od728= + + +Nix will then ignore any binary that has a missing, incorrect or +unrecognised signature. + @@ -224,7 +272,7 @@ Priority: 10 The properties that are currently supported are: - + StoreDir The path of the Nix store to which this binary @@ -303,12 +351,13 @@ NarHash: sha256:0s491y1h9hxj5ghiizlxk7ax6jwbha00zwn7lpyd5xg5bhf60vzg NarSize: 109521136 References: 2ma2k0ys8knh4an48n28vigcmc2z8773-linux-headers-2.6.23.16 ... Deriver: 7akyyc87ka32xwmqza9dvyg5pwx3j212-glibc-2.7.drv +Sig: cache.example.org-1:WepnSp2UT0odDpR3NRjPVhJBHmdBgSBSTbHpdh4SCz92nGXwFY82bkPEmISoC0hGqBXDXEmB6y3Ohgna3mMgDg== The fields are as follows: - + StorePath The full store path, including the name part 
@@ -381,6 +430,22 @@ The fields are as follows: + Sig + + A signature of the the form + key-name:sig, + where key-name is the symbolic name of + the key pair used to sign and verify the cache + (e.g. cache.example.org-1), and + sig is the actual signature, computed + over the StorePath, NarHash, + NarSize and References + fields using the Ed25519 public-key signature + system. + + + diff --git a/doc/manual/command-ref/nix-store.xml b/doc/manual/command-ref/nix-store.xml index a2faeaeba..e21d53d8b 100644 --- a/doc/manual/command-ref/nix-store.xml +++ b/doc/manual/command-ref/nix-store.xml @@ -1338,6 +1338,56 @@ $ nix-store --clear-failed-paths * + + +Operation <option>--generate-binary-cache-key</option> + + + Synopsis + + nix-store + + + + + + + + + +Description + +This command generates an Ed25519 key pair that can +be used to create a signed binary cache. It takes three mandatory +parameters: + + + + A key name, such as + cache.example.org-1, that is used to look up keys + on the client when it verifies signatures. It can be anything, but + it’s suggested to use the host name of your cache + (e.g. cache.example.org) with a suffix denoting + the number of the key (to be incremented every time you need to + revoke a key). + + The file name where the secret key is to be + stored. + + The file name where the public key is to be + stored. + + + +For an example, see the manual page for nix-push. + + + + + + Environment variables
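Review bot: The signed-binary-caches entry in the conf-file.xml hunk documents only the value `*` and never states the default; since verification is the whole point of this option, the entry should say explicitly what happens when it is unset (whether unsigned binaries are still accepted) and whether any value other than `*` is accepted, e.g. a list of cache URLs. The cross-reference after "keys listed in" also renders empty here; confirm it resolves to the binary-cache-public-keys option defined directly below.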
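Review bot: The --key-file description in the nix-push.xml options hunk does not say what happens when the option is omitted. Since the conf-file.xml hunk says clients with signed-binary-caches set to `*` only download signed binaries, add a sentence that omitting --key-file produces an unsigned cache which such clients will refuse to use, so cache operators understand the option is required for that audience.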
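Review bot: The worked example in the nix-push.xml examples hunk prints the secret key with `cat sk` and says nothing about protecting it. Add a sentence that ./sk must be readable only by the user running nix-push and must never be placed under the cache directory passed to --dest, because anyone holding the secret key can produce signatures that every client configured with the matching public key will accept. The nix.conf snippet is fine as written, but it would help to note that `signed-binary-caches = *` applies to every entry in binary-caches, not only to cache.example.org.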
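Review bot: In the Sig field description in the nix-push.xml hunk, "of the the form" has a duplicated "the". More importantly, the text lists the fields the signature covers (StorePath, NarHash, NarSize, References) but does not say that the remaining narinfo fields, such as Deriver in the example above the hunk, are not covered and therefore unauthenticated; say so, and state that clients must verify the downloaded NAR against NarHash rather than trusting any other field. The description should also give the exact byte string that is signed (field order and separator), otherwise an independent implementation cannot reproduce the verification.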
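Review bot: In the nix-store.xml --generate-binary-cache-key hunk, "to be incremented every time you need to revoke a key" implies that choosing a new suffix revokes the old key, but nothing in this patch does that: a client keeps trusting every key still listed in binary-cache-public-keys. Add a sentence that revocation means clients must remove the old public key from that option, and that the new name only avoids confusing the two keys. The list item for the secret key file should also state the file mode it is created with (readable only by the owner), since the description otherwise gives no hint that the file is sensitive.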