>> If you sign the script and it contains say sha512sums for the things it
>> pulls you don't have to sign them separately. It's similar to how many
>> distributions only distribute one file with all the sums that is signed.
>
> I don't think there's an easy way for the user to verify such sums, as
> they would be over large file trees. (Nix would do that but at this
> point they don't have/trust it yet.)

The user doesn't verify those sums or signatures, the installation script
does. The user only has to verify the installation script.

> Perhaps if we built one big self-extracting script and signed it... if
> you'd like to implement that ;-)

This is what the script currently does:

url="https://nixos.org/releases/nix/nix-1.11.2/nix-1.11.2-$system.tar.bz2"
curl -L "$url" | bzcat | tar x -C "$unpack" || oops "failed to unpack \`$url'"

What it could do instead is:

url="https://nixos.org/releases/nix/nix-1.11.2/nix-1.11.2-$system.tar.bz2"
sig="https://nixos.org/releases/nix/nix-1.11.2/nix-1.11.2-$system.tar.bz2.sig"
wget "$url" "$sig" || oops "download failed"
# gpg --verify takes the detached signature first and the signed file second,
# and only succeeds if the release signing key is already in the keyring.
gpg --verify "nix-1.11.2-$system.tar.bz2.sig" "nix-1.11.2-$system.tar.bz2" || oops "verification failed"
tar -xjf "nix-1.11.2-$system.tar.bz2" -C "$unpack" || oops "unpacking failed"

Or you could just have the sha512sum embedded in the installation script:

case "$(uname -s).$(uname -m)" in
    Linux.x86_64)
        system=x86_64-linux
        sum="f3934610bdc68b276a362b9079b18dd6d28221a727ec71ed3a3a11fddcee59dd2fa1ac401b3a25d668e880c04bcd4c971cf82861820b5ff678353f7e7ba1bfc41 nix-1.11.2-x86_64-linux.tar.bz2";;
    Linux.i?86)
        system=i686-linux
        sum="fa52b31a63603be5370c2a25ca9b192fbb8f50038904a9a4d590a6abefdb3b46c362d1f49dbee5fa09175ebdcbb84317615a3d647197da1485f5543d7ff7fc0a nix-1.11.2-i686-linux.tar.bz2";;
    Darwin.x86_64)
        system=x86_64-darwin
        sum="f0af3f2ca025fae9e026ce0ad53852d05faa0f11cf2a3be239d5dfec1a2c7f47cb9a43a17cd4c5894064fa9e99b444ab80b9ca0659011a21dc79269758c631ef6 nix-1.11.2-x86_64-darwin.tar.bz2";;
    *) oops "sorry, there is no binary distribution of Nix for your platform";;
esac
url="https://nixos.org/releases/nix/nix-1.11.2/nix-1.11.2-$system.tar.bz2"
wget "$url" || oops "download failed"
# sha512sum prints "<digest>  <file>" (two spaces), so compare the digest on
# its own rather than the whole line. macOS has no sha512sum; use
# `shasum -a 512` there.
[ "$(sha512sum "nix-1.11.2-$system.tar.bz2" | cut -d' ' -f1)" = "${sum%% *}" ] || oops "verification failed"
tar -xjf "nix-1.11.2-$system.tar.bz2" -C "$unpack" || oops "unpacking failed"

Of course the gpg signature would be better because people can verify that
manually as well, instead of having to verify the installation script and
verify the tarballs by proxy.

_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
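The embedded-digest approach above, worked through end to end as an added example (this is not code from the Nix installer, the poster, or the nix-dev thread). It assumes a POSIX shell with either GNU coreutils `sha512sum` or Perl `shasum -a 512`, and it fabricates its own sample "release" in a temporary directory so it runs offline; the helper names `sha512_of`, `make_record` and `verify_download` are invented here. It goes slightly beyond the message by checking the file name in the record as well as the digest, and by showing a tampered and a wrong-platform download being rejected.

```sh
#!/bin/sh
# Added example for this thread, not code from the Nix installer or the
# poster. Assumes a POSIX shell plus GNU `sha512sum` or Perl `shasum`;
# the sample release below is constructed, not a real Nix tarball.

oops() { printf 'error: %s\n' "$*" >&2; }

# Hex SHA-512 digest of a file. macOS ships no sha512sum, so fall back
# to `shasum -a 512`; both print "<digest> <rest>", so keep field 1 only.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1"
    else
        shasum -a 512 "$1"
    fi | cut -d' ' -f1
}

# Maintainer side: the "<digest> <filename>" record to paste into the
# installer before the installer itself is signed.
make_record() {
    printf '%s %s\n' "$(sha512_of "$1")" "$(basename "$1")"
}

# Installer side: accept a downloaded file only if both its name and its
# digest match the embedded record. Checking the name too means a mirror
# cannot hand back a genuine tarball built for another platform, and a
# record left over from an older release cannot approve a renamed file.
verify_download() {
    vd_file=$1
    vd_want_sum=${2%% *}
    vd_want_name=${2#* }
    [ -f "$vd_file" ] || { oops "$vd_file: not a regular file"; return 1; }
    [ "$(basename "$vd_file")" = "$vd_want_name" ] \
        || { oops "expected $vd_want_name, got $(basename "$vd_file")"; return 1; }
    [ "$(sha512_of "$vd_file")" = "$vd_want_sum" ] \
        || { oops "digest mismatch for $vd_file"; return 1; }
}

# --- Demonstration on constructed files (not a real Nix release) --------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
rel=nix-1.11.2-x86_64-linux.tar.bz2
mkdir -p "$demo_dir/good" "$demo_dir/evil" "$demo_dir/other"

# The "published" tarball; arbitrary content stands in for the archive.
printf 'constructed sample release\n' > "$demo_dir/good/$rel"
record=$(make_record "$demo_dir/good/$rel")   # what gets embedded in the script

# A copy with one byte appended, as a tampering mirror might serve it,
# and an untouched copy under another platform's file name.
cp "$demo_dir/good/$rel" "$demo_dir/evil/$rel"
printf 'x' >> "$demo_dir/evil/$rel"
cp "$demo_dir/good/$rel" "$demo_dir/other/nix-1.11.2-i686-linux.tar.bz2"

verify_download "$demo_dir/good/$rel" "$record" && echo "genuine tarball accepted"
verify_download "$demo_dir/evil/$rel" "$record" || echo "tampered tarball rejected"
verify_download "$demo_dir/other/nix-1.11.2-i686-linux.tar.bz2" "$record" \
    || echo "wrong-platform file rejected"
```

The record format deliberately mirrors a `sha512sum` listing, so the same line can also be published on its own for people who want to check a download by hand; the script only compares the digest field, which sidesteps the one-space-versus-two-spaces difference between a hand-written record and `sha512sum` output.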