Module nix_compat::narinfo

NAR info files describe a store path in a traditional Nix binary cache. Over the wire, they are formatted as “Key: value” pairs separated by newlines.

A NAR info file contains four kinds of information:

  1. the description of the store path itself
    • store path prefix, digest, and name
    • NAR hash and size
    • references
  2. authenticity information
    • zero or more signatures over that description
    • an optional CAHash for content-addressed paths (fixed outputs, sources, and derivations)
  3. derivation metadata
    • deriver (the derivation that produced this path)
    • system (the system value of that derivation)
  4. cache-specific information
    • URL of the compressed NAR, relative to the NAR info file
    • compression algorithm used for the NAR
    • hash and size of the compressed NAR
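
As an added illustration (not nix_compat's own parser or API), this standalone Rust sketch reads the “Key: value” lines into fields drawn from each of the four kinds. The field names (StorePath, URL, NarHash, NarSize, References, Deriver, CA, Sig) are those of Nix's narinfo format; ParsedNarInfo, parse_narinfo and the sample values are constructed for this example, and signatures are collected but not verified.

```rust
/// Hypothetical struct for this example (not nix_compat's NarInfo); one or more fields per kind.
#[derive(Debug)]
pub struct ParsedNarInfo {
    pub store_path: String,
    pub nar_hash: String,
    pub nar_size: u64,
    pub references: Vec<String>,
    pub signatures: Vec<(String, String)>, // (key name, base64 signature), not verified here
    pub ca: Option<String>,
    pub deriver: Option<String>,
    pub url: String,
}

/// Constructed sample; the hash and signature values are placeholders.
pub const SAMPLE: &str = "\
StorePath: /nix/store/00000000000000000000000000000000-example-1.0
URL: nar/example.nar.xz
NarHash: sha256:PLACEHOLDER
NarSize: 4096
References: 00000000000000000000000000000000-example-1.0
Sig: cache.example.org-1:UExBQ0VIT0xERVI=
Sig: mirror.example.org-1:UExBQ0VIT0xERVI=
";

pub fn parse_narinfo(input: &str) -> Result<ParsedNarInfo, String> {
    let mut single = std::collections::HashMap::new();
    let mut signatures = Vec::new();
    for line in input.lines().filter(|l| !l.is_empty()) {
        let (key, value) = line.split_once(": ").ok_or(format!("malformed line: {line:?}"))?;
        if key == "Sig" { // may repeat; value is "<key name>:<base64 signature>"
            let (name, sig) = value.split_once(':').ok_or("Sig without key name")?;
            signatures.push((name.to_string(), sig.to_string()));
        } else if single.insert(key, value).is_some() {
            return Err(format!("duplicate field: {key}")); // ambiguous: refuse, don't pick one
        }
    }
    let req = |k: &str| single.get(k).map(|v| v.to_string()).ok_or(format!("missing field: {k}"));
    let opt = |k: &str| single.get(k).map(|v| v.to_string());
    Ok(ParsedNarInfo {
        store_path: req("StorePath")?,
        nar_hash: req("NarHash")?,
        nar_size: req("NarSize")?.parse::<u64>().map_err(|_| "NarSize is not an integer".to_string())?,
        references: opt("References").unwrap_or_default().split_whitespace().map(String::from).collect(),
        signatures,
        ca: opt("CA"),
        deriver: opt("Deriver"),
        url: req("URL")?,
    })
}
```

Rejecting a repeated single-valued key matters because the signed description and the fields a client acts on must be the same values; a parser that silently keeps the first or last occurrence leaves room for the two to differ.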

Modules§

  • signature 🔒
  • This module provides tooling to parse private key (pairs) produced by Nix and its nix-store --generate-binary-cache-key name path.secret path.pub command. It produces ed25519_dalek keys, but the NarInfo::add_signature function is generic, allowing other signers.
  • This module defines data structures and parsers for the public key format used inside Nix to verify signatures on .narinfo files.

Structs§

  • TODO(edef): be conscious of these when roundtripping
  • This represents an ed25519 public key and “name”. These are normally passed in the trusted-public-keys Nix config option, and consist of a name and base64-encoded ed25519 pubkey, separated by a :.

Enums§

Functions§

  • Computes the fingerprint string for certain fields in a super::NarInfo. This fingerprint is signed by an ed25519 key, and in the case of a Nix HTTP Binary cache, included in the NARInfo files served from there.
  • Parses a SigningKey / VerifyingKey from a byte slice in the format that Nix uses.