.\" -*- mode: troff; coding: utf-8 -*-
.TH "nix3-key-generate-secret" "1" ""
.RS
.PP
\fBWarning\fR
.br
This program is \fB\fBexperimental\fR\fR and its interface is subject to change.
.RE
.SH Name
.LP
\f(CRnix key generate-secret\fR - generate a secret key for signing store paths
.SH Synopsis
.LP
\f(CRnix key generate-secret\fR [\fIoption\fR\[u2026]]
.SH Examples
.IP "\(bu" 3
Generate a new secret key:
.LP
.EX
# nix key generate-secret --key-name cache.example.org-1 > ./secret-key
.EE
.IP
We can then use this key to sign the closure of the Hello package:
.LP
.EX
# nix build nixpkgs#hello
# nix store sign --key-file ./secret-key --recursive ./result
.EE
.IP
Finally, we can verify the store paths using the corresponding public key:
.LP
.EX
# nix store verify --trusted-public-keys $(nix key convert-secret-to-public < ./secret-key) ./result
.EE
.SH Description
.LP
This command generates a new Ed25519 secret key for signing store paths and prints it on standard output. Use \f(CRnix key convert-secret-to-public\fR to get the corresponding public key for verifying signed store paths.
.PP
The mandatory argument \f(CR--key-name\fR specifies a key name (such as \f(CRcache.example.org-1\fR). It is used to look up keys on the client when it verifies signatures. It can be anything, but it’s suggested to use the host name of your cache (e.g. \f(CRcache.example.org\fR) with a suffix denoting the number of the key (to be incremented every time you need to revoke a key).
.SH Format
.LP
Both secret and public keys are represented as the key name followed by a base-64 encoding of the Ed25519 key data, e.g.
.LP
.EX
cache.example.org-0:E7lAO+MsPwTFfPXsdPtW8GKui/5ho4KQHVcAGnX+Tti1V4dUxoVoqLyWJ4YESuZJwQ67GVIksDt47og+tPVUZw==
.EE
.SH Options
.IP "\(bu" 3
\fB\f(CR--key-name\fR\fR \fIname\fR
.IP
Identifier of the key (e.g. \f(CRcache.example.org-1\fR).
.SS Logging-related options
.IP "\(bu" 3
\fB\f(CR--debug\fR\fR
.IP
Set the logging verbosity level to \(oqdebug\(cq.
.IP "\(bu" 3
\fB\f(CR--log-format\fR\fR \fIformat\fR
.IP
Set the format of log output; one of \f(CRraw\fR, \f(CRinternal-json\fR, \f(CRbar\fR or \f(CRbar-with-logs\fR.
.IP "\(bu" 3
\fB\f(CR--print-build-logs\fR\fR / \f(CR-L\fR
.IP
Print full build logs on standard error.
.IP "\(bu" 3
\fB\f(CR--quiet\fR\fR
.IP
Decrease the logging verbosity level.
.IP "\(bu" 3
\fB\f(CR--verbose\fR\fR / \f(CR-v\fR
.IP
Increase the logging verbosity level.
.SS Miscellaneous global options
.IP "\(bu" 3
\fB\f(CR--help\fR\fR
.IP
Show usage information.
.IP "\(bu" 3
\fB\f(CR--offline\fR\fR
.IP
Disable substituters and consider all previously downloaded files up-to-date.
.IP "\(bu" 3
\fB\f(CR--option\fR\fR \fIname\fR \fIvalue\fR
.IP
Set the Nix configuration setting \fIname\fR to \fIvalue\fR (overriding \f(CRnix.conf\fR).
.IP "\(bu" 3
\fB\f(CR--refresh\fR\fR
.IP
Consider all previously downloaded files out-of-date.
.IP "\(bu" 3
\fB\f(CR--version\fR\fR
.IP
Show version information.
.RS
.LP
\fBNote\fR
.PP
See \fB\f(CRman nix.conf\fR\fR for overriding configuration settings with command line flags.
.RE
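.PP
The key representation described under Format, as an added example that is not part of the Nix manual or code base: a bash helper that splits a key string at the first colon, classifies it by decoded length, and derives the public form from a secret key. It assumes the libsodium Ed25519 layout (a 64-byte secret key whose last 32 bytes are the public key, and a 32-byte public key), which this page does not state; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the Nix sources): inspect a NAME:BASE64 key string.
# Assumption: 64 decoded bytes = secret key (seed followed by public key, the
# libsodium layout); 32 decoded bytes = public key.

# Print "NAME KIND" (KIND is secret or public); return 1 if malformed.
nix_key_kind() {
    local key=$1 name payload len
    case $key in
        ?*:?*) ;;
        *) echo "expected NAME:BASE64" >&2; return 1 ;;
    esac
    name=${key%%:*}      # everything before the first colon
    payload=${key#*:}    # everything after it
    # Reject payloads that are not valid base64 before measuring them.
    printf '%s' "$payload" | base64 -d >/dev/null 2>&1 || {
        echo "payload is not valid base64" >&2; return 1; }
    len=$(printf '%s' "$payload" | base64 -d | wc -c | tr -d ' ')
    case $len in
        64) printf '%s secret\n' "$name" ;;
        32) printf '%s public\n' "$name" ;;
        *)  echo "unexpected key length: $len bytes" >&2; return 1 ;;
    esac
}

# Print the public form of a key without invoking nix. A public key is passed
# through unchanged; for a secret key the last 32 bytes are re-encoded.
nix_key_to_public() {
    local key=$1 kind name pub
    kind=$(nix_key_kind "$key") || return 1
    name=${kind% *}
    if [ "${kind##* }" = public ]; then
        printf '%s\n' "$key"
    else
        pub=$(printf '%s' "${key#*:}" | base64 -d | tail -c 32 | base64 | tr -d '\n')
        printf '%s:%s\n' "$name" "$pub"
    fi
}

# The sample key printed in the Format section of this page.
sample='cache.example.org-0:E7lAO+MsPwTFfPXsdPtW8GKui/5ho4KQHVcAGnX+Tti1V4dUxoVoqLyWJ4YESuZJwQ67GVIksDt47og+tPVUZw=='
nix_key_kind "$sample"
nix_key_to_public "$sample"
```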