nix-super/src/nix/key-generate-secret.md
2021-01-13 23:32:37 +01:00

48 lines
1.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

R""(
# Examples
* Generate a new secret key:
```console
# nix key generate-secret --key-name cache.example.org-1 > ./secret-key
```
We can then use this key to sign the closure of the Hello package:
```console
# nix build nixpkgs#hello
# nix store sign --key-file ./secret-key --recursive ./result
```
Finally, we can verify the store paths using the corresponding
public key:
```
# nix store verify --trusted-public-keys $(nix key convert-secret-to-public < ./secret-key) ./result
```
# Description
This command generates a new Ed25519 secret key for signing store
paths and prints it on standard output. Use `nix key
convert-secret-to-public` to get the corresponding public key for
verifying signed store paths.
The mandatory argument `--key-name` specifies a key name (such as
`cache.example.org-1). It is used to look up keys on the client when
it verifies signatures. It can be anything, but its suggested to use
the host name of your cache (e.g. `cache.example.org`) with a suffix
denoting the number of the key (to be incremented every time you need
to revoke a key).
# Format
Both secret and public keys are represented as the key name followed
by a base-64 encoding of the Ed25519 key data, e.g.
```
cache.example.org-0:E7lAO+MsPwTFfPXsdPtW8GKui/5ho4KQHVcAGnX+Tti1V4dUxoVoqLyWJ4YESuZJwQ67GVIksDt47og+tPVUZw==
```
)""