Man page - nix3-key-generate-secret(1)
Packages contains this manual
- nix3-store-prefetch-file(1)
- nix3-flake(1)
- nix-instantiate(1)
- nix-profiles(5)
- nix3-store-sign(1)
- nix3-hash-to-sri(1)
- nix3-nar-ls(1)
- nix-store-verify(1)
- nix3-profile-wipe-history(1)
- nix3-derivation-add(1)
- nix-env-upgrade(1)
- nix3-store-add(1)
- nix(1)
- nix3-store-verify(1)
- nix-env-list-generations(1)
- nix3-store-repair(1)
- nix-store-query(1)
- nix3-flake-archive(1)
- nix-store-load-db(1)
- nix3-store-dump-path(1)
- nix3-realisation(1)
- nix3-derivation-show(1)
- nix3-store-path-from-hash-part(1)
- nix3-flake-prefetch(1)
- nix3-develop(1)
- nix3-help(1)
- nix3-store-make-content-addressed(1)
- nix3-hash-to-base64(1)
- nix3-log(1)
- nix3-nar(1)
- nix-store-import(1)
- nix3-registry-pin(1)
- nix3-config(1)
- nix3-copy(1)
- nix3-nar-pack(1)
- nix3-nar-cat(1)
- nix3-store-cat(1)
- nix-store-realise(1)
- nix3-key(1)
- nix3-run(1)
- nix3-store-copy-sigs(1)
- nix3-flake-check(1)
- nix3-hash-path(1)
- nix-channel(1)
- nix-store-gc(1)
- nix-build(1)
- nix-store-dump-db(1)
- nix3-flake-clone(1)
- nix3-registry-remove(1)
- nix-store-add-fixed(1)
- nix3-print-dev-env(1)
- nix3-help-stores(1)
- nix3-key-convert-secret-to-public(1)
- nix-env(1)
- nix3-profile(1)
- nix3-profile-list(1)
- nix3-store-ls(1)
- nix3-profile-install(1)
- nix3-flake-lock(1)
- nix-store-dump(1)
- nix-store-delete(1)
- nix3-hash(1)
- nix-env-install(1)
- nix-store-repair-path(1)
- nix3-daemon(1)
- nix3-config-show(1)
- nix3-flake-init(1)
- nix3-profile-diff-closures(1)
- nix3-hash-to-base16(1)
- nix-store-read-log(1)
- nix.conf(5)
- nix3-store-copy-log(1)
- nix3-eval(1)
- nix3-store-info(1)
- nix3-repl(1)
- nix-hash(1)
- nix3-store-add-path(1)
- nix-collect-garbage(1)
- nix3-key-generate-secret(1)
- nix-store-optimise(1)
- nix-store-print-env(1)
- nix3-store-diff-closures(1)
- nix3-flake-new(1)
- nix3-flake-metadata(1)
- nix3-config-check(1)
- nix-store-serve(1)
- nix3-store-gc(1)
- nix-store-generate-binary-cache-key(1)
- nix-store(1)
- nix3-upgrade-nix(1)
- nix-env-switch-generation(1)
- nix3-why-depends(1)
- nix3-path-info(1)
- nix3-store-add-file(1)
- nix3-profile-remove(1)
- nix3-registry-list(1)
- nix3-fmt(1)
- nix3-derivation(1)
- nix3-env-shell(1)
- nix-env-query(1)
- nix-env-switch-profile(1)
- nix3-flake-show(1)
- nix-copy-closure(1)
- nix-env-delete-generations(1)
- nix3-store(1)
- nix3-realisation-info(1)
- nix-daemon(8)
- nix3-hash-convert(1)
- nix-env-set-flag(1)
- nix3-registry(1)
- nix3-bundle(1)
- nix3-profile-upgrade(1)
- nix3-profile-rollback(1)
- nix-prefetch-url(1)
- nix3-edit(1)
- nix3-store-ping(1)
- nix3-store-optimise(1)
- nix-store-add(1)
- nix-store-restore(1)
- nix3-flake-info(1)
- nix-store-export(1)
- nix-store-verify-path(1)
- nix3-store-delete(1)
- nix3-registry-add(1)
- nix3-build(1)
- nix3-nar-dump-path(1)
- nix3-search(1)
- nix-shell(1)
- nix3-hash-file(1)
- nix3-profile-history(1)
- nix-env-uninstall(1)
- nix3-flake-update(1)
- nix-env-set(1)
- nix-env-rollback(1)
- nix3-hash-to-base32(1)
apt-get install nix-bin
Manual
nix3-key-generate-secret
NameSynopsis
Examples
Description
Format
Options
Logging-related options
Miscellaneous global options
Warning
This program is
experimental
and its interface is subject to change.
Name
nix key generate-secret - generate a secret key for signing store paths
Synopsis
nix key generate-secret [ option β¦]
Examples
|
β’ |
Generate a new secret key: |
# nix key generate-secret --key-name cache.example.org-1 > ./secret-key
We can then use this key to sign the closure of the Hello package:
# nix build
nixpkgs#hello
# nix store sign --key-file ./secret-key --recursive
./result
Finally, we can verify the store paths using the corresponding public key:
# nix store verify --trusted-public-keys $(nix key convert-secret-to-public < ./secret-key) ./result
Description
This command generates a new Ed25519 secret key for signing store paths and prints it on standard output. Use nix key convert-secret-to-public to get the corresponding public key for verifying signed store paths.
The mandatory argument --key-name specifies a key name (such as cache.example.org-1). It is used to look up keys on the client when it verifies signatures. It can be anything, but itβs suggested to use the host name of your cache (e.g. cache.example.org) with a suffix denoting the number of the key (to be incremented every time you need to revoke a key).
Format
Both secret and public keys are represented as the key name followed by a base-64 encoding of the Ed25519 key data, e.g.
cache.example.org-0:E7lAO+MsPwTFfPXsdPtW8GKui/5ho4KQHVcAGnX+Tti1V4dUxoVoqLyWJ4YESuZJwQ67GVIksDt47og+tPVUZw==
Options
|
β’ |
--key-name name |
Identifier of the key (e.g. cache.example.org-1).
Logging-related options
|
β’ |
Set the logging verbosity level to βdebugβ.
|
β’ |
--log-format format |
Set the format of log output; one of raw, internal-json, bar or bar-with-logs.
|
β’ |
--print-build-logs / -L |
Print full build logs on standard error.
|
β’ |
Decrease the logging verbosity level.
|
β’ |
--verbose / -v |
Increase the logging verbosity level.
Miscellaneous global options
|
β’ |
Show usage information.
|
β’ |
Disable substituters and consider all previously downloaded files up-to-date.
|
β’ |
--option name value |
Set the Nix configuration setting name to value (overriding nix.conf).
|
β’ |
Consider all previously downloaded files out-of-date.
|
β’ |
Show version information.
Note
See man nix.conf for overriding configuration settings with command line flags.