Nix: Allow sign-paths to take the signing key from an environment variable

Created on 24 Feb 2019  ·  4 Comments  ·  Source: NixOS/nix

It would be nice if the nix sign-paths command could be used to sign keys without writing the signing key to a file, but instead using an environment variable, e.g. NIX_SIGNING_KEY. This would be useful for e.g. automated CI workflows, where I'd like to inject the key into the build environment, sign some paths, copy a closure, and kill the CI system.

All 4 comments

:-1: I don't see any real benefit to this. Since the command needs to be invoked in a script or something anyway, one can just echo "$NIX_SIGNING_KEY" > priv.key && nix sign-paths -k priv.key ….

I do see a real benefit of not having to depend on a disk subsystem just to provide the command with the same data that is already available in a session environment.

A tmpfs such as /run can be used for storing information in a filesystem without it being written to disk.

It's still a FS; why does a nix process have to rely on the FS API to access the keys if it's already provided with an environment from which it can read the data directly?
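
Added example, not written by any participant in this thread or by the Nix project: the file-based workaround from the comments, wrapped so that the key file is owner-only, placed on tmpfs where available, and removed when the command finishes. The function name with_key_file and the {} placeholder are hypothetical, and treating XDG_RUNTIME_DIR and /dev/shm as tmpfs mounts is an assumption.

```shell
# with_key_file CMD [ARGS...]
# Runs CMD with every literal {} argument replaced by the path of a temporary
# file holding $NIX_SIGNING_KEY. The body is a subshell, so umask, traps and
# variables do not leak into the caller.
with_key_file() (
    if [ -z "${NIX_SIGNING_KEY:-}" ]; then
        echo "with_key_file: NIX_SIGNING_KEY is not set" >&2
        exit 2
    fi
    # Assumption: XDG_RUNTIME_DIR and /dev/shm are tmpfs mounts (typical on
    # Linux); the TMPDIR or /tmp fallback may be backed by a real disk.
    dir=
    for d in "${XDG_RUNTIME_DIR:-}" /dev/shm "${TMPDIR:-/tmp}"; do
        if [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ]; then dir=$d; break; fi
    done
    [ -n "$dir" ] || { echo "with_key_file: no writable temp dir" >&2; exit 1; }

    umask 077
    # mktemp creates the file exclusively, mode 0600, with an unpredictable name.
    keyfile=$(mktemp "$dir/nix-signing-key.XXXXXX") || exit 1
    trap 'rm -f -- "$keyfile"' EXIT
    trap 'exit 1' INT TERM HUP
    # printf is a shell builtin, so the key never appears in a process argv.
    printf '%s\n' "$NIX_SIGNING_KEY" > "$keyfile"

    # Substitute {} in the argument list (POSIX idiom for rewriting "$@").
    for arg do
        shift
        [ "$arg" = "{}" ] && arg=$keyfile
        set -- "$@" "$arg"
    done
    "$@"
)

# Usage, with the command from the thread:
#   with_key_file nix sign-paths -k {} …
```

The exit status of the wrapped command is passed through, so a CI step using it still fails when signing fails.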
