path: root/perl/lib/Nix/Config.pm.in
Age | Commit message | Author | Files | Lines
2015-02-04 | Use libsodium instead of OpenSSL for binary cache signing | Eelco Dolstra | 1 | -9/+18
Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA signatures. Public keys are also much shorter, so they're now specified directly in the nix.conf option ‘binary-cache-public-keys’. The new command ‘nix-store --generate-binary-cache-key’ generates and prints a public and secret key.
2014-08-20 | Use proper quotes everywhere | Eelco Dolstra | 1 | -1/+1
2014-01-21 | Merge branch 'master' into make | Eelco Dolstra | 1 | -1/+2
Conflicts: src/libexpr/eval.cc
2014-01-08 | Support cryptographically signed binary caches | Eelco Dolstra | 1 | -1/+2
NAR info files in binary caches can now have a cryptographic signature that Nix will verify before using the corresponding NAR file.

To create a private/public key pair for signing and verifying a binary cache, do:

  $ openssl genrsa -out ./cache-key.sec 2048
  $ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub

You should also come up with a symbolic name for the key, such as "cache.example.org-1". This will be used by clients to look up the public key. (It's a good idea to number keys, in case you ever need to revoke/replace one.)

To create a binary cache signed with the private key:

  $ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1

The public key (cache-key.pub) should be distributed to the clients. Their nix.conf should contain something like:

  signed-binary-caches = *
  binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub

If all works well, then if Nix fetches something from the signed binary cache, you will see a message like:

  *** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...

On the other hand, if the signature is wrong, you get a message like:

  NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring

Signatures are implemented as a single line appended to the NAR info file, which looks like this:

  Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==

Thus the signature has 3 fields: a version (currently "1"), the ID of the key, and the base64-encoded signature of the SHA-256 hash of the contents of the NAR info file up to but not including the Signature line.

Issue #75.
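As an added illustration of the signature format the 2014-01-08 commit message describes (not code from Nix itself), this Python example splits a NAR info file into the signed content and the three Signature fields and rejects anything malformed, so a caller can ignore the file as the message describes. The function name, the `configured_keys` set and the sample file are assumptions; checking the decoded signature against the public key is left to an RSA library.

```python
import base64
import binascii
import hashlib
from typing import NamedTuple

class SignedNarInfo(NamedTuple):
    key_name: str     # key ID used to look up the public key
    signature: bytes  # decoded signature, still to be verified with that key
    digest: bytes     # SHA-256 of everything before the Signature line

def parse_signed_narinfo(text, configured_keys):
    """Parse a version-1 Signature line; raise ValueError so callers ignore the file."""
    lines = text.splitlines(keepends=True)
    sig_at = [i for i, line in enumerate(lines) if line.startswith("Signature:")]
    if sig_at != [len(lines) - 1]:
        raise ValueError("need exactly one Signature line, as the last line")
    fields = lines[-1][len("Signature:"):].strip().split(";")
    if len(fields) != 3:
        raise ValueError("Signature line must have 3 fields")
    version, key_name, sig_b64 = fields
    if version != "1":
        raise ValueError("unsupported signature version")
    if key_name not in configured_keys:
        raise ValueError("no public key configured for this key ID")
    try:
        signature = base64.b64decode(sig_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("signature is not valid base64") from exc
    if not signature:
        raise ValueError("empty signature")
    signed = "".join(lines[:-1]).encode()
    return SignedNarInfo(key_name, signature, hashlib.sha256(signed).digest())

# Constructed sample: the store path is the one quoted in the commit message;
# the signature bytes are filler, not a real RSA signature.
SAMPLE_BODY = (
    "StorePath: /nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11\n"
    "URL: nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11\n"
)
SAMPLE_SIG = base64.b64encode(b"constructed filler bytes").decode()
SAMPLE = SAMPLE_BODY + "Signature: 1;cache.example.org-1;" + SAMPLE_SIG + "\n"

if __name__ == "__main__":
    info = parse_signed_narinfo(SAMPLE, {"cache.example.org-1"})
    print(info.key_name, info.digest.hex())
```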
2013-11-25 | Add a Makefile for the Perl stuff | Eelco Dolstra | 1 | -1/+1
2012-07-30 | Pass configuration settings to the substituters | Eelco Dolstra | 1 | -1/+9
Previously substituters could read nix.conf themselves, but this didn't take --option flags into account.
2012-07-11 | Set the User-Agent header to "Nix/<version>" | Eelco Dolstra | 1 | -0/+2
2012-07-09 | download-from-binary-cache: add nix.conf options | Eelco Dolstra | 1 | -3/+3
2012-06-29 | First attempt at the manifest-less substituter | Eelco Dolstra | 1 | -0/+1
2012-06-29 | Use XZ compression in binary caches | Eelco Dolstra | 1 | -1/+2
XZ compresses significantly better than bzip2. Here are the compression ratios and execution times (using 4 cores in parallel) on my /var/run/current-system (3.1 GiB):

  bzip2: total compressed size 849.56 MiB, 30.8% [2m08]
  xz -6: total compressed size 641.84 MiB, 23.4% [6m53]
  xz -7: total compressed size 621.82 MiB, 22.6% [7m19]
  xz -8: total compressed size 599.33 MiB, 21.8% [7m18]
  xz -9: total compressed size 588.18 MiB, 21.4% [7m40]

Note that compression takes much longer. More importantly, however, decompression is much faster:

  bzip2: 1m47.274s
  xz -6: 0m55.446s
  xz -7: 0m54.119s
  xz -8: 0m52.388s
  xz -9: 0m51.842s

The only downside to using -9 is that decompression takes a fair amount (~65 MB) of memory.
2012-05-10 | Support building with the Perl XS bindings disabled | Eelco Dolstra | 1 | -0/+2
Since the Perl bindings require shared libraries, this is required on platforms such as Cygwin where we do a static build.
2012-01-03 | * Add a test for nix-channel. | Eelco Dolstra | 1 | -0/+1
* Refactor the nix-channel unpacker a bit.
2011-11-23 | * build-remote.pl: drop a hard-coded reference to /nix/etc/nix. | Eelco Dolstra | 1 | -0/+1
2011-10-10 | * Install NixManifest.pm, NixConfig.pm and GeneratePatches.pm under | Eelco Dolstra | 1 | -0/+25
the Nix:: namespace.