That’s cool. Can you tell us more about the format of the keys etc.? It looks like you rely on libsodium, which in turn uses a kind of EdDSA, so the `doc/signing.txt` is outdated. I didn’t dive into the code, but my guess is that the part before the colon is just the name of the key and the colon is followed by base64 which you decode and feed to libsodium. Is that correct?
Does anyone know of any command-line tools for libsodium to play with the signatures?

On Fri, Apr 17, 2015 at 2:43 PM Eelco Dolstra <eelco.dols...@logicblox.com> wrote:

> Hi,
>
> On 16/04/15 23:58, Vladimír Čunát wrote:
>
> > For the state of signing NARs see discussion at
> > https://github.com/NixOS/nix/issues/75
>
> I started signing new binaries in cache.nixos.org about 2 months ago. For example:
>
>   $ curl http://cache.nixos.org/17avgmlwqfcy8si4d195f8dkr7rlxf46.narinfo | grep Sig
>   Sig: cache.nixos.org-1:lp7+/SdKgObG+GHmgwmFT8xQHVZ+IuoRbpHzO6yVCk2m+X0bp4fF8fChRgpqPRlLtba6VRx67dd9UgyKS7xaDg==
>
> However, old binaries haven't been signed yet.
>
> Hydra.nixos.org produces signed binaries on the fly:
>
>   $ curl http://hydra.nixos.org/la5imi1602jxhpds9675n2n2d0683lbq.narinfo | grep Sig
>   Sig: hydra.nixos.org-1:FJabMP7BspE5TjdxUkHpAmiTa94x3gdZ1i/hP4gZi/3Z9nddgPUdceHLxs14mTySIgTsSXEq6fMTPvhUxuEIDQ==
>
> To verify signatures, you need a Nix 1.9 prerelease (1.8 already had experimental signature support, but I changed the format), and add this to nix.conf:
>
>   signed-binary-caches = *
>   binary-cache-public-keys = <one or more public keys>
>
> The public keys are:
>
>   cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
>   hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=
>
> On NixOS-unstable, you can just set
>
>   nix.requireSignedBinaryCaches = true;
>
> The public key for cache.nixos.org is included by default. You can add additional ones:
>
>   nix.binaryCachePublicKeys = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
>
> --
> Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
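As an added example (not part of the thread and not Nix's own code), this Python sketch parses the `name:base64` strings quoted above, checks the decoded lengths, and picks the trusted public key whose name matches the `Sig:` line. The function names are hypothetical and the 32-byte key and 64-byte signature sizes assume libsodium's Ed25519; it stops before the actual verify call because the thread does not say which narinfo fields are signed.

```python
import base64
import binascii

# Values copied from the message above.
TRUSTED_KEYS = [
    "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=",
    "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=",
]
SIG_LINE = ("Sig: cache.nixos.org-1:lp7+/SdKgObG+GHmgwmFT8xQHVZ+IuoRbpHzO6yVCk2m"
            "+X0bp4fF8fChRgpqPRlLtba6VRx67dd9UgyKS7xaDg==")

# Assumption: Ed25519 sizes as used by libsodium's crypto_sign.
ED25519_PUBLIC_KEY_LEN = 32
ED25519_SIGNATURE_LEN = 64


def split_named_blob(text, expected_len):
    """Split 'name:base64' into (name, raw_bytes), rejecting malformed input."""
    name, sep, b64 = text.strip().partition(":")
    if not sep or not name or not b64:
        raise ValueError("expected <key-name>:<base64>")
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 for {name!r}") from exc
    if len(raw) != expected_len:
        raise ValueError(f"{name!r}: got {len(raw)} bytes, want {expected_len}")
    return name, raw


def load_trusted_keys(entries):
    """Build {key_name: public_key_bytes} from binary-cache-public-keys entries."""
    return dict(split_named_blob(e, ED25519_PUBLIC_KEY_LEN) for e in entries)


def select_key_for_sig(sig_line, trusted):
    """Return (key_name, signature, public_key); raise if the signer is not trusted."""
    field, _, value = sig_line.partition(":")
    if field.strip() != "Sig":
        raise ValueError("not a Sig line")
    name, signature = split_named_blob(value, ED25519_SIGNATURE_LEN)
    if name not in trusted:
        # A signature from an unknown key name must never be accepted.
        raise KeyError(f"no trusted public key named {name!r}")
    return name, signature, trusted[name]
```

The returned signature and public key are the inputs a detached Ed25519 verify would take, together with the signed message.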