nix3-key-generate-secret(1)   General Commands Manual   nix3-key-generate-secret(1)

       Warning
       This program is experimental and its interface is subject to change.

Name
       nix key generate-secret - generate a secret key for signing store paths

Synopsis
       nix key generate-secret [option...]

Examples
       Generate a new secret key:

       # nix key generate-secret --key-name cache.example.org-1 > ./secret-key

       We can then use this key to sign the closure of the Hello package:

       # nix build nixpkgs#hello
       # nix store sign --key-file ./secret-key --recursive ./result

       Finally, we can verify the store paths using the corresponding
       public key:

       # nix store verify --trusted-public-keys $(nix key convert-secret-to-public < ./secret-key) ./result

Description
       This command generates a new Ed25519 secret key for signing store paths
       and prints it on standard output. Use nix key convert-secret-to-public
       to get the corresponding public key for verifying signed store paths.

       The mandatory argument --key-name specifies a key name (such as
       cache.example.org-1). It is used to look up keys on the client when it
       verifies signatures. It can be anything, but it's suggested to use the
       host name of your cache (e.g. cache.example.org) with a suffix denoting
       the number of the key (to be incremented every time you need to revoke
       a key).

Format
       Both secret and public keys are represented as the key name followed by
       a base-64 encoding of the Ed25519 key data, e.g.

       cache.example.org-0:E7lAO+MsPwTFfPXsdPtW8GKui/5ho4KQHVcAGnX+Tti1V4dUxoVoqLyWJ4YESuZJwQ67GVIksDt47og+tPVUZw==
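
       The following parser for this format is an added example, not part of
       Nix or of the original page. It tells secret from public keys by
       decoded length so that a secret key is not published by mistake; the
       function names are hypothetical, and it assumes the libsodium layout
       in which a 64-byte secret key ends with its 32-byte public key.

```python
import base64
import binascii
from dataclasses import dataclass

# Assumption: libsodium layout, a 64-byte secret key = 32-byte seed + 32-byte public key.
SECRET_LEN, PUBLIC_LEN = 64, 32

@dataclass(frozen=True)
class NixKey:
    name: str
    data: bytes

    @property
    def kind(self) -> str:
        return "secret" if len(self.data) == SECRET_LEN else "public"

    def render(self) -> str:
        return f"{self.name}:{base64.b64encode(self.data).decode()}"

def parse_key(text: str) -> NixKey:
    """Parse '<key-name>:<base64>' and reject anything that is not a 32- or 64-byte key."""
    name, sep, b64 = text.strip().partition(":")
    if not sep or not name:
        raise ValueError("expected '<key-name>:<base64>'")
    try:
        data = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key data is not valid base64: {exc}") from None
    if len(data) not in (SECRET_LEN, PUBLIC_LEN):
        raise ValueError(f"unexpected key length: {len(data)} bytes")
    return NixKey(name, data)

def to_public(key: NixKey) -> NixKey:
    """Public half of a secret key (its trailing 32 bytes); public keys pass through."""
    return key if key.kind == "public" else NixKey(key.name, key.data[PUBLIC_LEN:])

def audit_trusted_keys(entries: list[str]) -> list[str]:
    """Names of entries that are secret keys and so must not be distributed to clients."""
    return [k.name for k in map(parse_key, entries) if k.kind == "secret"]

# Sample key copied from the Format section; it decodes to 64 bytes.
SAMPLE = ("cache.example.org-0:E7lAO+MsPwTFfPXsdPtW8GKui/5ho4KQHVcAGnX+"
          "Tti1V4dUxoVoqLyWJ4YESuZJwQ67GVIksDt47og+tPVUZw==")

if __name__ == "__main__":
    key = parse_key(SAMPLE)
    print(key.kind, "->", to_public(key).render())
    print("secret keys in list:", audit_trusted_keys([SAMPLE, to_public(key).render()]))
```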

Options
         --key-name name

          Identifier of the key (e.g. cache.example.org-1).

   Logging-related options
         --debug

          Set the logging verbosity level to `debug'.

         --log-format format

          Set the format of log output; one of raw, internal-json, bar or
          bar-with-logs.

         --print-build-logs / -L

          Print full build logs on standard error.

         --quiet

          Decrease the logging verbosity level.

         --verbose / -v

          Increase the logging verbosity level.

   Miscellaneous global options
         --help

          Show usage information.

         --offline

          Disable substituters and consider all previously downloaded files
          up-to-date.

         --option name value

          Set the Nix configuration setting name to value (overriding
          nix.conf).

         --refresh

          Consider all previously downloaded files out-of-date.

         --version

          Show version information.

          Note

          See man nix.conf for overriding configuration settings with
          command line flags.
