-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add an OpenPGP signature for every tarball on nixos.org #404
Comments
You're talking about tarballs.nixos.org? If so, what's the use? Fetchurl checks the hash so any tampering will be detected. |
I believe it was meant for (source) releases of nix itself, http://nixos.org/nix/download.html. |
How does the signing infrastructure work? All that would be needed is to I would like this too, it would give a some guarantee about the The signing key would have to be time-limited and signed by a bunch of |
It might be worth checking out http://theupdateframework.com/ |
http://nixos.org/nix/download.html now contains gpg keys. |
Add an OpenPGP signature for every tarball on nixos.org and instructions explaining how to verify them. Allow to download the tarballs directly instead of piping a script to 'sh' (as done with Nix). Sign the signing key itself and put it on the keyservers.
via IRC by "nkar"
The text was updated successfully, but these errors were encountered: