Require signed binary caches by default

2 files changed, 6 insertions, 1 deletions

diff --git a/nixos/doc/manual/release-notes/rl-unstable.xml b/nixos/doc/manual/release-notes/rl-unstable.xml
index ecde80f2a01d..6ae8cd83d3f4 100644
--- a/nixos/doc/manual/release-notes/rl-unstable.xml
+++ b/nixos/doc/manual/release-notes/rl-unstable.xml
@@ -56,6 +56,11 @@ default, unless you have a non-empty
 <command>cron</command> to be enabled, set
 <option>services.cron.enable = true</option>.</para></listitem>
 
+<listitem><para>Nix now requires binary caches to be cryptographically
+signed. If you have unsigned binary caches that you want to continue
+to use, you should set <option>nix.requireSignedBinaryCaches =
+false</option>.</para></listitem>
+
 <listitem><para>Steam now doesn't need root rights to work. Instead of using
 <literal>*-steam-chrootenv</literal>, you should now just run <literal>steam</literal>.
 <literal>steamChrootEnv</literal> package was renamed to <literal>steam</literal>,
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index b5a8a7df9fca..49286f512bb9 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -254,7 +254,7 @@ in
 
       requireSignedBinaryCaches = mkOption {
         type = types.bool;
-        default = false;
+        default = true;
         description = ''
           If enabled, Nix will only download binaries from binary
           caches if they are cryptographically signed with any of the