From 5762f8f95c802165d374ece8154a6a79aa9a70a0 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Thu, 19 Feb 2015 14:15:02 +0100
Subject: [PATCH] Add options to support signed binary caches
Typical use: nix.requireSignedBinaryCaches = true; nix.binaryCachePublicKeys = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; (The public key of cache.nixos.org is included by default.) Note that this requires Nix 1.9 and that most of cache.nixos.org hasn't been signed yet.
---
nixos/modules/services/misc/nix-daemon.nix | 33 ++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index 81fabd1923f9..f231998d8f47 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -41,6 +41,10 @@ let
 build-chroot-dirs = ${toString cfg.chrootDirs} /bin/sh=${sh} $(echo $extraPaths)
 binary-caches = ${toString cfg.binaryCaches}
 trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
+ binary-cache-public-keys = ${toString cfg.binaryCachePublicKeys}
+ ${optionalString cfg.requireSignedBinaryCaches ''
+ signed-binary-caches = *
+ ''}
 $extraOptions
 END
 '';
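Review bot: The new `binary-cache-public-keys` and `signed-binary-caches = *` lines are emitted into nix.conf unconditionally, while the commit message says they are only understood from Nix 1.9 on; if an older `cfg.package` ignores settings it does not know, `requireSignedBinaryCaches = true` would silently enforce nothing, which is a fail-open default for a security switch. Consider an assertion on the Nix version (or at least a sentence in the option description) so the unenforced case is visible to the user. A short comment above the `optionalString` line would also help readers, e.g. `# "*" matches every cache URL: with requireSignedBinaryCaches, unsigned paths are rejected from all caches (needs Nix >= 1.9)`. The `nixConf` string this hunk edits begins before the hunk.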
@@ -244,6 +248,33 @@ in
 '';
 };
 
+ requireSignedBinaryCaches = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ If enabled, Nix will only download binaries from binary
+ caches if they are cryptographically signed with any of the
+ keys listed in
+ . If disabled (the
+ default), signatures are neither required nor checked, so
+ it's strongly recommended that you use only trustworthy
+ caches and https to prevent man-in-the-middle attacks.
+ '';
+ };
+
+ binaryCachePublicKeys = mkOption {
+ type = types.listOf types.str;
+ example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
+ description = ''
+ List of public keys used to sign binary caches. If
+ is enabled,
+ then Nix will use a binary from a binary cache if and only
+ if it is signed by any of the keys
+ listed here. By default, only the key for
+ cache.nixos.org is included.
+ '';
+ };
+
 };
 
 };
@@ -253,6 +284,8 @@ in
 
 config = {
 
+ nix.binaryCachePublicKeys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
+
 environment.etc."nix/nix.conf".source = nixConf;
 
 # List of machines for distributed Nix builds in the format
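Review bot: The description's "By default, only the key for cache.nixos.org is included" understates what the third hunk does: the key is assigned in `config` rather than as the option's `default`, and `types.listOf` merges all definitions, so the cache.nixos.org key is appended to whatever list the user provides and can only be removed with `mkForce`. A user who sets `binaryCachePublicKeys` to trust only their own cache would still be trusting cache.nixos.org without any indication of it. Either move the key to `default = [ ... ]` so a user definition replaces it, or state the behaviour in the description, e.g. `The key for cache.nixos.org is always included; use mkForce to override it.` The same point applies to the `config` assignment in the following hunk.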