author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-02-19 14:15:02 +0100 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-02-19 14:22:43 +0100 |
commit | 5762f8f95c802165d374ece8154a6a79aa9a70a0 (patch) | |
tree | 88383e682c8481bd702472f406720e5597471f68 /nixos | |
parent | ebfadc2fc93821fa9d4ce2571109d17d44b79ec6 (diff) | |
Add options to support signed binary caches
Typical use: nix.requireSignedBinaryCaches = true; nix.binaryCachePublicKeys = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; (The public key of cache.nixos.org is included by default.) Note that this requires Nix 1.9 and that most of cache.nixos.org hasn't been signed yet.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/misc/nix-daemon.nix | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index 81fabd1923f9..f231998d8f47 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -41,6 +41,10 @@ let
       build-chroot-dirs = ${toString cfg.chrootDirs} /bin/sh=${sh} $(echo $extraPaths)
       binary-caches = ${toString cfg.binaryCaches}
       trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
+      binary-cache-public-keys = ${toString cfg.binaryCachePublicKeys}
+      ${optionalString cfg.requireSignedBinaryCaches ''
+        signed-binary-caches = *
+      ''}
       $extraOptions
     END
   '';
@@ -244,6 +248,33 @@ in
         '';
       };
 
+      requireSignedBinaryCaches = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          If enabled, Nix will only download binaries from binary
+          caches if they are cryptographically signed with any of the
+          keys listed in
+          <option>nix.binaryCachePublicKeys</option>. If disabled (the
+          default), signatures are neither required nor checked, so
+          it's strongly recommended that you use only trustworthy
+          caches and https to prevent man-in-the-middle attacks.
+        '';
+      };
+
+      binaryCachePublicKeys = mkOption {
+        type = types.listOf types.str;
+        example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
+        description = ''
+          List of public keys used to sign binary caches. If
+          <option>nix.requireSignedBinaryCaches</option> is enabled,
+          then Nix will use a binary from a binary cache if and only
+          if it is signed by <emphasis>any</emphasis> of the keys
+          listed here. By default, only the key for
+          <uri>cache.nixos.org</uri> is included.
+        '';
+      };
+
     };
   };
 
@@ -253,6 +284,8 @@ in
 
   config = {
 
+    nix.binaryCachePublicKeys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
+
     environment.etc."nix/nix.conf".source = nixConf;
 
     # List of machines for distributed Nix builds in the format |
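Review bot: The `signed-binary-caches = *` line in the first hunk carries no explanation of the wildcard, so a reader of nixConf cannot tell that `*` makes a valid signature mandatory for every cache listed in binary-caches/trusted-binary-caches rather than enabling a per-cache check; a one-line comment above the `optionalString`, `# "*": every configured cache must present a valid signature; Nix offers no per-cache setting here`, would make the trust decision visible at the point it is written. The new `binary-cache-public-keys` line joins the list with `toString`, i.e. single spaces, and Nix presumably reads it back as a whitespace-separated list, so a key string that accidentally contains whitespace would silently become two bogus entries; `types.listOf types.str` does not rule that out, and an assertion that no element contains whitespace would catch it at evaluation time. The nixConf definition starts before this hunk.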
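Review bot: `binaryCachePublicKeys` in the second hunk has no `default`; the cache.nixos.org key is instead supplied as a definition in `config` (third hunk), so a user's `nix.binaryCachePublicKeys = [ ... ]` is merged with the built-in key rather than replacing it, while the description's "By default, only the key for cache.nixos.org is included" reads as though setting the option overrides that default. Because this list decides which signers the whole system trusts, the description should say so explicitly: `Keys listed here are added to the built-in cache.nixos.org key; use lib.mkForce to trust only the keys you list.` Adding `default = [];` to the option would additionally make the generated option documentation show a default. The `requireSignedBinaryCaches` description could likewise note that the requirement applies to every configured cache, since the hunk provides no per-cache variant.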