Document secret-key-files

1 files changed, 16 insertions, 3 deletions

diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml
index c3a9cc56063a..868cca1da409 100644
--- a/doc/manual/command-ref/conf-file.xml
+++ b/doc/manual/command-ref/conf-file.xml
@@ -408,9 +408,9 @@ false</literal>.</para>
     any non-content-addressed path added or copied to the Nix store
     (e.g. when substituting from a binary cache) must have a valid
     signature, that is, be signed using one of the keys listed in
-    <option>trusted-public-keys</option>. Set to
-    <literal>false</literal> to disable signature
-    checking.</para></listitem>
+    <option>trusted-public-keys</option> or
+    <option>secret-key-files</option>. Set to <literal>false</literal>
+    to disable signature checking.</para></listitem>
 
   </varlistentry>
 
@@ -426,6 +426,19 @@ false</literal>.</para>
   </varlistentry>
 
 
+  <varlistentry><term><literal>secret-key-files</literal></term>
+
+    <listitem><para>A whitespace-separated list of files containing
+    secret (private) keys. These are used to sign locally-built
+    paths. They can be generated using <command>nix-store
+    --generate-binary-cache-key</command>. The corresponding public
+    key can be distributed to other users, who can add it to
+    <option>trusted-public-keys</option> in their
+    <filename>nix.conf</filename>.</para></listitem>
+
+  </varlistentry>
+
+
   <varlistentry><term><literal>http-connections</literal></term>
 
     <listitem><para>The maximum number of parallel TCP connections