Add an OpenPGP signature for every tarball on nixos.org

[domenkozar]

Add an OpenPGP signature for every tarball on nixos.org and instructions explaining how to verify them. Allow to download the tarballs directly instead of piping a script to 'sh' (as done with Nix). Sign the signing key itself and put it on the keyservers.

via IRC by "nkar"

[edolstra]

You're talking about tarballs.nixos.org? If so, what's the use? Fetchurl checks the hash so any tampering will be detected.

[vcunat]

I believe it was meant for (source) releases of nix itself, http://nixos.org/nix/download.html.

[wmertens]

How does the signing infrastructure work? All that would be needed is to
sign a list of checksums of all current tarballs.

I would like this too, it would give a some guarantee about the
trustworthiness of binaries downloaded from Hydra.

The signing key would have to be time-limited and signed by a bunch of
developers so that it couldn't be easily faked (with e.g. a dns attack
sending a victim to a nefarious hydra).

[domenkozar]

It might be worth checking out http://theupdateframework.com/

[domenkozar]

http://nixos.org/nix/download.html now contains gpg keys.